module
Nexus Repository Manager Java EL Injection RCE
| Disclosed |
|---|
| Mar 31, 2020 |
Disclosed
Mar 31, 2020
Description
This module exploits a Java Expression Language (EL) injection in
Nexus Repository Manager versions up to and including 3.21.1 to
execute code as the Nexus user.
This is a post-authentication vulnerability, so credentials are
required to exploit the bug. Any user regardless of privilege level
may be used.
Tested against 3.21.1-01.
Nexus Repository Manager versions up to and including 3.21.1 to
execute code as the Nexus user.
This is a post-authentication vulnerability, so credentials are
required to exploit the bug. Any user regardless of privilege level
may be used.
Tested against 3.21.1-01.
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.