Safeguard
Vulnerability Analysis

Nexus Repository Manager Authenticated RCE via EL Injecti...

CVE-2020-10204 lets an authenticated Nexus Repository Manager user execute arbitrary code via EL injection. Here is what changed and how to respond.

Vikram Iyer
Security Researcher
7 min read

CVE-2020-10204 is an authenticated remote code execution (RCE) vulnerability in Sonatype Nexus Repository Manager 3, caused by improper handling of user-supplied Expression Language (EL) input in a privileged configuration feature. An attacker who holds a narrow, non-administrative Nexus privilege can craft a malicious EL statement that the server evaluates on the host operating system, resulting in arbitrary code execution in the context of the Nexus service account. Because Nexus Repository Manager typically sits at the center of an organization's build pipeline — brokering Maven, npm, Docker, PyPI, and NuGet artifacts — a successful exploit doesn't just compromise a single server. It hands an attacker a foothold from which to tamper with build artifacts, exfiltrate credentials stored in the repository configuration, or pivot deeper into the software supply chain.

CVE-2020-10204 is one of several authenticated and unauthenticated RCE issues Sonatype disclosed in Nexus Repository Manager 3 during this period, alongside CVE-2020-10199 and CVE-2020-10203. Together, they underscore a recurring theme in Nexus's architecture: features that let administrators define dynamic, expression-based logic — for filtering repository content, defining routing rules, or scripting automation tasks — are only as safe as the sandboxing around the expression evaluator itself. When that sandboxing is incomplete, "configuration" becomes "code execution."

What Makes CVE-2020-10204 an EL Injection Vulnerability

Nexus Repository Manager exposes functionality that lets privileged users write expressions to filter or select repository content dynamically — for example, to scope which artifacts a given role or routing rule applies to. That functionality evaluates user-supplied EL/JEXL-style expressions server-side. The flaw underlying CVE-2020-10204 is that the input passed into this evaluator was not adequately restricted, so a user who could reach that configuration surface could embed a crafted expression that broke out of the intended evaluation context and executed arbitrary Java code on the underlying host.

The critical detail — and the reason this is classified as an authenticated RCE rather than a pre-auth one — is that exploitation requires a valid Nexus account with a specific, limited privilege related to the affected feature. It does not require full system-administrator rights. That's a meaningful distinction for risk modeling: many organizations delegate scoped Nexus privileges to CI/CD service accounts, build engineers, or team leads who are not full admins, on the assumption that a narrower role carries narrower risk. CVE-2020-10204 broke that assumption. Any account holding the relevant privilege — deliberately granted or obtained through a separate compromise, such as leaked CI credentials or a stolen API token — could be leveraged into full remote code execution against the Nexus host.

Affected Versions and Components

  • Product: Sonatype Nexus Repository Manager 3 (NXRM3)
  • Affected releases: Versions prior to 3.21.2
  • Fixed in: Nexus Repository Manager 3.21.2
  • Vulnerable component: Server-side EL/expression evaluation used by a Nexus configuration feature that accepts privileged user input for content filtering
  • Prerequisite for exploitation: A valid, authenticated account holding the specific narrow privilege tied to the affected feature — not necessarily a full administrator role

Nexus Repository Manager 2.x is a separate, legacy product line and is not the affected codebase for this CVE; organizations still running NXRM2 should independently confirm their patch status against Sonatype's advisories for that product.

CVSS, EPSS, and KEV Context

Public vulnerability databases rate CVE-2020-10204 as a High-severity issue, consistent with the rest of the 2020 Nexus RCE cluster: full compromise of confidentiality, integrity, and availability on the host, reachable over the network, with low attack complexity and no user interaction required. The score sits below the 9.8–10.0 range reserved for unauthenticated, zero-click RCEs precisely because exploitation depends on possessing valid, privileged Nexus credentials — a real but lower bar than "unauthenticated attacker on the internet."

That authentication requirement also shapes its exploitation profile. CVE-2020-10204 has not been as widely weaponized in mass internet scanning as Nexus's earlier unauthenticated RCE (CVE-2019-7238), which was actively exploited by cryptomining campaigns targeting exposed instances. It does not appear on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing, and its EPSS likelihood score reflects the practical constraint that an attacker generally needs to first obtain or steal a privileged Nexus account. That said, "needs authentication" is a low bar in practice — leaked service-account tokens, weak passwords, SSO misconfigurations, and privilege creep from over-scoped CI/CD roles are all common ways attackers acquire exactly the access CVE-2020-10204 requires. Treat the "authenticated" qualifier as a mitigating factor, not a reason to deprioritize the fix.

Timeline

  • Sonatype identified and internally tracked the flaw as part of a broader review of expression-evaluation features across Nexus Repository Manager 3, alongside the related CVE-2020-10199 and CVE-2020-10203 issues disclosed in the same window.
  • Sonatype shipped Nexus Repository Manager 3.21.2, remediating the EL injection flaw along with the other issues in the same advisory cycle.
  • CVE-2020-10204 was assigned and published to the National Vulnerability Database (NVD) and Sonatype's own security advisories, documenting the affected version range (pre-3.21.2) and the fixed release.
  • Since disclosure, the CVE has remained a standard reference point in Nexus security hardening guidance and in software composition analysis (SCA) tooling that flags outdated repository manager deployments.

Remediation Steps

  1. Upgrade Nexus Repository Manager to 3.21.2 or later. This is the only complete fix. If you're running any version prior to 3.21.2, treat the upgrade as urgent — check your current version under Server Administration and Configuration in the Nexus UI, or via the /service/rest/v1/status API.
  2. Audit who holds the privilege tied to the affected content-filtering/expression feature. Apply least privilege: strip that capability from any account — human or service — that doesn't strictly need it, and never grant it by default to CI/CD automation accounts.
  3. Review Nexus audit logs for unexpected changes to content selectors, routing rules, or other expression-based configuration around the time you believe you may have been exposed, and for signs of process spawning or outbound connections from the Nexus host that don't match normal repository activity.
  4. Rotate credentials and tokens for the Nexus service account and any secrets accessible from the host — blob storage credentials, upstream repository proxy credentials, and signing keys — since RCE in the Nexus process context can expose everything the service account can reach.
  5. Take Nexus admin interfaces off the open internet. Restrict access to the admin UI and REST API to a VPN or trusted internal network, and enforce SSO/MFA for any account capable of modifying repository or security configuration.
  6. Re-scan your artifact repository after remediation. If there's any indication of compromise, don't just patch — verify the integrity of artifacts published or proxied through Nexus during the exposure window, since a compromised repository manager is a direct path to a poisoned software supply chain.

How Safeguard Helps

CVE-2020-10204 is a textbook example of why software supply chain security can't stop at scanning application dependencies — the infrastructure that stores and distributes those dependencies is itself part of the attack surface. Safeguard is built around that broader view.

Safeguard continuously inventories the tools in your software supply chain — including artifact repositories like Sonatype Nexus Repository Manager — and correlates their deployed versions against known vulnerabilities like CVE-2020-10204, flagging any instance still running a pre-3.21.2 release before it becomes an incident. Beyond version tracking, Safeguard helps enforce least-privilege access across the tools that make up your build and release pipeline, surfacing over-scoped service accounts and human users who hold sensitive privileges (like the content-selector permission at the heart of this CVE) they don't actually need — closing the exact gap that turns an "authenticated RCE" into a real-world breach.

Safeguard also gives security teams visibility into how build and repository infrastructure connects to the rest of the environment, so that if a tool like Nexus is ever compromised, the blast radius — credentials, signing keys, downstream consumers of published artifacts — is understood and contained quickly rather than discovered after the fact. For organizations running Nexus Repository Manager or similar package and artifact management systems, that combination of vulnerability awareness, privilege hygiene, and blast-radius mapping is what turns a disclosure like CVE-2020-10204 from a scramble into a routine patch cycle.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.