Detections
Analytics
Sonatype Nexus Repository Manager Java Object Deserialization RCE
critical Nessus Plugin ID 92467
Language:
Synopsis
The Nexus Repository Manager server running on the remote host is affected by a remote code execution vulnerability.Description
The Sonatype Nexus Repository Manager server application running on the remote host is affected by a remote code execution vulnerability due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this, by sending specially crafted Java objects to the HTTP interface, to execute arbitrary code on the target host.Solution
Upgrade to Sonatype Nexus Repository Manager version 2.11.2-01 or later.See Also
http://www.nessus.org/u?9c6d83db
http://www.sonatype.org/advisories/archive/2016-06-20-Nexus/
Plugin Details
Severity: Critical
ID: 92467
File Name: sonatype_nexus_deserialization.nasl
Version: 1.5
Type: remote
Family: Misc.
Published: 7/20/2016
Updated: 11/15/2018
Supported Sensors: Nessus
Risk Information
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 7.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vulnerability Information
CPE: cpe:/a:sonatype:nexus
Required KB Items: installed_sw/Sonatype Nexus
Patch Publication Date: 6/20/2016
Vulnerability Publication Date: 1/28/2015
Reference Information
CERT: 576313