CVE-2020-15012 | Nexus Repository Manager 2 Directory Traversal Vulnerability Advisory

Published: 2020-10-09

0x00 Vulnerability Overview

CVE ID: CVE-2020-15012

Date: 2020-10-09

Type: Directory traversal

Severity: High

Remote exploitation:

Affected versions: Nexus Repository Manager 2 <=2.14.18

Nexus Repository is an open-source repository management system that offers richer functionality while remaining simple to install, configure, and use. It is one of the tools used to set up Maven mirrors and is widely used worldwide.

0x01 Vulnerability Details


On October 8, 2020, Sonatype published a security advisory stating that Nexus Repository Manager 2 contains a directory traversal vulnerability, tracked as CVE-2020-15012. An attacker who successfully exploits this vulnerability may perform directory traversal to read sensitive data files and expose arbitrary files to users. To exploit the vulnerability, however, the attacker must have network access to the Nexus Repository Manager instance before they can view configuration files or protected content.

0x02 Remediation Advice

The vendor has released a security update. Upgrading Nexus Repository Manager 2 to the latest version, 2.14.19, is recommended:

Download link:

https://help.sonatype.com/repomanager2/download
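
An added example, not part of the original advisory or Sonatype's tooling: a Python triage of an instance inventory against the affected range above (<=2.14.18, fixed in 2.14.19). The host names, the sample versions and the `major.minor.patch-build` version format are assumptions.

```python
import re

# Boundary taken from the advisory: NXRM 2 up to and including 2.14.18 is
# affected; 2.14.19 carries the fix.
FIXED = (2, 14, 19)

# Assumed version format: "2.14.18-01" (numeric triple, optional build suffix).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?\s*$")


def parse_version(text):
    """Return (major, minor, patch), or None if the string is not parseable."""
    m = _VERSION_RE.match(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Classify one reported version against CVE-2020-15012."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"          # never treat unparseable data as safe
    if v[0] != 2:
        return "out-of-scope"     # the advisory covers the 2.x line only
    # Numeric tuple comparison: as plain strings, "2.9.2" would sort above "2.14.19".
    return "affected" if v < FIXED else "fixed"


def triage(inventory):
    """Map host -> status, and list the hosts that need follow-up."""
    status = {host: classify(ver) for host, ver in inventory.items()}
    todo = sorted(h for h, s in status.items() if s in ("affected", "unknown"))
    return status, todo


# Constructed inventory (hypothetical hosts and versions).
SAMPLE = {
    "nexus-a.example.internal": "2.14.18-01",
    "nexus-b.example.internal": "2.14.19-01",
    "nexus-c.example.internal": "2.9.2",
    "nexus-d.example.internal": "3.27.0-03",
    "nexus-e.example.internal": "unknown build",
}

if __name__ == "__main__":
    status, todo = triage(SAMPLE)
    for host in sorted(status):
        print(f"{host:28} {status[host]}")
    print("follow up:", ", ".join(todo))
```

Hosts reported as "unknown" are listed for follow-up alongside affected ones, so an unreadable version string is never counted as patched.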

0x03 References

https://support.sonatype.com/hc/en-us/articles/360051068253-CVE-2020-15012-Nexus-Repository-Manager-2-Directory-Traversal-2020-10-08

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15012

0x04 Timeline

2020-10-08  Sonatype published its security advisory

2020-10-09  VSRC published its security advisory