CVE-2020-10204: 
Java vulnerability analysis and mitigation

A Remote Code Execution (RCE) vulnerability was discovered in Sonatype Nexus Repository versions prior to 3.21.2. The vulnerability, identified as CVE-2020-10204, was disclosed on March 31, 2020. This security flaw affects all Nexus Repository 3.x OSS/Pro versions up to and including version 3.21.1 (Sonatype Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is characterized by improper input validation (CWE-20) and allows for remote code execution through crafted malicious requests to the Nexus Repository. The issue was addressed by implementing additional data validation and adjusting the configuration of the third-party library that enabled this attack vector (NVD, Sonatype Advisory).

If exploited, this vulnerability allows an attacker to execute arbitrary code on the system with the same privileges as the user running the Nexus Repository server. This could lead to complete system compromise, potentially affecting the confidentiality, integrity, and availability of the server and its data (Sonatype Advisory).

The recommended mitigation is to upgrade all affected instances of Nexus Repository 3 to version 3.21.2 or later. Sonatype has released this patch version which includes fixes for the vulnerability by implementing additional data validation and adjusting third-party library configurations (Sonatype Advisory).

Security researchers noted that many organizations were not keeping up with patching, as evidenced by the number of older vulnerable versions visible in Shodan scans. The vulnerability was discovered and reported by Github Security Lab team member @pwntester (Alvaro Muñoz) (AttackerKB).