CVE-2020-11753 - OpenCVE

An issue was discovered in Sonatype Nexus Repository Manager in versions 3.21.1 and 3.22.0. It is possible for a user with appropriate privileges to create, modify, and execute scripting tasks without use of the UI or API. NOTE: in 3.22.0, scripting is disabled by default (making this not exploitable).

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Sonatype	Nexus Repository Manager 3

Configuration 1 [-]

OR	cpe:2.3:a:sonatype:nexus_repository_manager_3:3.21.1:::::::*
	cpe:2.3:a:sonatype:nexus_repository_manager_3:3.22.0:::::::*

References

Link	Resource
https://cwe.mitre.org/data/definitions/284.html	Third Party Advisory
https://support.sonatype.com/hc/en-us/articles/360046233714	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-04-20T18:49:22

Updated: 2022-07-10T20:15:46

Reserved: 2020-04-14T00:00:00

Link: CVE-2020-11753

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-04-20T19:15:11.557

Modified: 2022-10-05T16:54:24.860

Link: CVE-2020-11753

JSON object: View

Redhat Information

No data.

CWE

CWE-863

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2020-04-16T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in Sonatype Nexus Repository Manager in versions 3.21.1 and 3.22.0. It is possible for a user with appropriate privileges to create, modify, and execute scripting tasks without use of the UI or API. NOTE: in 3.22.0, scripting is disabled by default (making this not exploitable)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-10T20:15:46", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://cwe.mitre.org/data/definitions/284.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.sonatype.com/hc/en-us/articles/360046233714"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-11753", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Sonatype Nexus Repository Manager in versions 3.21.1 and 3.22.0. It is possible for a user with appropriate privileges to create, modify, and execute scripting tasks without use of the UI or API. NOTE: in 3.22.0, scripting is disabled by default (making this not exploitable)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://cwe.mitre.org/data/definitions/284.html", "refsource": "MISC", "url": "https://cwe.mitre.org/data/definitions/284.html"}, {"name": "https://support.sonatype.com/hc/en-us/articles/360046233714", "refsource": "CONFIRM", "url": "https://support.sonatype.com/hc/en-us/articles/360046233714"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-11753", "datePublished": "2020-04-20T18:49:22", "dateReserved": "2020-04-14T00:00:00", "dateUpdated": "2022-07-10T20:15:46", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sonatype:nexus_repository_manager_3:3.21.1:*:*:*:*:*:*:*", "matchCriteriaId": "69D4A0D4-5DB1-45D9-B5E9-25E0CFD45328", "vulnerable": true}, {"criteria": "cpe:2.3:a:sonatype:nexus_repository_manager_3:3.22.0:*:*:*:*:*:*:*", "matchCriteriaId": "191E6788-7199-4EB9-9217-5243459599B7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Sonatype Nexus Repository Manager in versions 3.21.1 and 3.22.0. It is possible for a user with appropriate privileges to create, modify, and execute scripting tasks without use of the UI or API. NOTE: in 3.22.0, scripting is disabled by default (making this not exploitable)."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Sonatype Nexus Repository Manager en las versiones 3.21.1 y 3.22.0. Es posible que un usuario con los privilegios apropiados cree, modifique y ejecute tareas scripting sin utilizar la Interfaz de Usuario o la API. NOTA: en la versi\u00f3n 3.22.0, el scripting est\u00e1 deshabilitado por defecto (haciendo que esto no sea explotable)."}], "id": "CVE-2020-11753", "lastModified": "2022-10-05T16:54:24.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-20T19:15:11.557", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://cwe.mitre.org/data/definitions/284.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://support.sonatype.com/hc/en-us/articles/360046233714"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}