CVE-2019-15588
Severity: HIGH
Sonatype Nexus Repository Manager < 2.14.14 - Command Injection
Title source: ruleDescription
There is an OS command injection in Nexus Repository Manager <= 2.14.14 (a bypass of the fix for CVE-2019-5475) that could allow an attacker to achieve remote code execution (RCE). All instances that use CommandLineExecutor.java with user-supplied data are vulnerable, such as the Yum Configuration Capability.
Exploits (1)
References (2)
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/688270
Vendor Advisory x_refsource_confirm
https://support.sonatype.com/hc/en-us/articles/360033490774-CVE-2019-5475-Nexus-Repository-Manager-2-OS-Command-Injection-2019-08-09
Scores
CVSS v3: 7.2
EPSS: 0.0730
EPSS Percentile: 91.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-78, CWE-77
Status: published
Products (1): sonatype/nexus_repository_manager < 2.14.14
Published: Nov 01, 2019
Tracked Since: Feb 18, 2026