Vulnerability Description
Nexus Repository Manager versions up to and including 2.14.14 contain an OS command injection that bypasses the fix for CVE-2019-5475 and can give an attacker remote code execution (RCE). Every code path that passes user-supplied data into CommandLineExecutor.java is vulnerable; the Yum Configuration Capability is one such path.
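The shape of the bug, as an added illustration rather than code from Nexus or from the advisory: a vulnerable builder concatenates user-controlled values into one line that a shell re-parses; a character blocklist (a stand-in for the kind of partial fix that gets bypassed, not a claim about what the CVE-2019-5475 patch actually did) lets through a metacharacter it forgot; a hardened builder validates each value against a positive allowlist, pins the executable to a known directory, and hands an argument array to ProcessBuilder so nothing is re-parsed. The class name YumExecutor, the method names, the /usr/bin pin, the --update flag and the attacker string are all assumptions made for this example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Illustrative "run createrepo on this repository" executor.
 * Not Nexus code: YumExecutor, the method names, the /usr/bin pin and the
 * --update flag are assumptions made for this example.
 */
public final class YumExecutor {

    // Vulnerable shape: the admin-supplied createrepo path and repository
    // directory are concatenated into one line that /bin/sh re-parses, so any
    // shell metacharacter (; | & $() ` newline) in either value runs as a command.
    public static List<String> vulnerableCommand(String createrepoPath, String repoDir) {
        String line = createrepoPath + " --update " + repoDir;
        return Arrays.asList("/bin/sh", "-c", line);
    }

    // A character blocklist is the kind of partial fix that gets bypassed: it
    // stops "createrepo; id" but not a payload built from a character it forgot.
    private static final Pattern BLOCKLIST = Pattern.compile("[;|&]");

    public static boolean blocklistAccepts(String value) {
        return !BLOCKLIST.matcher(value).find();
    }

    // Hardened shape: positive allowlist on every value, executable pinned to a
    // known directory, and an argv array that no shell ever re-parses.
    private static final Pattern SAFE_PATH = Pattern.compile("^/[A-Za-z0-9_./-]+$");
    private static final Path ALLOWED_BIN_DIR = Paths.get("/usr/bin");

    static String requireSafePath(String name, String value) {
        if (!SAFE_PATH.matcher(value).matches() || value.contains("..")) {
            throw new IllegalArgumentException(name + " contains disallowed characters");
        }
        return value;
    }

    static String requireAllowedExecutable(String value) {
        // Even a clean-looking path lets the caller choose which binary runs as
        // the service user, so the executable is pinned to one directory.
        Path p = Paths.get(requireSafePath("createrepo path", value)).normalize();
        if (!p.startsWith(ALLOWED_BIN_DIR) || p.getNameCount() != ALLOWED_BIN_DIR.getNameCount() + 1) {
            throw new IllegalArgumentException("createrepo path must be directly under " + ALLOWED_BIN_DIR);
        }
        return p.toString();
    }

    public static List<String> hardenedCommand(String createrepoPath, String repoDir) {
        List<String> argv = new ArrayList<>();
        argv.add(requireAllowedExecutable(createrepoPath));
        argv.add("--update");
        argv.add(requireSafePath("repository dir", repoDir));
        return argv;
    }

    public static int run(List<String> argv) throws Exception {
        // ProcessBuilder passes each element as one argument; nothing is re-parsed.
        return new ProcessBuilder(argv).inheritIO().start().waitFor();
    }

    public static void main(String[] args) {
        // Constructed attacker value: no ; | or &, so the blocklist passes it,
        // but under /bin/sh -c the $(...) would execute before createrepo runs.
        String attackerPath = "/usr/bin/createrepo$(id>/tmp/pwned)";
        System.out.println("blocklist accepts it: " + blocklistAccepts(attackerPath));
        System.out.println("vulnerable argv (not executed here): " + vulnerableCommand(attackerPath, "/var/repo"));
        try {
            hardenedCommand(attackerPath, "/var/repo");
        } catch (IllegalArgumentException e) {
            System.out.println("hardened rejects it: " + e.getMessage());
        }
        System.out.println("hardened argv: " + hardenedCommand("/usr/bin/createrepo", "/var/repo"));
    }
}
```

Compile and run with `javac YumExecutor.java && java YumExecutor`. The point of the pinned executable check is that, once a setting names the program to run, sanitising characters is not enough: whoever controls that setting chooses which binary runs as the service account, so the value has to be constrained to a known location as well as a safe character set.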
CVSS Score
7.2 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sonatype | Nexus Repository Manager | <= 2.14.14 |
Related Weaknesses (CWE)
References
- https://hackerone.com/reports/688270 (Issue Tracking, Patch, Third Party Advisory)
- https://support.sonatype.com/hc/en-us/articles/360033490774-CVE-2019-5475-Nexus- (Vendor Advisory)
FAQ
What is CVE-2019-15588?
CVE-2019-15588 is an OS command injection in Nexus Repository Manager versions up to and including 2.14.14, with a CVSS base score of 7.2 (HIGH). It bypasses the fix for CVE-2019-5475 and can give an attacker remote code execution (RCE). Every code path that passes user-supplied data into CommandLineExecutor.java is affected, such as the Yum Configuration Capability.
How severe is CVE-2019-15588?
CVE-2019-15588 has been rated HIGH with a CVSS base score of 7.2/10. Only the base score and rating are given here; the vendor advisory and the HackerOne report in the references carry the detailed write-up.
Is there a patch for CVE-2019-15588?
See the Sonatype advisory in the references above for the vendor's fix information. The affected product is Sonatype Nexus Repository Manager, versions up to and including 2.14.14; releases after 2.14.14 are not listed as affected, so upgrading past that release is the remediation. Because this issue bypasses the earlier fix, having patched for CVE-2019-5475 alone does not close it.