CVE-2020-10199: 
Java vulnerability analysis and mitigation

Sonatype Nexus Repository before version 3.21.2 contains a critical JavaEL Injection vulnerability (CVE-2020-10199) discovered on March 31, 2020. The vulnerability affects all Nexus Repository 3.x OSS/Pro versions up to and including 3.21.1. This issue was discovered and reported by Github Security Lab team member @pwntester (Alvaro Muñoz) (Sonatype Advisory).

The vulnerability is classified as a JavaEL (Expression Language) Injection issue that allows attackers to execute arbitrary code through crafted malicious requests. It has a CVSS v3.1 base score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability stems from improper neutralization of special elements used in an Expression Language statement, which could allow modification of the intended EL statement before execution (NVD, CWE-917).

The vulnerability allows an attacker with any type of account on Nexus Repository to execute arbitrary code with the privileges of the user running the Nexus Repository server. This could lead to complete system compromise, allowing attackers to execute code outside the scope of the Nexus Repository server (Sonatype Advisory).

The recommended mitigation is to upgrade all affected instances of Nexus Repository to version 3.21.2 or later. Sonatype has addressed the vulnerability by adjusting the configuration of the third-party library that allowed for this attack (Sonatype Advisory).