CVE-2019-7238: Insufficient Access Controls in Sonatype Nexus Repository Manager 3 Allows Remote Code Execution
By Govind Sarda and Raghvendra Mishra

A critical remote code execution (RCE) vulnerability (CVE-2019-7238) was found in Sonatype's Nexus Repository Manager (NXRM) 3, an open source project that allows developers, such as DevOps professionals, to manage the software components required for software development, application deployment, and automated hardware provisioning. The vulnerability in NXRM 3, which reportedly has over 150,000 active installations, was discovered by @Rico of Tencent Security Yunding Lab and @voidfyoo of Chaitin Tech.

Analysis of CVE-2019-7238 reveals that exploiting the flaw does not require authentication, which makes it easier for attackers to send crafted requests to the host server and execute arbitrary code or programs on it. Sonatype released a patch for the vulnerability on January 11, 2019; NXRM versions 3.15 and above contain the fix.

Lack of Proper Access Control Methods Results in Remote Code Execution

CVE-2019-7238 is an Expression Language