cbcvebase.
CVE-2020-10204
published 2020-04-01

CVE-2020-10204: Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution.

Priority: P3 · 57 · high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS: 24.32% (97.6th percentile)

Affected

1 range

Vendor: sonatype
Product: nexus
Version range: < 3.21.2
Fixed in: 3.21.2

Detection & IOCs (extracted from sources)

snort
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Nexus Repository Manager EL Injection to RCE Inbound (CVE-2020-10204)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|action|22 3a 22|"; content:"|22 3a 5b 22 24 5c 5c|"; distance:0; fast_pattern; reference:url,medium.com/@prem2/nexus-repository-manger-3-rce-cve-2020-10204-el-injection-rce-blind-566d902c1616; reference:cve,2020-10204; classtype:attempted-admin; sid:2031190; rev:1; metadata:created_at 2020_11_09, cve CVE_2020_10204, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_11_09;)
bytes
|22|action|22 3a 22| (HTTP POST body)
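  • Exploit traffic arrives as an inbound HTTP POST request; detect it by matching two byte patterns in the POST body: |22|action|22 3a 22| (the string "action":"), followed after the first match (distance:0) by |22 3a 5b 22 24 5c 5c| (the string ":["$\\). The second pattern is the fast_pattern and represents a JSON array value that begins with the EL injection prefix '$\', with the backslash JSON-escaped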
  • Rule should be deployed at the Perimeter, Internal, and on SSL-decrypting inspection points to catch both cleartext and TLS-wrapped exploitation attempts
  • The vulnerability is an Expression Language (EL) Injection leading to blind RCE in Sonatype Nexus Repository Manager 3 versions before 3.21.2
  • The Snort/Suricata rule (sid:2031190) targets inbound traffic only (flow:established,to_server); ensure your sensor is positioned to inspect inbound HTTP/HTTPS to Nexus Repository Manager hosts
  • SSL/TLS decryption is required for this rule to fire on HTTPS-protected Nexus instances

CVSS provenance

nvd · v3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.0 CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C