cvebase
CVE-2020-10199
published 2020-04-01

CVE-2020-10199: Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).

Priority: P1 (score 92) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 99.06% (99.9th percentile)
Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).

Affected

1 range
Vendor: sonatype · Product: nexus · Version range: < 3.21.2 · Fixed in: 3.21.2

Detection & IOCs (extracted from sources)

url: /service/rapture/session
url: /service/rest/beta/repositories/bower/group
url: /service/rest/beta/repositories/go/group
cookie: NX-ANTI-CSRF-TOKEN=1
command (request body): {"name": "internal", "online": "true", "storage": {"blobStoreName": "default", "strictContentTypeValidation": "true"}, "group": {"memberNames": ["$\\A{3*3333}"]}}
port: 8081
other: java.lang.UNIXProcess@
other: java.lang.ProcessImpl
  • A 400 HTTP response containing 'Member repository does not exist: A9999' (or a similar numeric result of the EL arithmetic expression sent in memberNames, e.g. 3*3333 -> 9999) indicates that the EL expression was evaluated server-side: a strong sign of exploitation.
  • A 400 HTTP response body containing 'java.lang.UNIXProcess@' or 'java.lang.ProcessImpl' indicates that an OS process was spawned via the EL injection, i.e. successful command execution.
  • The exploit tooling gets past the anti-CSRF filter by sending a non-browser (random) User-Agent header together with a fixed NX-ANTI-CSRF-TOKEN cookie value (1) rather than a browser-issued token; monitor for POST requests to the repositories API whose NX-ANTI-CSRF-TOKEN header and cookie are absent, mismatched, or set to a fixed value, especially alongside unusual User-Agent strings.
  • Check the Server response header to identify unpatched instances: versions at or below 3.21.1 (i.e. before the 3.21.2 fix) are affected; the header format is 'Nexus/<version> (OSS)'.
  • FOFA/Shodan fingerprint for exposed Nexus Repository Manager instances: search for title="nexus repository manager".
  • This is a post-authentication vulnerability; valid credentials (any privilege level) are required to exploit it. Default credentials used in PoC tools are admin/admin123 and admin/password.
  • The Nuclei template uses hardcoded default credentials (admin/admin123); detections based solely on default-credential use will miss exploitation with non-default credentials.
  • There is a public claim that this vulnerability may also be exploitable pre-authentication; this has not been confirmed in the reviewed sources.
  • The Metasploit module targets Linux (x86/x64) and uses CmdStager with curl/wget flavors; Windows targets may behave differently (the Python PoC uses cmd.exe).
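The indicators above can be turned into a small offline detector. The Python below is an added example written for this page; it is not code from the page, from Sonatype, or from any PoC, Nuclei or Metasploit project. It implements the Server-header version check, flags POST requests to the beta repositories group API whose memberNames carry an EL-style expression, checks the NX-ANTI-CSRF-TOKEN header/cookie for the absent, mismatched or fixed-value pattern when the User-Agent does not look like a browser, and scans 400 responses for the evaluation and process-spawn markers. Where a probe used integer arithmetic, it also confirms that the number echoed back is the expression's result. Assumptions: the Record layout, the sample request/response pairs (constructed, including the JSON error body shape), and the crude "Mozilla/" browser heuristic are all inventions of this example.

```python
"""Offline detector for CVE-2020-10199 indicators (added example, not vendor/PoC code)."""
import json
import re
from dataclasses import dataclass

FIXED_VERSION = (3, 21, 2)

SERVER_RE = re.compile(r"^Nexus/(\d+(?:\.\d+)*)")
# Matches ${...} as well as the $\A{...} / $A{...} spellings used by PoCs.
EL_RE = re.compile(r"\$\\?[A-Za-z]?\{[^}]*\}")
ARITH_RE = re.compile(r"\{\s*(\d+)\s*([*+-])\s*(\d+)\s*\}")
REPO_GROUP_RE = re.compile(r"^/service/rest/beta/repositories/[^/]+/group$")
EVAL_RE = re.compile(r"Member repository does not exist: A(\d+)")
EXEC_MARKERS = ("java.lang.UNIXProcess@", "java.lang.ProcessImpl")
BROWSER_UA_RE = re.compile(r"Mozilla/")  # assumption: crude "looks like a browser" test


def parse_nexus_version(server_header):
    """'Nexus/3.21.1 (OSS)' -> (3, 21, 1); None if the header is not a Nexus banner."""
    m = SERVER_RE.match(server_header or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable_version(server_header):
    """True when the banner reports a release before the 3.21.2 fix."""
    v = parse_nexus_version(server_header)
    return v is not None and v < FIXED_VERSION


def arithmetic_result(payload):
    """Evaluate the single integer operation inside a probe (e.g. 3*3333) without eval()."""
    m = ARITH_RE.search(payload)
    if not m:
        return None
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    return {"*": a * b, "+": a + b, "-": a - b}[op]


@dataclass
class Record:  # assumed log layout: one request/response pair per record
    method: str
    path: str
    status: int
    headers: dict
    cookies: dict
    body: str
    response: str


def _member_names(body):
    """Extract group.memberNames from a JSON request body, tolerating non-JSON input."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []
    group = doc.get("group") if isinstance(doc, dict) else None
    names = group.get("memberNames") if isinstance(group, dict) else None
    return [n for n in (names or []) if isinstance(n, str)]


def analyze(rec):
    """Return a list of (indicator, detail) findings for one request/response pair."""
    findings, expected = [], set()
    if rec.method == "POST" and REPO_GROUP_RE.match(rec.path):
        for name in _member_names(rec.body):
            if EL_RE.search(name):
                findings.append(("el_payload", name))
                r = arithmetic_result(name)
                if r is not None:
                    expected.add(r)
        ua = rec.headers.get("User-Agent", "")
        hdr, ck = rec.headers.get("NX-ANTI-CSRF-TOKEN"), rec.cookies.get("NX-ANTI-CSRF-TOKEN")
        # Absent, mismatched or fixed ("1") token from a non-browser client.
        if (hdr is None or hdr != ck or hdr == "1") and not BROWSER_UA_RE.search(ua):
            findings.append(("csrf_anomaly", f"header={hdr!r} cookie={ck!r} ua={ua!r}"))
    if rec.status == 400:
        m = EVAL_RE.search(rec.response)
        if m:
            kind = "el_evaluated_confirmed" if int(m.group(1)) in expected else "el_evaluated"
            findings.append((kind, m.group(0)))
        for marker in EXEC_MARKERS:
            if marker in rec.response:
                findings.append(("command_executed", marker))
    return findings


def scan(records):
    """Map record index -> findings, for every record that triggered an indicator."""
    return {i: f for i, r in enumerate(records) if (f := analyze(r))}


# Constructed sample traffic; the request body is the probe payload listed on the page.
PROBE_BODY = r'{"name": "internal", "online": "true", "storage": {"blobStoreName": "default", "strictContentTypeValidation": "true"}, "group": {"memberNames": ["$\\A{3*3333}"]}}'
SAMPLE_RECORDS = [
    Record("POST", "/service/rest/beta/repositories/go/group", 400,
           {"User-Agent": "k3jd8sQ", "NX-ANTI-CSRF-TOKEN": "1"}, {"NX-ANTI-CSRF-TOKEN": "1"},
           PROBE_BODY, '{"errors":[{"id":"memberNames","message":"Member repository does not exist: A9999"}]}'),
    Record("POST", "/service/rest/beta/repositories/bower/group", 400,
           {"User-Agent": "k3jd8sQ", "NX-ANTI-CSRF-TOKEN": "1"}, {"NX-ANTI-CSRF-TOKEN": "1"},
           PROBE_BODY.replace("3*3333", "cmd"),  # "cmd" stands in for an RCE expression
           '{"errors":[{"id":"memberNames","message":"Member repository does not exist: Ajava.lang.UNIXProcess@3f2a"}]}'),
    Record("POST", "/service/rest/beta/repositories/maven/group", 201,
           {"User-Agent": "Mozilla/5.0", "NX-ANTI-CSRF-TOKEN": "c0ffee"}, {"NX-ANTI-CSRF-TOKEN": "c0ffee"},
           '{"name": "maven-all", "online": true, "storage": {"blobStoreName": "default"}, "group": {"memberNames": ["maven-central"]}}', ""),
]

if __name__ == "__main__":
    print("vulnerable banner:", is_vulnerable_version("Nexus/3.21.1 (OSS)"))
    for idx, hits in scan(SAMPLE_RECORDS).items():
        print(idx, hits)
```

The benign third record (browser User-Agent, matching non-trivial token, plain repository names, 201) produces no findings, while the two probes are flagged on the request side (payload plus CSRF pattern) and again on the response side, which is the cross-check a practitioner wants before calling it exploitation rather than a scanner hitting a patched host.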

CVSS provenance

nvd v3.1: 8.8 HIGH  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 9.0 HIGH  AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck: 8.8 HIGH
cisa: 8.8 HIGH