jenkinsci / nexus-platform-plugin

Nexus Platform Plugin for Jenkins

Add protection from CSRF #291

Closed eduard-tita closed 10 months ago

eduard-tita commented 10 months ago

Nexus Platform plugin does not perform permission checks, allowing a user with Overall/Read permission to connect to an attacker-specified URL.

Two of the three endpoints also lead to credentials leaking due to the presence of the credentialsId parameter, which can be used by an attacker to receive a request with username and password base64 encoded inside the headers as Basic Authentication.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Culprit

NxiqConfiguration.groovy#L126
Nxrm2Configuration.groovy#L61
Nxrm3Configuration.groovy#L83

Recommendation

Links

Jira: https://sonatype.atlassian.net/browse/SEC-763
Build: https://jenkins.ci.sonatype.dev/job/integrations/job/jenkins/job/feature-snapshots/job/SEC-763-Vulnerabilities-Reported-by-Jenkins-Team/
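As an added illustration, not code from the plugin or from the report above, here is the shape of a Jenkins form-validation endpoint of the kind the issue describes, first without any guards and then hardened the way Jenkins plugin-security guidance prescribes. `ExampleServerConfig`, `doVerifyConnectionUnsafe`, `doVerifyConnection` and `tryConnect` are hypothetical names; the Stapler, Jenkins and credentials-plugin calls are real APIs (the `lookupCredentials` overload used is the long-standing, since-deprecated one).

```java
// Added example (hypothetical class and method names); not the nexus-platform-plugin's code.
package example;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

public class ExampleServerConfig extends AbstractDescribableImpl<ExampleServerConfig> {

    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleServerConfig> {

        @Override
        public String getDisplayName() {
            return "Example server";
        }

        // Vulnerable shape: reachable with a plain GET (so a link or <img> on another
        // site triggers it), callable by anyone with Overall/Read, and it sends the
        // selected credential as a Basic Authorization header to whatever serverUrl
        // the caller supplies.
        public FormValidation doVerifyConnectionUnsafe(@QueryParameter String serverUrl,
                                                       @QueryParameter String credentialsId) {
            return tryConnect(serverUrl, credentialsId);
        }

        // Hardened shape:
        //  - @POST makes Stapler reject non-POST requests, and a cross-origin POST
        //    fails Jenkins' CSRF crumb check;
        //  - the permission check runs before any credential is resolved or any
        //    connection is opened: Overall/Administer on the global configuration
        //    page (no ancestor Item), Item/Configure when reached from a job.
        @POST
        public FormValidation doVerifyConnection(@AncestorInPath Item item,
                                                 @QueryParameter String serverUrl,
                                                 @QueryParameter String credentialsId) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return tryConnect(serverUrl, credentialsId);
        }

        // Shared connection logic (hypothetical). This is what the unsafe method
        // exposes: the credential is resolved and its username:password is sent,
        // base64-encoded, to a URL of the caller's choosing.
        private FormValidation tryConnect(String serverUrl, String credentialsId) {
            try {
                StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                        CredentialsProvider.lookupCredentials(
                                StandardUsernamePasswordCredentials.class,
                                Jenkins.get(), ACL.SYSTEM,
                                Collections.<DomainRequirement>emptyList()),
                        CredentialsMatchers.withId(credentialsId));
                if (creds == null) {
                    return FormValidation.error("No such credentials: " + credentialsId);
                }
                HttpURLConnection conn = (HttpURLConnection) new URL(serverUrl).openConnection();
                conn.setRequestMethod("GET");
                String basic = creds.getUsername() + ":" + creds.getPassword().getPlainText();
                conn.setRequestProperty("Authorization", "Basic "
                        + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
                int status = conn.getResponseCode();
                return status == 200
                        ? FormValidation.ok("Connected")
                        : FormValidation.error("Server returned HTTP " + status);
            } catch (Exception e) {
                return FormValidation.error(e, "Connection failed");
            }
        }
    }
}
```

The order inside the hardened method matters: the permission check must precede the credential lookup and the outbound request, otherwise an Overall/Read user can still make the Jenkins controller hand a Basic Authorization header to a host they control before the check fires. When a page is only ever reached from a job, the `item == null` branch can be dropped, but the global-config case needs Overall/Administer.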