GHSA-g2f6-v5qh-h2mq

Source

https://github.com/advisories/GHSA-g2f6-v5qh-h2mq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-g2f6-v5qh-h2mq/GHSA-g2f6-v5qh-h2mq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-g2f6-v5qh-h2mq

Aliases

CVE-2020-10199

Published

2020-04-14T15:27:05Z

Modified

2025-10-22T19:17:19.496144Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H CVSS Calculator

Summary

Nexus Repository Manager 3 - Remote Code Execution

Details

Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).

Database specific

{
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": "2020-04-01T19:15:00Z",
    "github_reviewed_at": "2020-04-14T15:26:13Z",
    "cwe_ids": [
        "CWE-917"
    ]
}

References

Affected packages

Maven / org.sonatype.nexus:nexus-extdirect

Package

Name: org.sonatype.nexus:nexus-extdirect; View open source insights on deps.dev
Purl: pkg:maven/org.sonatype.nexus/nexus-extdirect

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.21.2

Affected versions

3.*

3.0.0-03

3.0.1-01

3.0.2-02

3.1.0-04

3.2.0-01

3.2.1-01

3.3.0-01

3.3.1-01

3.3.2-02

3.4.0-02

3.5.0-02

3.5.1-02

3.5.2-01

3.6.0-02

3.6.1-02

3.6.2-01

3.7.0-04

3.7.1-02

3.8.0-02

3.9.0-01

3.10.0-04

3.11.0-01

3.12.0-01

3.12.1-01

3.13.0-01

3.14.0-04

3.15.0-01

3.15.1-01

3.15.2-01

3.15.3-01

3.16.0-01

3.16.1-02

3.16.2-01

3.17.0-01

3.17.1-01

3.17.2-03

3.18.0-01

3.18.1-01

3.19.0-01

3.19.1-01

3.20.0-02

3.20.0-04

3.20.1-01

3.20.2-01

3.20.3-01

3.21.0-01

3.21.0-02

3.21.0-05

3.21.1-01