0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Sonatype Nexus Repository Manager OSS/Pro Multiple Cross-Site Scripting Vulnerabilities
Author
Risk
[
Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
======================================================================= title: Multiple Cross-Site Scripting Vulnerabilities product: Sonatype Nexus Repository Manager OSS/Pro vulnerable version: <=2.14.5, <=3.7.1 fixed version: 2.14.6, 3.8.0 CVE number: CVE-2018-5306, CVE-2018-5307 impact: Medium homepage: https://www.sonatype.com/ found: 2017-12-12 by: Werner Schober, Daniel Ostovary (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "At Sonatype we have a long history of partnership with the world of open source software development. From our humble beginning as core contributors to Apache Maven, to supporting the world’s largest repository of open source components (Central), to distributing the world's most popular repository manager (Nexus), we exist for one simple reason; to help accelerate software innovation." Source: https://www.sonatype.com/about-sonatype Business recommendation: ------------------------ The Sonatype Nexus Repository Server is affected by multiple XSS vulnerabilities which could be used by an attacker to execute JavaScript code in the user's browser. The vendor provides a patch for both version 2 and 3 of the product which should be installed immediately. It is recommended to conduct a thorough security review by IT security professionals in order to identify potential other security issues. Vulnerability overview/description: ----------------------------------- 1) Reflected XSS vulnerability The parameters "repoId" and "format" of the "healthCheckFileDetail" function are vulnerable to reflected XSS. If the attacker can lure a user into clicking a crafted link he could execute arbitrary JavaScript code. In case the user has sufficient permissions, an attacker can create arbitrary (administrative) users or perform stored XSS attacks (see 2). 2) Stored XSS vulnerabilities The application is vulnerable to multiple stored XSS vulnerabilities, which are described in the following list. 2.1) The first one is located in the "File Upload" functionality of the "Staging Upload". Uploading a file with JavaScript code in its name allows to store JavaScript code, which gets triggered every time the file name is shown (e.g. in "Repositories"). 2.2) The second stored XSS vulnerability is more precisely being considered as stored DOM injection. This vulnerability affects the functionality of creating a new user. When doing so it is possible to inject JavaScript/HTML code in the username, which later gets rendered/executed every time the username is displayed. 2.3) The third stored XSS vulnerability is also a stored DOM injection. It affects the "IQ Server Connection"/"IQ Server Dashboard" functionality. The "IQ Server URL" field in the "IQ Server Connection" allows to inject JavaScript/HTML code into the menu bulletpoint "IQ Server Dashboard". The vendor provided the following CVE numbers: * CVE-2018-5306 - covers the XSS vulnerabilities in Nexus 3 * CVE-2018-5307 - covers the XSS vulnerabilities in Nexus 2 Proof of concept: ----------------- 1) Reflected XSS vulnerability By luring an attacker into clicking the following link, an arbitrary JavaScript payload will be executed: https://example.com/nexus/service/siesta/healthcheck/healthCheckFile Detail/.../index.html?repoId=public&format=<a href=javascript:alert(1)>sectest</test> Vulnerable parameters: -) repoId -) format 2) Stored XSS vulnerabilities ***Please note that only users with access to the respective functionalities are susceptive to the following stored XSS vulnerabilities.*** 2.1) The staging upload allows an attacker to upload a file, which contains a JavaScript payload in the filename. An example for a filename containing a "malicious" payload is as follows: "<img src=x onerror=alert(1)>.jpg" This file can be uploaded flawlessly and everytime the filename is displayed, the JavaScript payload gets executed. 2.2) An attacker is able to create a new user, which contains a malicious JavaScript payload in the username. As an example the following username can be used: "EvilAdmin<img/src='/nexus/static/icons/glyph_help.png'/onload='alert(1)'/width='0'" The payload is executed everytime the username is displayed (e.g. Login as EvilAdmin -> Create Repository -> Access repository via "Repositories" -> JavaScript code is being executed) 2.3) The nexus server allows to setup an IQ server connection. The server name is not validated and therefore allows the permanent injection of JavaScript code. To demonstrate the vulnerability the following IQ server URL can be set: 'https://example.com'</a><img onload=alert(1) src="/nexus/static/icons/glyph_help.png" width="0" The payload is executed everytime someone logs into the application. Vulnerable / tested versions: ----------------------------- These vulnerabilities have been found in the version 2.13.0-01. However none of the patch notes following the version 2.13.0-01 indicate a fix of these vulnerabilities. Vendor contact timeline: ------------------------ 2017-12-13: Contacting vendor through security () sonatype com (PGP encrypted) 2017-12-13: Sonatype responded that they are investigating the reported issues. 2017-12-15: Sonatype informed us that they are prioritizing a fix for all three issues disclosed. The current estimate for an available release is in the middle of January 2018-01-04: Sonatype followed up with more details and offered to request CVEs for the vulnerabilities. SEC Consult accepted that offer and request the affected versions as well as a planned release date. 2018-01-17: Sonatype replied that they identified more issues in other products (Nexus Server 2 and Nexus Server 3) with the same root cause and therefore need more time to fix the issues. The assigned CVE is CVE-2018-5307. 2018-01-25: Vendor provides updated information for affected version 2 2018-02-06: Vendor sends further information on affected versions & CVE numbers 2018-02-08: Vendor makes public announcement of security issues 2018-02-08: Public release of SEC Consult security advisory Solution: --------- The identified vulnerabilities have been fixed in version 2.14.6 and 3.8.0. The latest versions can be downloaded at the following URLs linked from the vendor's security advisory. Nexus Repository Manager version 3: https://support.sonatype.com/hc/en-us/articles/360000134968 (CVE-2018-5306) Nexus Repository Manager version 2: https://support.sonatype.com/hc/en-us/articles/360000134928 (CVE-2018-5307) Workaround: ----------- No workaround available. # 0day.today [2024-07-07] #