CNVD-2021-32031

Vulnerability from cnvd - Published: 2021-04-30
Title
Sonatype Nexus Repository Manager External Entity Injection Vulnerability
Description
Sonatype Nexus Repository Manager (NXRM) is a Maven repository manager from the US company Sonatype. Sonatype Nexus Repository Manager contains an external entity injection vulnerability that allows an attacker holding Nexus Repository Manager administrator privileges to configure the system in a way that accesses system files and interacts with any backend or external system that Nexus Repository Manager can reach.
Severity
Patch Name
Patch for the Sonatype Nexus Repository Manager External Entity Injection Vulnerability
Patch Description
Sonatype Nexus Repository Manager (NXRM) is a Maven repository manager from the US company Sonatype. Sonatype Nexus Repository Manager contains an external entity injection vulnerability that allows an attacker holding Nexus Repository Manager administrator privileges to configure the system in a way that accesses system files and interacts with any backend or external system that Nexus Repository Manager can reach. The vendor has now released a security advisory and related patch information that fixes this vulnerability.
Formal description

The vendor has released an upgrade patch that fixes the vulnerability; the patch can be obtained at: https://support.sonatype.com/hc/en-us/articles/1500000415082-CVE-2020-29436-Nexus-Repository-Manager-3-XML-External-Entities-injection-2020-12-15

Reference
https://nvd.nist.gov/vuln/detail/CVE-2020-29436
Impacted products
Name
Sonatype Nexus Repository Manager 3.*,<3.29.0

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-29436",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-29436"
    }
  },
  "description": "Sonatype Nexus Repository Manager\uff08NXRM\uff09\u662f\u7f8e\u56fdSonatype\u516c\u53f8\u7684\u4e00\u6b3eMaven\u4ed3\u5e93\u7ba1\u7406\u5668\u3002\n\nSonatype Nexus Repository Manager\u4ea7\u54c1\u5b58\u5728\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u4f7f\u5f97\u5177\u6709Nexus Repository Manager\u7ba1\u7406\u5458\u6743\u9650\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u4ee5\u4e00\u79cd\u65b9\u5f0f\u914d\u7f6e\u7cfb\u7edf\uff0c\u8bbf\u95ee\u7cfb\u7edf\u6587\u4ef6\uff0c\u5e76\u4e0e\u4efb\u4f55Nexus Repository Manager\u53ef\u4ee5\u8bbf\u95ee\u7684\u540e\u7aef\u6216\u5916\u90e8\u7cfb\u7edf\u8fdb\u884c\u4ea4\u4e92\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://support.sonatype.com/hc/en-us/articles/1500000415082-CVE-2020-29436-Nexus-Repository-Manager-3-XML-External-Entities-injection-2020-12-15",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-32031",
  "openTime": "2021-04-30",
  "patchDescription": "Sonatype Nexus Repository Manager\uff08NXRM\uff09\u662f\u7f8e\u56fdSonatype\u516c\u53f8\u7684\u4e00\u6b3eMaven\u4ed3\u5e93\u7ba1\u7406\u5668\u3002\r\n\r\nSonatype Nexus Repository Manager\u4ea7\u54c1\u5b58\u5728\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u4f7f\u5f97\u5177\u6709Nexus Repository Manager\u7ba1\u7406\u5458\u6743\u9650\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u4ee5\u4e00\u79cd\u65b9\u5f0f\u914d\u7f6e\u7cfb\u7edf\uff0c\u8bbf\u95ee\u7cfb\u7edf\u6587\u4ef6\uff0c\u5e76\u4e0e\u4efb\u4f55Nexus Repository Manager\u53ef\u4ee5\u8bbf\u95ee\u7684\u540e\u7aef\u6216\u5916\u90e8\u7cfb\u7edf\u8fdb\u884c\u4ea4\u4e92\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Sonatype Nexus Repository Manager\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Sonatype Nexus Repository Manager 3.*\uff0c\u003c3.29.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-29436",
  "serverity": "\u4e2d",
  "submitTime": "2020-12-17",
  "title": "Sonatype Nexus Repository Manager\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e"
}

