version: Sonatype Nexus Repository 3.60.0

summary

When Sonatype Nexus Repository is configured with IQ Server and IP access control is not set up as described in the document below, port scanning via SSRF is possible.
https://help.sonatype.com/en/securing-nexus-repository-manager.html#limit-ips-that-can-be-reached-from-your-nexus-repository-host
So I want to use the method in that document that limits the IPs a host with Nexus Repository 3 installed can reach; how can I do that?
Also, is there a way to avoid exposing error messages when an error occurs? An attacker could potentially exploit the information in those error messages.
vulnerability procedure
- Log in with an admin account in Sonatype Nexus Repository and open the IQ Server registration feature.
- Verify that the "verify connection" function can be used to test connectivity to the server entered in the IQ Server URL field.
- Only http:// and https:// schemes are allowed in the IQ Server URL; an example response is shown below.
- At this time, demo.example.com has ports 21 and 22 open. Appending :21 or :22 to demo.example.com in the verify connection function and sending the request reveals which ports are open, because the response values differ from those of previous requests. This shows an SSRF vulnerability that allows port scanning with the privileges of the server on which Sonatype Nexus Repository 3.60.0 is installed.
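The two mitigations asked about above, as an added illustration that is not Sonatype's code: an outbound URL check for a "verify connection" style feature that allowlists host and port (a scheme check alone does not stop port scanning) and rejects loopback or link-local resolutions, plus an error handler that logs the real failure server-side and returns only a generic message to the UI. The hostnames and ports are constructed, and `resolve` is injectable so the check can be exercised offline.

```python
"""Allowlist check for an outbound connectivity test plus generic error reporting."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"iq.internal.example"}  # constructed: only hosts Nexus may reach
ALLOWED_PORTS = {443, 8070}              # constructed: ports IQ Server listens on
GENERIC_ERROR = "Could not connect to IQ Server; see the server log for details."


def validate_iq_server_url(url, resolve=socket.gethostbyname):
    """Return (ok, reason) for a user-supplied IQ Server URL.

    Checking the scheme is not enough: an attacker can still vary host and
    port and use the response differences as a port scanner. Host and port
    must both be on the allowlist, and the resolved address must not be a
    loopback, link-local, multicast or unspecified address (defence in depth
    against DNS rebinding of an allowlisted name)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, "port not on allowlist"
    try:
        addr = ipaddress.ip_address(resolve(host))
    except (socket.gaierror, ValueError):
        return False, "host does not resolve"
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return False, "resolved address not allowed"
    return True, "ok"


def safe_error_message(exc, log):
    """Record the real exception in the server-side log and hand the UI a
    fixed message, so connection-refused vs. timeout details are not leaked."""
    log.append(f"verify connection failed: {exc!r}")
    return GENERIC_ERROR
```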