BugTraq
SEC Consult SA-20180208-0 :: Multiple Cross-Site Scripting Vulnerabilities in Sonatype Nexus Repository Manager OSS/Pro Feb 08 2018 07:15PM
SEC Consult Vulnerability Lab (research sec-consult com)
SEC Consult Vulnerability Lab Security Advisory < 20180208-0 >
=======================================================================
title: Multiple Cross-Site Scripting Vulnerabilities
product: Sonatype Nexus Repository Manager OSS/Pro
vulnerable version: <=2.14.5, <=3.7.1
fixed version: 2.14.6, 3.8.0
CVE number: CVE-2018-5306, CVE-2018-5307
impact: Medium
homepage: https://www.sonatype.com/
found: 2017-12-12
by: Werner Schober, Daniel Ostovary (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"At Sonatype we have a long history of partnership with the world of open
source software development. From our humble beginning as core contributors
to Apache Maven, to supporting the world's largest repository of open source
components (Central), to distributing the world's most popular repository
manager (Nexus), we exist for one simple reason; to help accelerate software
innovation."

Source: https://www.sonatype.com/about-sonatype

Business recommendation:
------------------------
The Sonatype Nexus Repository Server is affected by multiple XSS vulnerabilities
which could be used by an attacker to execute JavaScript code in the user's
browser.

The vendor provides a patch for both version 2 and 3 of the product which should
be installed immediately.

It is recommended to conduct a thorough security review by IT security
professionals in order to identify potential other security issues.

Vulnerability overview/description:
-----------------------------------
1) Reflected XSS vulnerability
The parameters "repoId" and "format" of the "healthCheckFileDetail" function
are vulnerable to reflected XSS. If the attacker can lure a user into
clicking a crafted link, he could execute arbitrary JavaScript code.
In case the user has sufficient permissions, an attacker can create arbitrary
(administrative) users or perform stored XSS attacks (see 2).

2) Stored XSS vulnerabilities
The application is vulnerable to multiple stored XSS vulnerabilities,
which are described in the following list.

2.1) The first one is located in the "File Upload" functionality of
the "Staging Upload". Uploading a file with JavaScript code
in its name allows storing JavaScript code, which gets
triggered every time the file name is shown (e.g. in "Repositories").

2.2) The second stored XSS vulnerability is more precisely
a stored DOM injection. This vulnerability
affects the functionality of creating a new user. When doing
so it is possible to inject JavaScript/HTML code in the username,
which later gets rendered/executed every time the username is
displayed.

2.3) The third stored XSS vulnerability is also a stored DOM injection.
It affects the "IQ Server Connection"/"IQ Server Dashboard"
functionality. The "IQ Server URL" field in the "IQ Server
Connection" allows injecting JavaScript/HTML code into the
menu bulletpoint "IQ Server Dashboard".

The vendor provided the following CVE numbers:
* CVE-2018-5306 - covers the XSS vulnerabilities in Nexus 3
* CVE-2018-5307 - covers the XSS vulnerabilities in Nexus 2

Proof of concept:
-----------------
1) Reflected XSS vulnerability
By luring a user into clicking the following link, an arbitrary
JavaScript payload will be executed:

https://example.com/nexus/service/siesta/healthcheck/healthCheckFileDetail/.../index.html?repoId=public&format=<a href=javascript:alert(1)>sectest</test>

Vulnerable parameters:
-) repoId
-) format
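A defender-side check for the reflected case, added here as an example and not part of the advisory or of Nexus itself: it parses access-log lines (constructed sample below), restricts itself to the healthCheckFileDetail endpoint named above, and flags requests whose "repoId" or "format" values carry HTML or script tokens after URL decoding. The log format, regexes and function names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Hypothetical detection script, not Nexus code. Endpoint and parameter names
# come from the advisory (CVE-2018-5306 / CVE-2018-5307).
VULN_PATH_RE = re.compile(r"/service/siesta/healthcheck/healthCheckFileDetail/", re.I)
VULN_PARAMS = ("repoId", "format")
# Tokens a repository id or format name never legitimately contains.
SUSPICIOUS_RE = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.I)
# Common Log Format; only the client, timestamp, target and status are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def suspicious_params(target):
    """Return (param, decoded value) pairs on the vulnerable endpoint that look like XSS probes."""
    parts = urlsplit(target)
    if not VULN_PATH_RE.search(unquote_plus(parts.path)):
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in VULN_PARAMS:
            continue
        for value in values:
            decoded = unquote_plus(value)  # parse_qs decoded once; catch double encoding
            if SUSPICIOUS_RE.search(decoded):
                hits.append((name, decoded))
    return hits

def scan_log(lines):
    """Return one finding per log line that carries a suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "hits": hits})
    return findings

# Constructed sample access log: one benign request, one probe of the "format"
# parameter (the advisory's payload, URL-encoded), one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Feb/2018:19:15:47 +0100] "GET /nexus/service/siesta/healthcheck/healthCheckFileDetail/public/index.html?repoId=public&format=html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [08/Feb/2018:19:16:02 +0100] "GET /nexus/service/siesta/healthcheck/healthCheckFileDetail/public/index.html?repoId=public&format=%3Ca%20href%3Djavascript%3Aalert(1)%3Esectest%3C/a%3E HTTP/1.1" 200 5210',
    '203.0.113.9 - - [08/Feb/2018:19:16:30 +0100] "GET /nexus/content/repositories/public/ HTTP/1.1" 200 812',
]
```

A hit is a probe, not proof of a victim: reflected XSS fires in the browser of whoever follows the link, so correlate findings with the instance's patch level (fixed in 2.14.6 / 3.8.0) rather than with the HTTP status.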

2) Stored XSS vulnerabilities
***Please note that only users with access to the respective functionalities
are susceptible to the following stored XSS vulnerabilities.***

2.1)
The staging upload allows an attacker to upload a file, which contains a
JavaScript payload in the filename. An example for a filename containing a
"malicious" payload is as follows: "<img src=x onerror=alert(1)>.jpg"

This file can be uploaded flawlessly and every time the filename is displayed,
the JavaScript payload gets executed.

2.2)
An attacker is able to create a new user, which contains a malicious JavaScript
payload in the username. As an example the following username can be used:

"EvilAdmin<img/src='/nexus/static/icons/glyph_help.png'/onload='alert(1)
'/width='0'"

The payload is executed every time the username is displayed (e.g. Login as
EvilAdmin -> Create Repository -> Access repository via "Repositories" ->
JavaScript code is being executed)

2.3)
The Nexus server allows setting up an IQ server connection. The server name is not
validated and therefore allows the permanent injection of JavaScript code. To
demonstrate the vulnerability the following IQ server URL can be set:

'https://example.com'</a><img onload=alert(1)
src="/nexus/static/icons/glyph_help.png" width="0"

The payload is executed every time someone logs into the application.
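For the three stored cases (2.1 to 2.3), an audit helper added here as an example, not code from the advisory or from Sonatype: allow-list checks for filenames, usernames and the IQ Server URL that an operator can run over an export of existing values to find payloads already stored on an unpatched instance, plus the output encoding a fixed view applies before rendering. The record format, the regexes and the function names are assumptions; the sample records embed the advisory's own payloads.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical audit helpers, not Nexus code: allow-list checks for the three
# inputs the advisory names, plus the output encoding a fixed view should apply.
IDENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # usernames
HTML_META_RE = re.compile(r"[<>\"'&]")
ACTIVE_HTML_RE = re.compile(r"<\s*\w+[^>]*[\s/]on\w+\s*=|javascript:", re.I)

def is_safe_identifier(value):
    return bool(IDENT_RE.match(value))

def is_safe_filename(name):
    # Staging upload names are shown in the "Repositories" view: no markup, no traversal.
    return (name not in ("", ".", "..") and "/" not in name and "\\" not in name
            and not HTML_META_RE.search(name))

def is_safe_iq_url(url):
    # The IQ Server URL is rendered into a menu entry: plain absolute http(s) only.
    parts = urlsplit(url)
    return (parts.scheme in ("http", "https") and bool(parts.netloc)
            and not HTML_META_RE.search(url))

CHECKS = {"username": is_safe_identifier, "filename": is_safe_filename, "iq_url": is_safe_iq_url}

def audit(records):
    """records: iterable of (kind, value). Returns (kind, value, reason) findings."""
    findings = []
    for kind, value in records:
        if not CHECKS[kind](value):
            reason = ("active HTML (event handler or javascript: URL)"
                      if ACTIVE_HTML_RE.search(value) else "disallowed characters")
            findings.append((kind, value, reason))
    return findings

def render_safely(value):
    """Output encoding for an HTML text or quoted-attribute context."""
    return html.escape(value, quote=True)

# Constructed sample export: two benign entries and the three advisory payloads.
SAMPLE_RECORDS = [
    ("username", "deploy-bot"),
    ("username", "EvilAdmin<img/src='/nexus/static/icons/glyph_help.png'/onload='alert(1)'/width='0'"),
    ("filename", "release-1.0.jar"),
    ("filename", "<img src=x onerror=alert(1)>.jpg"),
    ("iq_url", "https://iq.example.com:8070"),
    ("iq_url", "'https://example.com'</a><img onload=alert(1) src=\"/nexus/static/icons/glyph_help.png\" width=\"0\""),
]
```

Input validation alone is not the fix the vendor shipped; the durable mitigation is encoding at the output context (render_safely), with the allow-lists as defence in depth and as a way to find values stored before the upgrade.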

Vulnerable / tested versions:
-----------------------------
These vulnerabilities have been found in version 2.13.0-01. However, none of
the patch notes following version 2.13.0-01 indicate a fix of these
vulnerabilities.

Vendor contact timeline:
------------------------
2017-12-13: Contacting vendor through security (at) sonatype (dot) com (PGP encrypted)
2017-12-13: Sonatype responded that they are investigating the reported issues.
2017-12-15: Sonatype informed us that they are prioritizing a fix for all
three issues disclosed. The current estimate for an available
release is in the middle of January
2018-01-04: Sonatype followed up with more details and offered to request
CVEs for the vulnerabilities. SEC Consult accepted that offer
and requested the affected versions as well as a planned release
date.
2018-01-17: Sonatype replied that they identified more issues in other products
(Nexus Server 2 and Nexus Server 3) with the same root cause and
therefore need more time to fix the issues. The assigned CVE
is CVE-2018-5307.
2018-01-25: Vendor provides updated information for affected version 2
2018-02-06: Vendor sends further information on affected versions & CVE numbers
2018-02-08: Vendor makes public announcement of security issues
2018-02-08: Public release of SEC Consult security advisory

Solution:
---------
The identified vulnerabilities have been fixed in version 2.14.6 and 3.8.0.

The latest versions can be downloaded at the following URLs linked from the
vendor's security advisory.

Nexus Repository Manager version 3:
https://support.sonatype.com/hc/en-us/articles/360000134968 (CVE-2018-5306)

Nexus Repository Manager version 2:
https://support.sonatype.com/hc/en-us/articles/360000134928 (CVE-2018-5307)

Workaround:
-----------
No workaround available.

Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF W. Schober, D. Ostovary / @2018

