CVE-2020-10199
Published: 2020-04-01
CVE-2020-10199: Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).
Priority: P1 · 92 · high · CVSS 3.1 base score 8.8
CISA Known Exploited Vulnerability (remediation due 2022-05-03) · Exploited in the wild
EPSS: 99.06% (99.9th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonatype | nexus | < 3.21.2 | 3.21.2 |
Detection & IOCs (extracted from sources)
Command (request body quoted in the sources): {"name": "internal", "online": "true", "storage": {"blobStoreName": "default", "strictContentTypeValidation": "true"}, "group": {"memberNames": ["$\\A{3*3333}"]}}
- A 400 HTTP response containing 'Member repository does not exist: A9999' (or a similar numeric result of an EL arithmetic expression) indicates successful EL expression evaluation, a strong sign of exploitation.
- A 400 HTTP response body containing 'java.lang.UNIXProcess@' or 'java.lang.ProcessImpl' indicates successful OS command execution via EL injection.
- The exploit bypasses CSRF protection by supplying a random User-Agent header instead of the expected NX-ANTI-CSRF-TOKEN; monitor for POST requests to the repositories API with mismatched or absent CSRF tokens alongside unusual User-Agent strings.
- Check the Server response header for Nexus versions at or below 3.21.1 to identify unpatched instances; the header format is 'Nexus/<version> (OSS)'.
- FOFA/Shodan fingerprint for exposed Nexus Repository Manager instances: search for title="nexus repository manager".
- This is a post-authentication vulnerability; valid credentials (any privilege level) are required to exploit it. Default credentials used in PoC tools are admin/admin123 and admin/password.
- The Nuclei template uses hardcoded default credentials (admin/admin123); detections based solely on credential use may miss exploitation with non-default credentials.
- There is a public claim that this vulnerability may also be exploitable pre-authentication; this has not been confirmed in the reviewed sources.
- The Metasploit module targets Linux (x86/x64) and uses CmdStager with curl/wget flavors; Windows targets may behave differently (the Python PoC uses cmd.exe).
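The indicators above can be applied to proxy or WAF transaction logs. The following is an added example, not code from the original page or from any vendor or project tool; the record layout, the "repositories" path substring and the sample records are assumptions.

```python
"""Flag HTTP transactions that match the CVE-2020-10199 indicators listed above.
Added example; the record layout, path substring and sample data are assumptions."""
import re

# 400 body echoing an evaluated EL arithmetic result (e.g. 'A9999')
EL_EVAL_RE = re.compile(r"Member repository does not exist: \S*\d{2,}")
# 400 body leaking a Process object: the EL expression reached command execution
PROCESS_RE = re.compile(r"java\.lang\.(UNIXProcess|ProcessImpl)")
# Advisory header format 'Nexus/<version> (OSS)'; a build suffix such as -01 is ignored
SERVER_RE = re.compile(r"Nexus/(\d+)\.(\d+)\.(\d+)")
FIXED = (3, 21, 2)  # first fixed release


def version_is_vulnerable(server_header):
    """True when the Server header names a Nexus release before 3.21.2."""
    m = SERVER_RE.search(server_header or "")
    return bool(m) and tuple(int(x) for x in m.groups()) < FIXED


def analyze(tx):
    """Return the indicators one request/response record triggers (empty = clean).
    Assumed keys: method, path, req_headers, status, resp_headers, body."""
    reasons = []
    # matching on 'repositories' in the path is an assumption about the log format
    if tx["method"] == "POST" and "repositories" in tx["path"]:
        if "NX-ANTI-CSRF-TOKEN" not in tx["req_headers"]:
            reasons.append("repositories POST without NX-ANTI-CSRF-TOKEN header")
        if tx["status"] == 400:
            if EL_EVAL_RE.search(tx["body"]):
                reasons.append("EL arithmetic evaluated in 400 error body")
            if PROCESS_RE.search(tx["body"]):
                reasons.append("Process object leaked: OS command executed via EL")
    if version_is_vulnerable(tx["resp_headers"].get("Server")):
        reasons.append("Server header reports unpatched Nexus (< 3.21.2)")
    return reasons


SAMPLE = [  # constructed records, not captured traffic
    {"method": "POST", "path": "/service/rest/beta/repositories/go/group",
     "req_headers": {"User-Agent": "xk3jd9"}, "status": 400,
     "resp_headers": {"Server": "Nexus/3.21.1-01 (OSS)"},
     "body": '{"errors":[{"message":"Member repository does not exist: A9999"}]}'},
    {"method": "POST", "path": "/service/rest/beta/repositories/maven/hosted",
     "req_headers": {"User-Agent": "Mozilla/5.0", "NX-ANTI-CSRF-TOKEN": "0.42"},
     "status": 201, "resp_headers": {"Server": "Nexus/3.21.2-03 (OSS)"}, "body": ""},
]
```

Running `analyze` over each record in `SAMPLE` flags the first (missing CSRF token, evaluated EL result, unpatched version) and returns an empty list for the second.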
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |
OSV
Nexus Repository Manager 3 - Remote Code Execution
osv · 2020-04-14 · CVE-2020-10199 [HIGH]
Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).
GHSA
Nexus Repository Manager 3 - Remote Code Execution
ghsa · 2020-04-14 · CVE-2020-10199 [HIGH] · CWE-917
Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).
VulnCheck
Sonatype Nexus Repository Remote Code Execution Vulnerability
vulncheck · 2020 · CVSS 8.8 · CVE-2020-10199 [HIGH] · CWE-917
Sonatype Nexus Repository contains an unspecified vulnerability that allows for remote code execution.
Affected: Sonatype Nexus Repository
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2020-10199; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-17&host_type=src&vulnerability=cve-2020-10199; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-12&host_type=src&vulnerability=cve-2020-10199; https://dashboard.shadowserver
CISA
Sonatype Nexus Repository Remote Code Execution Vulnerability
cisa · 2021-11-03 · CVSS 8.8 · CVE-2020-10199 [HIGH] · CWE-917
Affected: Sonatype Nexus Repository
Sonatype Nexus Repository contains an unspecified vulnerability that allows for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-10199
Remediation Due Date: 2022-05-03
No detection rules found.
Exploit-DB
Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
exploitdb · 2021-01-06 · CVSS 8.8 · CVE-2020-10199 [HIGH]
---
# Exploit Title: Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
# Exploit Author: 1F98D
# Original Author: Alvaro Muñoz
# Date: 27 May 2020
# Vendor Homepage: https://www.sonatype.com/
# CVE: CVE-2020-10199
# Tested on: Windows 10 x64
# References:
# https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
#
# Nexus Repository Manager 3 versions 3.21.1 and below are vulnerable
# to Java EL injection which allows a low privilege user to remotely
# execute code on the target server.
#
#!/usr/bin/python3
import sys
import base64
import requests
URL='http://192.168.1.1:8081'
CMD='cmd.exe /c calc.exe'
USERNAME='admin'
PASSWORD='
Exploit-DB
Nexus Repository Manager - Java EL Injection RCE (Metasploit)
exploitdb · 2020-04-17 · CVSS 8.8 · CVE-2020-10199 [HIGH]
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# The class header was lost in extraction (everything between '<' and '=>' was
# swallowed as an HTML tag); the standard Metasploit prelude is restored here.
class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Nexus Repository Manager Java EL Injection RCE',
        'Description' => %q{
          This module exploits a Java Expression Language (EL) injection in Nexus
          Repository Manager versions up to and including 3.21.1 to execute code
          as the Nexus user.

          This is a post-authentication vulnerability, so credentials are required
          to exploit the bug. Any user regardless of privilege level may be used.

          Tested against 3.21.1-01.
        },
        'Author' => [
          'Alvaro Muñoz', # Discovery
          'wvu' # Module
        ],
        'References' => [
          ['CVE', '2020-10199'],
          ['URL', 'https://securitylab.github.com/advisories/GHSL-2020
Nuclei
Sonatype Nexus Repository Manager 3 - Remote Code Execution
nuclei · CVSS 8.8 · CVE-2020-10199 [HIGH]
Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection
Template:
id: CVE-2020-10199
info:
  name: Sonatype Nexus Repository Manager 3 - Remote Code Execution
  author: rootxharsh,iamnoooob,pdresearch
  severity: high
  description: Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patches or upgrade to a non-vulnerable version of Sonatype Nexus Repository Manager 3.
  reference:
    - https://twitter.com/iamnoooob/status/1246182773427240967
    - https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
    - https://nvd.nist.gov/vuln/detail/CVE-
Metasploit
Nexus Repository Manager Java EL Injection RCE
metasploit
This module exploits a Java Expression Language (EL) injection in Nexus Repository Manager versions up to and including 3.21.1 to execute code as the Nexus user. This is a post-authentication vulnerability, so credentials are required to exploit the bug. Any user regardless of privilege level may be used. Tested against 3.21.1-01.
References:
- http://packetstormsecurity.com/files/157261/Nexus-Repository-Manager-3.21.1-01-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/160835/Sonatype-Nexus-3.21.1-Remote-Code-Execution.html
- https://cwe.mitre.org/data/definitions/917.html
- https://support.sonatype.com/hc/en-us/articles/360044882533
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10199
2020-04-01: Published
2021-11-03: Added to CISA KEV
Exploited in the wild