
CVE-2019-16530: Unrestricted Upload of File with Dangerous Type in Sonatype Nexus Repository Manager

CVSS Score (v3.1)
7.2

Basic Information

EPSS Score
0.87969%
Published
5/24/2022
Updated
1/27/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Package Name                         | Ecosystem | Vulnerable Versions   | First Patched Version
org.sonatype.nexus:nexus-repository  | maven     | >= 2.0.0, < 2.14.15   | 2.14.15
org.sonatype.nexus:nexus-repository  | maven     | >= 3.0.0, < 3.19.0    | 3.19.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability (CWE-434) involves unrestricted file uploads leading to remote code execution (RCE). Without patch details, we infer: 1) upload handling functions lack file type validation; 2) storage functions persist dangerous files; 3) REST endpoints accept malicious payloads. These functions represent the critical path where unvalidated uploads would be processed. Confidence is medium, as the analysis is based on vulnerability pattern matching rather than explicit patch code.


WAF Protection Rules

WAF Rule

Sonatype Nexus Repository Manager 2.x before 2.14.15 and 3.x before 3.19, and IQ Server before [version not recoverable from this page], has remote code execution.
