CVE-2020-15012 | Nexus Repository Manager 2Ŀ¼±éÀúÎó²îͨ¸æ

Ðû²¼Ê±¼ä 2020-10-09

0x00 Îó²î¸ÅÊö

CVE  ID

CVE-2020-15012

ʱ   ¼ä

2020-10-09

Àà   ÐÍ

Ŀ¼±éÀú

µÈ   ¼¶

¸ßΣ

Ô¶³ÌʹÓÃ


Ó°Ïì¹æÄ£

Nexus Repository Manager 2 <=2.14.18

 

Nexus RepositoryÊÇÒ»¸ö¿ªÔ´µÄ¿ÍÕ»ÖÎÀíϵͳ£¬£¬£¬£¬£¬£¬£¬ÔÚ×°Öá¢ÉèÖá¢Ê¹ÓüòÆӵĻù´¡ÉÏÌṩÁËÔ½·¢¸»ºñµÄ¹¦Ð§¡£¡£¡£¡£¡£¡£ËüÊǴmavenµÄ¾µÏñµÄ¹¤¾ßÖ®Ò»£¬£¬£¬£¬£¬£¬£¬ÔÚÈ«Çò¹æÄ£ÄÚʹÓÃÆձ顣¡£¡£¡£¡£¡£

0x01 Îó²îÏêÇé

image.png

 

2020Äê10ÔÂ08ÈÕ£¬£¬£¬£¬£¬£¬£¬SonatypeÐû²¼Ç徲ͨ¸æ£¬£¬£¬£¬£¬£¬£¬Nexus Repository Manager 2Öб£´æÒ»¸öĿ¼±éÀúÎó²î£¬£¬£¬£¬£¬£¬£¬Îó²î¸ú×ÙΪCVE-2020-15012¡£¡£¡£¡£¡£¡£ÀÖ³ÉʹÓôËÎó²îµÄ¹¥»÷ÕßÄܹ»Ö´ÐÐĿ¼±éÀúÒÔ¶ÁÈ¡Ãô¸ÐÊý¾ÝÎļþ£¬£¬£¬£¬£¬£¬£¬²¢¶ÔÓû§¹ûÕæí§ÒâÎļþ¡£¡£¡£¡£¡£¡£µ«ÒªÊ¹ÓôËÎó²î£¬£¬£¬£¬£¬£¬£¬¹¥»÷Õß±ØÐè¾ßÓжÔNexus Repository Manager instanceµÄÍøÂç»á¼ûȨÏÞ£¬£¬£¬£¬£¬£¬£¬²Å»ªÉó²éÉèÖÃÎļþ»òÊܱ£»£»£»£»¤µÄÄÚÈÝ¡£¡£¡£¡£¡£¡£

0x02 ´¦Öóͷ£½¨Òé

ÏÖÔÚ¹Ù·½ÒÑÐû²¼Çå¾²¸üУ¬£¬£¬£¬£¬£¬£¬½¨Ò齫Nexus Repository Manager 2Éý¼¶µ½2.14.19×îа汾£º

ÏÂÔØÁ´½Ó£º

https://help.sonatype.com/repomanager2/download

0x03 ²Î¿¼Á´½Ó

https://support.sonatype.com/hc/en-us/articles/360051068253-CVE-2020-15012-Nexus-Repository-Manager-2-Directory-Traversal-2020-10-08

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15012

0x04 ʱ¼äÏß

2020-10-08  SonatypeÐû²¼Ç徲ͨ¸æ

2020-10-09  VSRCÐû²¼Ç徲ͨ¸æ

 

 

 

 

image.png