
CVE-2019-5475: OS Command Injection in Nexus Yum Repository Plugin

CVSS Score (v3.0): 8.8

Basic Information

EPSS Score: 0.97984%
Published: 9/11/2019
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name: org.sonatype.nexus.plugins:nexus-yum-repository-plugin
Ecosystem: maven
Vulnerable Versions: < 2.14.14
First Patched Version: 2.14.14

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability description explicitly implicates CommandLineExecutor.java as the component handling vulnerable data. CWE-78 (OS Command Injection) patterns suggest improper sanitization of user input used in command execution. The function name 'CommandLineExecutor.execute' is a logical candidate for command execution logic, and the high severity RCE impact aligns with unfiltered command execution vulnerabilities. The Yum Configuration Capability's user-controllable parameters would flow through this component when generating repository metadata.


WAF Protection Rules

WAF Rule

The Nexus Yum Repository Plugin in v* is vulnerable to Remote Code Execution when instances using CommandLineExecutor.java are supplied vulnerable data, such as the Yum Configuration Capability.
