{"id":"CVE-2019-15893","details":"Sonatype Nexus Repository Manager 2.x before 2.14.15 allows Remote Code Execution.","modified":"2026-04-11T12:42:13.676767Z","published":"2019-10-16T14:15:13.697Z","references":[{"type":"ADVISORY","url":"https://support.sonatype.com/hc/en-us/articles/360035055794"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sonatype/nexus-public","events":[{"introduced":"0"},{"fixed":"489b60472df89ad90eac84cc46995a54dfe2fb1b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.14.15"}]}}],"versions":["release-2.14.10-01","release-2.14.11-01","release-2.14.12-02","release-2.14.13-01","release-2.14.14-01","release-2.14.4-02","release-2.14.4-03","release-2.14.5-02","release-2.14.9-01"],"database_specific":{"vanir_signatures":[{"deprecated":false,"target":{"file":"plugins/restlet1x/nexus-restlet1x-plugin/src/test/java/org/sonatype/nexus/rest/repositories/RepositoryCreateUpdateTest.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-146653e6","digest":{"line_hashes":["12780703194987242122408587337175139756","119992880229045750479738926726483107882","164765667585103506325822005019133177019","111571833343265029220014207606410981192","252111221508343591733821050294052358545","268766355016040269225303207747102139105","50890304466927810091053656999260141745","225047341868785069140241308674867068413","241517412553098932566432634097774500346","261879521055557538535369901976998273446","173005466941965346991184213304159256952","136674298961833995103090883035517226250","218593278205916317427654572709980811340","106623552696791034587455906739874389472","10342762160046207220349575908851219094","154777086436144182611920872098895973194","4109921763431648561673712397683377642","258990439153273167913635818763454319312","97674431907433659741526665316892769810","76494831128288211097313445550657169221","105060529775130789335534758538246262662","185385792889360620710432151373773384939","285362644412811515790807890479299427900","255704336602304827257787308495247518258","84063056392748403412602170545369609070","261068842867325456986197734802616837897","321818978715254357463241212514283893704","306207101796282328298465124501364290472"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"target":{"file":"components/nexus-core/src/test/java/org/sonatype/nexus/proxy/maven/ArtifactStoreHelperTest.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-2567df89","digest":{"line_hashes":["257233591535040492049908186032893192903","89057165887116429458566631780823194236","88855386493617739074671206325727210928","146493662424638036021424454891403184378","296259028355897990462471063346658217712","11073700477027115186070146312126710291","265364290288553384243554975617862638179","216694397706031482385285227482250947674","336024496348715501048519434052345210263","80133985438918621960524437093391418994","33111279457432503704639471004635561500","151109667621839798202664793668136944216","327898638264790536776144869466121091638","33732137972221532853352711048630186414","163758196830730163651462364439106209557","233644768048411246926483557665083418730","15557277864645540091112725634710614741","218639630138801788847100463706437320679","182604737389609705432199988023534903797","26427861118969712708226802186612900416","34523078929738487767636172970646060402","194758770432896394713686713838382223015","44056065269639759117761237932858160151","223303444557585306099260455434551999579","272253330462784816361408313681091391856","302501302940239767016688914208037068872","233816743139037363007599196061914749482","325378366488737329494088776829156588680","320803021959055706117860706701117744034","108499424851836096698463973677835577872","69853910442435976456140087270549848575","331337881442583101378939281555586147716","114386406937477291804927053594923710544"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"target":{"function":"storeArtifactPom","file":"components/nexus-core/src/main/java/org/sonatype/nexus/proxy/maven/ArtifactStoreHelper.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-2a20b536","digest":{"function_hash":"104295469020247707921783324011282301137","length":662},"signature_type":"Function"},{"deprecated":false,"target":{"function":"getRepositoryAppModel","file":"plugins/restlet1x/nexus-restlet1x-plugin/src/main/java/org/sonatype/nexus/rest/repositories/RepositoryListPlexusResource.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-2b22531d","digest":{"function_hash":"69312321867342350571611893747635005852","length":1993},"signature_type":"Function"},{"deprecated":false,"target":{"function":"getCleanCommand","file":"plugins/yum/nexus-yum-repository-plugin/src/main/java/org/sonatype/nexus/yum/internal/task/CommandLineExecutor.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-66a8a034","digest":{"function_hash":"172350066266900041546365483964162514138","length":570},"signature_type":"Function"},{"deprecated":false,"target":{"function":"exec_notAllowed","file":"plugins/yum/nexus-yum-repository-plugin/src/test/java/org/sonatype/nexus/yum/internal/task/CommandLineExecutorTest.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-6d36be5a","digest":{"function_hash":"263313627747834187226904661301946100033","length":113},"signature_type":"Function"},{"deprecated":false,"target":{"function":"testUpdateLocalStorage","file":"plugins/restlet1x/nexus-restlet1x-plugin/src/test/java/org/sonatype/nexus/rest/repositories/RepositoryCreateUpdateTest.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-91302400","digest":{"function_hash":"258513961364860272829575308769527740953","length":646},"signature_type":"Function"},{"deprecated":false,"target":{"function":"exec_createRepoNoPath","file":"plugins/yum/nexus-yum-repository-plugin/src/test/java/org/sonatype/nexus/yum/internal/task/CommandLineExecutorTest.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-961ea8e9","digest":{"function_hash":"235673766160498618245182934890518822184","length":211},"signature_type":"Function"},{"deprecated":false,"target":{"function":"exec_pathNotAllowed","file":"plugins/yum/nexus-yum-repository-plugin/src/test/java/org/sonatype/nexus/yum/internal/task/CommandLineExecutorTest.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-997cc53b","digest":{"function_hash":"138408105637553158003035068036020878854","length":106},"signature_type":"Function"},{"deprecated":false,"target":{"function":"exec_extraConfigNotAllowed","file":"plugins/yum/nexus-yum-repository-plugin/src/test/java/org/sonatype/nexus/yum/internal/task/CommandLineExecutorTest.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-a0797dd5","digest":{"function_hash":"163511726886545557378422131249019410950","length":125},"signature_type":"Function"},{"deprecated":false,"target":{"function":"classifierNotPassedOnGeneratedPomAndClassifiedArtifactDeploy","file":"components/nexus-core/src/test/java/org/sonatype/nexus/proxy/maven/ArtifactStoreHelperTest.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-a087b46b","digest":{"function_hash":"162391901474894070898850017487122079789","length":1010},"signature_type":"Function"},{"deprecated":false,"target":{"file":"components/nexus-core/src/main/java/org/sonatype/nexus/proxy/maven/ArtifactStoreHelper.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-a3b91da6","digest":{"line_hashes":["227312002003526492147611207306262285242","215977110320705006136905603507402748674","172778496945226817443969630407695007173","51296084056914838432964146291797645749","312619117751778502052836849364166638167","94050658746785825166769156376520214596","221610916858653688718010593364033385034","119198840519285789606902588645646353775","215043148234142652977012500195963587964","255295273671831800483979990842558659096","312244941245741437995995935923220501944","6001716700364846661263524937695972054","19291259963850255875958399487929480760","249724629327386758214747087561967670747","11069816578579129127695184476044899285","212600841954317808711628839023776873762","315886843738188693527656018012573139804","165973502837095517175839603751053583237","137438416760213160838880275426228724672","316356895339340777891537568259037509117","288325582268656744826123061702298495250","289274405146105175498742404644998016050","36870282057294086939742285418140359524","97359531809243545114553745824234866765","284881759433542729382784343180136522404","232797651356207958722891157267498636920","9890653838080834197689747842638253403","105536070596357100236638155629489612823"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"target":{"file":"plugins/restlet1x/nexus-restlet1x-plugin/src/main/java/org/sonatype/nexus/rest/artifact/AbstractArtifactPlexusResource.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-add7537b","digest":{"line_hashes":["135446250720312826859013384011908963725","13648173170503663365227531421387692156","152579213994579058630801336678983826918","167034749595479127073109661217624096661","109376297401973223206138376896982165064","234766845086949185017271560236657066823","318179815116142077164374489055369313060","289357787561168435135543295071996498437","269214590282390752198698923465214351154","339778147086632868307824314511057232319","153178705443113598128252883574468820920","337969573490069090033753290701774653670","30800749679817868572977217617147515340"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"target":{"file":"plugins/restlet1x/nexus-restlet1x-plugin/src/main/java/org/sonatype/nexus/rest/repositories/AbstractRepositoryPlexusResource.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-b147628a","digest":{"line_hashes":["82881584351501130838962572669862513772","356180106707504265739659867689730174","309138483996268119294065139784249824767","141544437470277596941746858606345623662","94541914639273657434577725128759537252","206703393304413860392194374306274557533","145209828105451572560442012595821156591","38304189149150743316672331589954315148","331179735154534243866700777918231584715","15424501167384925780373598474651287801","267493099170476464872093421616710327844","258642515380724266732010819026879618955","8403852627812094612268273881780402119","240195119909471697440053831251025400822","16062439222812699693472463806865371048","202061924531727396392209042317743987289","167265673542048536902244420707280386197","137285495397881327819823921656808005965","228613598094691728275923647983103728233","142319748263105798143951161774814956823","186737764664567959528083258334107546246","77235372371609092527937097378320071354","107613518519920115380105652121105549743"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"target":{"function":"storeArtifact","file":"components/nexus-core/src/main/java/org/sonatype/nexus/proxy/maven/ArtifactStoreHelper.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-b4efcf64","digest":{"function_hash":"319329091171029038843265705296278487761","length":532},"signature_type":"Function"},{"deprecated":false,"target":{"file":"plugins/restlet1x/nexus-restlet1x-plugin/src/main/java/org/sonatype/nexus/rest/repositories/RepositoryPlexusResource.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-b8aff72c","digest":{"line_hashes":["207626935658679728182016577869257895632","78318196466639041577361347253749409809","155298700928979690052968150097619710419","311320615819038673211302221289739957995"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"target":{"function":"put","file":"plugins/restlet1x/nexus-restlet1x-plugin/src/main/java/org/sonatype/nexus/rest/repositories/RepositoryPlexusResource.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-bd8bb17b","digest":{"function_hash":"19897440089320210071270442116105296154","length":4723},"signature_type":"Function"},{"deprecated":false,"target":{"function":"storeArtifactWithGeneratedPom","file":"components/nexus-core/src/main/java/org/sonatype/nexus/proxy/maven/ArtifactStoreHelper.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-bfc6daf1","digest":{"function_hash":"194529764783094490419743976237896971818","length":1497},"signature_type":"Function"},{"deprecated":false,"target":{"file":"plugins/yum/nexus-yum-repository-plugin/src/test/java/org/sonatype/nexus/yum/internal/task/CommandLineExecutorTest.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-ceae67c5","digest":{"line_hashes":["4718466114435552420053898585754256204","294569160639266492025423768766008011164","275828669486933041944202163887727745834","46258124513253928507831950422498110263","57297909865526848101280817087606692762","157496887067640657455580014428412238929","32773266740231317998319754863340410097","115291408736062177946800855108468538093","100528509604774143404163197826357173625","5819762082772116769608735230739135064","1995656962635338407043689112022506275","309167792176871268128941739903050078862","243435887358818150885657557579833067668","292913709474986032301553745228562722173","276629026034656947067097517570298058354","335826754344143965349136800754796846109","323081283857130583622834775812638532065","239417306829230428294090973003703446709","272615288823647938730377475750397014554","210544314505273640352290978400541086307","152601023816661282461164865369372080011","228314365806584091850550793390278066610","119545532442727507681067454607946654374","221817725009768477514216243443822582714","320784277954207062422306344297362532893","133226687017414402904243625462111559793","22751951945025680688931213917430148971","225698757420087600327130979594497399355","64958469983741343233864718658737281678","220226229146289262460375764781538154914","332374264426114283921593539417209470894","160068606492615170763260382563483250233","162650147098792209260459976436495765936","145412600127143394870167624464015261590","134167916110305203678499491700037431683","284365177453182028153427671086741230867","63458575795708400177449765842933880471","231452518724932888364948656973293227810","249878325986550098296994612453396394107","72020541404831602310577666165558753262","37753608580459173075836084652357915859","155412509272831290401408332624696369838","156433056252924861170702001255896322418","235687535546274586809578059511082565673","44888163921468957670806495034960065865","161793732855923388391581039945733880859","195813401811980562509884700895853458098","257079860610597120047644803819496382871","13705746705145822800365838064622610320","335086609961947086653259027857933132529","46448514865936389784180615176508673681","262230429527015475133134000897629994202"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"target":{"function":"exec_mergeRepoNoPath","file":"plugins/yum/nexus-yum-repository-plugin/src/test/java/org/sonatype/nexus/yum/internal/task/CommandLineExecutorTest.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-d0ff01c8","digest":{"function_hash":"139268716473643036958249549333349438833","length":210},"signature_type":"Function"},{"deprecated":false,"target":{"function":"upload","file":"plugins/restlet1x/nexus-restlet1x-plugin/src/main/java/org/sonatype/nexus/rest/artifact/AbstractArtifactPlexusResource.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-d97072d4","digest":{"function_hash":"320181693873818283323850032066449243282","length":2980},"signature_type":"Function"},{"deprecated":false,"target":{"function":"exec_createRepo","file":"plugins/yum/nexus-yum-repository-plugin/src/test/java/org/sonatype/nexus/yum/internal/task/CommandLineExecutorTest.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-db5d8c5e","digest":{"function_hash":"110205799761284068799814265964281687156","length":104},"signature_type":"Function"},{"deprecated":false,"target":{"file":"plugins/yum/nexus-yum-repository-plugin/src/main/java/org/sonatype/nexus/yum/internal/task/CommandLineExecutor.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-dbdeb47f","digest":{"line_hashes":["211818035770911512755381516039255505577","169920791261384304517448872814927322165","140632508641321322247256831535520492272","79438030509956956564300819475348786680","74655792957163467884571076005042578844","122530615129361105168126933169422146586","233066185400676411824464760094776171213","315025312004316908898623186024499401752","5705234669123882595285226146194256791","186600109184910033107611283091900977475","32893103733593114125280905041768815310"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"target":{"file":"plugins/restlet1x/nexus-restlet1x-plugin/src/main/java/org/sonatype/nexus/rest/repositories/RepositoryListPlexusResource.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-debc4856","digest":{"line_hashes":["320808408291151097437006020918424407677","187950974340819534794052832669313867961","77248681399569035814036987333203564997","290665643147687411206040848451305380354","103606942451157542590274942439762515675","14915903016733267043929894943001126970","199500374616239342769928772033651076875","148176911615548946612781175893478516877","183023404809720640890197250974676149125","96730057406112247696500168467903755629","308353224814476268588311656556351075553","161647142549876971983802587188545651192","307462328104779206551173199646354563129","41968197821121662143683305263660877473","308951688395658228998698483119884405398","179433806614324952529981293564117583509","35270042090221102518933590207729769414","202040980612610234159434507033449447344","134135101483976159441434806190778128753","74266864580634547795333231538836627837","113184694011022325626640354911785825082","86100355803659288686562288509159572451","238393149604357144086101353978560278469","144508970051601317052665661794840917469","15568919661356146863921859332295219456","321779321293440148365535380317333297186","287014642937827708673004920337271462136","115147897478570647340788076684879588511","79795012970708123676812247411079476298","122432188637746371412571576360006500927","275557442759647888488263874738653979689","35451277417142607214878653156704762900","274525598516814222267261911248031819230","232115953813767035592606755226627194196","60177331178536974002956852098080741541","127042425180556918219487244935607954360","157723250956281506259613252279656208361","247521916427723023072251955547678869418","154564704401247198348175343961391247903","141666908359445257944825820739646093975","200086828786685670108573319769271784734","183781804858641206224036875147641787253","144455969540979013168231303102572811678","338943254675799054998128175390425666259","210121661337801791118876863919537853125","198409452616720783652123052114183790206","246836327133414292018368452663425592701","136758178767451633901602766467379022463","41897789358129345148417082547244659256","165354406038351632235866515181660738370","89498185958266576520271486516935887290","30330926789435323820679146849336449993","297322463568484686514454781084342062272","238682021878084933906445029673792994702","334693968316991656543264749931195745926","86241738292148568230546388358642541134","52282757800389556608741031292743026052","327876742066380531556094039228082305389","22370407264725408056041933678670526097","165852680974245350008521529695592723029","166008656923277551725499198526234072294","113307627636371364793822929762383582558","90991622260519811412340994639814182770","267954830070459470847894174007923659725","81727236691027992100847084744107935071","16129770818484018021088334018154008394","30996797508586769522281939620616860806"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"target":{"function":"exec_mergeRepo","file":"plugins/yum/nexus-yum-repository-plugin/src/test/java/org/sonatype/nexus/yum/internal/task/CommandLineExecutorTest.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-fa1f41dd","digest":{"function_hash":"338785222253050448178147748399853338974","length":103},"signature_type":"Function"},{"deprecated":false,"target":{"function":"setup","file":"plugins/yum/nexus-yum-repository-plugin/src/test/java/org/sonatype/nexus/yum/internal/task/CommandLineExecutorTest.java"},"signature_version":"v1","source":"https://github.com/sonatype/nexus-public/commit/489b60472df89ad90eac84cc46995a54dfe2fb1b","id":"CVE-2019-15893-fc6456d0","digest":{"function_hash":"32060631455472272243926380755027497309","length":249},"signature_type":"Function"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-15893.json","vanir_signatures_modified":"2026-04-11T12:42:13Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}