imhunterand closed this pull request 4 months ago
Thanks @imhunterand for opening a pull request. The vulnerability you cite is implicated by the version of H2 currently included in release versions of Nexus Repository (see https://nvd.nist.gov/vuln/detail/CVE-2021-42392). We are aware of this association and have mitigating controls in place to prevent it from being relevant. Please review our Dependencies with No Impact disclosures page to see it and other affected dependencies.
Upgrading the version of H2 used by Nexus Repository is a far larger effort than is shown here and is currently on our roadmap for this year. Please subscribe to our release notes to know when it becomes available.
Lastly, Sonatype uses HackerOne to allow people like yourself to responsibly disclose security vulnerabilities. As you can appreciate, if this was a real RCE, disclosing it publicly before a fix is in place would potentially put deployments all over the world at immediate risk with no way of solving the problem. If you believe you have found a security vulnerability, please use our Bug Bounty Program to disclose responsibly.
Description 🐛
Affected versions of this project (sonatype/nexus-public) are vulnerable to Remote Code Execution (RCE). H2 Console allows loading of custom classes from remote servers through JNDI. This can lead to code execution. If remote access was enabled explicitly and some protection method (such as a security constraint) is not set, an intruder can load their own custom class and execute their code in a process using H2 Console (an H2 Server process or a web server with the H2 Console servlet). CWE-502
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
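The description above hinges on one condition: the H2 web console being reachable from other hosts. The following is an added example, not code from the Nexus Repository project or from H2, that contrasts the two ways of starting H2's console server with `org.h2.tools.Server`: one that passes `-webAllowOthers` (remote access enabled) and one that omits it, so the console only binds to the local machine. The `h2.allowedClasses` system property is H2's own allow-list for classes it may load; the package prefix `com.example.approved.` and the class name `H2ConsoleHardening` are placeholders chosen for this example.

```java
import org.h2.tools.Server;
import java.sql.SQLException;

/**
 * Added example (not Nexus Repository or H2 project code). Shows the
 * configuration difference that the PR description describes: an H2 web
 * console that accepts connections from other hosts versus one bound to
 * localhost only. Port 8082 is H2's default console port.
 */
public class H2ConsoleHardening {

    /**
     * Exposed configuration: "-webAllowOthers" makes the console reachable
     * from any host that can route to this machine. This is the setting the
     * description refers to as "remote access was enabled explicitly".
     */
    static Server startExposedConsole() throws SQLException {
        return Server.createWebServer("-webPort", "8082", "-webAllowOthers").start();
    }

    /**
     * Hardened configuration: without "-webAllowOthers" H2 binds the console
     * to the loopback interface, so only processes on the same machine can
     * reach it. The class allow-list is set before any H2 class initializes,
     * because H2 reads "h2.allowedClasses" when it loads its system properties;
     * in a real deployment set it on the JVM command line instead
     * (-Dh2.allowedClasses=com.example.approved.), and do not leave it at the
     * default of "*".
     */
    static Server startLocalOnlyConsole() throws SQLException {
        System.setProperty("h2.allowedClasses", "com.example.approved.");
        return Server.createWebServer("-webPort", "8082").start();
    }

    public static void main(String[] args) throws SQLException {
        // Start the local-only console, report where it listens, then shut it down.
        Server console = startLocalOnlyConsole();
        System.out.println("H2 console listening on " + console.getURL());
        console.stop();
    }
}
```

Operationally, the check a defender wants is the same one the description implies: confirm the console port is not bound on a non-loopback address (for example, by inspecting the listening sockets of the process), and treat any startup arguments containing `-webAllowOthers` as a finding to review.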