CVE-2020-10204
Published 2020-04-01
Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution.
Severity: high · CVSS 3.1 base score 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS: 24.32% (97.6th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonatype | nexus | < 3.21.2 | 3.21.2 |
Detection & IOCs
Snort/Suricata rule (sid:2031190):
```
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Nexus Repository Manager EL Injection to RCE Inbound (CVE-2020-10204)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|action|22 3a 22|"; content:"|22 3a 5b 22 24 5c 5c|"; distance:0; fast_pattern; reference:url,medium.com/@prem2/nexus-repository-manger-3-rce-cve-2020-10204-el-injection-rce-blind-566d902c1616; reference:cve,2020-10204; classtype:attempted-admin; sid:2031190; rev:1; metadata:created_at 2020_11_09, cve CVE_2020_10204, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_11_09;)
```
Byte pattern: `|22|action|22 3a 22|` (HTTP POST body)
- Exploit traffic arrives as an inbound HTTP POST request. The rule matches two byte patterns in the POST body: `|22|action|22 3a 22|` (the JSON text `"action":"`), then `|22 3a 5b 22 24 5c 5c|` (the JSON text `":["$\\`), where `distance:0` means the search for the second pattern starts at the end of the first match (it need not be adjacent). The second pattern is the JSON-escaped form of the EL injection prefix `$\`.
- The rule should be deployed at the Perimeter, Internal, and SSL-decrypting inspection points to catch both cleartext and TLS-wrapped exploitation attempts.
- The vulnerability is an Expression Language (EL) Injection leading to blind RCE in Sonatype Nexus Repository Manager 3 versions before 3.21.2.
- The Snort/Suricata rule (sid:2031190) targets inbound traffic only (`flow:established,to_server`); ensure your sensor is positioned to inspect inbound HTTP/HTTPS to Nexus Repository Manager hosts.
- SSL/TLS decryption is required for this rule to fire on HTTPS-protected Nexus instances.
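As an added illustration (not the rule author's or Proofpoint's code), the following Python mirrors the `http.method`, `http.request_body` content matches and the `distance:0` relation from sid:2031190, run over constructed request bodies so a detection engineer can check what the signature does and does not fire on; `snort_hex`, `rule_matches`, `decoded_data` and the sample bodies are this example's own.

```python
"""Emulate the content/distance matching of ET sid:2031190 (added example)."""
import json


def snort_hex(spec: str) -> bytes:
    """Decode a Snort content string such as '|22|action|22 3a 22|' into bytes.

    Text outside |...| is literal; text inside is space-separated hex bytes.
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


# The two content matches from the rule, in the order the rule lists them.
PATTERN_1 = snort_hex('|22|action|22 3a 22|')      # b'"action":"'
PATTERN_2 = snort_hex('|22 3a 5b 22 24 5c 5c|')    # b'":["$\\\\'  (JSON-escaped $\)


def rule_matches(method: bytes, body: bytes) -> bool:
    """Return True when the rule's content checks would all succeed."""
    if b"POST" not in method:                       # http.method; content:"POST"
        return False
    first = body.find(PATTERN_1)                    # http.request_body; content:P1
    if first < 0:
        return False
    # distance:0 -> the search for P2 begins at the end of the P1 match.
    # It does not require adjacency; that would need a 'within' modifier.
    return body.find(PATTERN_2, first + len(PATTERN_1)) >= 0


def decoded_data(body: bytes) -> str:
    """Show what the JSON-escaped '$\\\\' in the body becomes after parsing."""
    return json.loads(body)["data"][0]


# Constructed request bodies (not captured traffic); 'placeholder' stands in
# for whatever would follow the prefix in a real request.
SAMPLES = {
    "ordered": b'{"action":"x","method":"y","data":["$\\\\placeholder"]}',
    "reversed": b'{"data":["$\\\\placeholder"],"action":"x"}',   # P2 before P1
    "benign": b'{"action":"coreui_Search","data":["foo"]}',      # no P2
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:9s} POST -> {rule_matches(b'POST', body)}")
```

Only the "ordered" body fires, which is the order-sensitivity a detection engineer would want to confirm before tuning or porting the signature.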
CVSS provenance
- NVD, CVSS v3.1: 7.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)
OSV
Remote Code Execution - JavaEL Injection (low privileged accounts) in Nexus Repository Manager [HIGH]
osv · 2020-04-14
Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution.
GHSA
Remote Code Execution - JavaEL Injection (low privileged accounts) in Nexus Repository Manager [HIGH], CWE-20
ghsa · 2020-04-14
Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution.
Suricata
ET EXPLOIT Nexus Repository Manager EL Injection to RCE Inbound (CVE-2020-10204) [HIGH]
suricata · 2020-11-09 · CVSS 7.2
Rule: ET sid:2031190, reproduced in full under Detection & IOCs above.
No public exploits indexed.
No writeups or analysis indexed.