April 13, 2020

GHSL-2020-014: Remote Code execution - Dynamic Code Evaluation via Scheduled Tasks in Nexus Repository Manager

Alvaro Munoz


Product: Nexus Repository Manager

Tested Version

CVE: No CVE was assigned


A user holding the task-management permissions can create or update scheduled tasks that run arbitrary Groovy or JavaScript scripts, resulting in remote code execution on the server.

For example, an attacker can create a task using the following request:

Source: src/main/java/org/sonatype/nexus/coreui/TaskComponent.groovy:124
Permissions: nx-tasks-create

A similar attack is also possible by updating existing tasks:

Source: src/main/java/org/sonatype/nexus/coreui/TaskComponent.groovy:151
Permissions: nx-tasks-update

Note: these endpoints are also vulnerable to EL injection (see GHSL-2020-015).


This issue may lead to remote code execution by high-privilege users.

Coordinated Disclosure Timeline


This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).


You can contact the GHSL team at ; please include the identifier GHSL-2020-014 in any communication regarding this issue.