GHSL-2020-014 - Remote Code Execution - Dynamic Code Evaluation via Scheduled Tasks
Nexus Repository Manager
No CVE was assigned
For example, an attacker can create a task using the following request:
A similar attack is also possible by updating existing tasks:
Note: These endpoints are also vulnerable to EL injection (see GHSL-2020-015).
This issue may lead to Remote Code Execution by high-privilege users.
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
You can contact the GHSL team at firstname.lastname@example.org. Please include GHSL-2020-014 in any communication regarding this issue.