Nexus Repository Manager 3
CVE-2020-11753
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
An issue was discovered in Sonatype Nexus Repository Manager in versions 3.21.1 and 3.22.0. It is possible for a user with appropriate privileges to create, modify, and execute scripting tasks without use of the UI or API. NOTE: in 3.22.0, scripting is disabled by default (making this not exploitable).
AnalysisAI
An issue was discovered in Sonatype Nexus Repository Manager in versions 3.21.1 and 3.22.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.
Technical ContextAI
This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. An issue was discovered in Sonatype Nexus Repository Manager in versions 3.21.1 and 3.22.0. It is possible for a user with appropriate privileges to create, modify, and execute scripting tasks without use of the UI or API. NOTE: in 3.22.0, scripting is disabled by default (making this not exploitable). Affected products include: Sonatype Nexus Repository Manager 3.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.
More in Nexus Repository Manager 3
View allSonatype Nexus Repository Manager OSS/Pro version before 3.25.1 allows Remote Code Execution. Rated high severity (CVSS
Sonatype Nexus Repository 3.x through 3.33.1-01 is vulnerable to an HTTP header injection. Rated high severity (CVSS 8.2
Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (Issue 2 of 2). Rated medium severity (CVSS 6
Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (issue 1 of 2). Rated medium severity (CVSS 5
Sonatype Nexus Repository Manager 3 Pro up to and including 3.30.0 has Incorrect Access Control. Rated medium severity (
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today