CVE-2020-11753
Description
An issue was discovered in Sonatype Nexus Repository Manager in versions 3.21.1 and 3.22.0. It is possible for a user with appropriate privileges to create, modify, and execute scripting tasks without use of the UI or API. NOTE: in 3.22.0, scripting is disabled by default (making this not exploitable).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A privileged user in Sonatype Nexus Repository Manager 3.21.1 and 3.22.0 can create, modify, and execute scripting tasks without UI or API due to improper access control.
Vulnerability
An improper access control weakness (CWE-284 [1]) exists in Sonatype Nexus Repository Manager versions 3.21.1 and 3.22.0 [2]. A user who already holds the privileges needed for scripting can create, modify, and execute scripting tasks without going through the UI or the REST API, so the controls applied by those front ends do not cover every path by which a script task can be created. In 3.22.0 scripting is disabled by default, so a default installation is not exploitable; an instance on which the operator has enabled scripting remains affected.
Exploitation
An attacker with valid credentials and sufficient privileges can create, modify, and execute scripting tasks directly on the Nexus server without invoking the UI or the REST API. The public description does not name the alternative path; the vendor advisory [2] is the authoritative source for those details. Because a script task can only run when scripting is enabled, a 3.22.0 instance left at its default (scripting disabled) is not exploitable.
Impact
Successful exploitation lets the attacker run arbitrary scripting tasks on the Nexus Repository Manager server. Nexus 3 script tasks execute Groovy inside the server's JVM, so this amounts to arbitrary code execution with the privileges of the Nexus process, compromising the confidentiality, integrity, and availability of the instance and of the artifacts it serves to downstream builds.
Mitigation
In Sonatype Nexus Repository Manager 3.22.0, scripting is disabled by default, which closes the issue for installations that keep that default. For 3.21.1 the references listed here do not name a fixed release. Practical steps: upgrade to the release recommended in the vendor advisory [2]; leave scripting disabled unless it is genuinely required (on 3.22.0 that means not adding the opt-in property nexus.scripts.allowCreation=true to nexus.properties); and audit the scheduled task list for script-type tasks nobody recognises, since the bug allows such tasks to be created outside the normal UI and API paths.
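As an added example (not from the advisory or from Sonatype), the following Python audit helper checks the three facts that decide whether an instance is exposed: whether the reported version is one of the two affected releases, whether scripting is actually enabled, and whether any scheduled tasks of the script type already exist. It assumes the nexus.properties switch nexus.scripts.allowCreation that Sonatype documents for enabling script creation, that the task inventory is the JSON returned by GET /service/rest/v1/tasks, and that script tasks carry the type value "script"; confirm each of these against the documentation for your release. All inputs are constructed inline, so it runs offline.

```python
import json
import re

# Versions named in the advisory text.
AFFECTED_VERSIONS = {"3.21.1", "3.22.0"}
# Per the advisory text, 3.22.0 ships with scripting disabled unless the operator enables it.
SCRIPTING_OFF_BY_DEFAULT_FROM = (3, 22, 0)
# Documented nexus.properties switch for script creation (assumed here; confirm for your release).
SCRIPT_FLAG = "nexus.scripts.allowCreation"


def parse_version(version):
    """Turn '3.22.0' (optionally with a build suffix such as '3.22.0-02') into (3, 22, 0)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def scripting_enabled(version, props):
    """Script creation is on if the flag says so, or if the flag is absent on a release
    that pre-dates the default-off behaviour (3.21.1 in the affected range)."""
    flag = props.get(SCRIPT_FLAG)
    if flag is not None:
        return flag.strip().lower() == "true"
    return parse_version(version) < SCRIPTING_OFF_BY_DEFAULT_FROM


def script_tasks(tasks_json):
    """Names of scheduled tasks whose type is 'script' in a /service/rest/v1/tasks response."""
    doc = json.loads(tasks_json)
    return [t.get("name", "<unnamed>") for t in doc.get("items", []) if t.get("type") == "script"]


def assess(version, properties_text, tasks_json):
    """Combine the three signals into one verdict dictionary."""
    props = parse_properties(properties_text)
    base = ".".join(str(n) for n in parse_version(version))
    affected = base in AFFECTED_VERSIONS
    enabled = scripting_enabled(base, props)
    tasks = script_tasks(tasks_json)
    return {
        "affected_version": affected,
        "scripting_enabled": enabled,
        "script_tasks": tasks,
        # Exposed only when the release is affected AND scripting can actually run.
        "exposed": affected and enabled,
    }


# Constructed sample inputs (not captured from a real instance).
SAMPLE_VERSION = "3.22.0-02"
SAMPLE_PROPERTIES = """\
# $data-dir/etc/nexus.properties (constructed)
application-port=8081
nexus.scripts.allowCreation=true
"""
SAMPLE_TASKS = json.dumps({
    "items": [
        {"id": "a1", "name": "compact-default-blobstore", "type": "blobstore.compact",
         "currentState": "WAITING"},
        {"id": "b2", "name": "nightly-housekeeping", "type": "script",
         "currentState": "WAITING"},
    ],
    "continuationToken": None,
})

if __name__ == "__main__":
    verdict = assess(SAMPLE_VERSION, SAMPLE_PROPERTIES, SAMPLE_TASKS)
    print(json.dumps(verdict, indent=2))
    if verdict["exposed"]:
        print("ACTION: drop nexus.scripts.allowCreation=true (or upgrade) and review the script tasks listed.")
```

To run it against a live instance, feed assess() the version from the About dialog or the server's version header, the contents of $data-dir/etc/nexus.properties, and the body returned by an authenticated GET of /service/rest/v1/tasks. A non-empty script_tasks list on an affected release deserves a manual review of each task's source, because a task planted through the bypass looks like any other scheduled task in the UI.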
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sonatype / Nexus Repository Manager
- Range: 3.21.1, 3.22.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] cwe.mitre.org/data/definitions/284.html (CWE-284: Improper Access Control)
- [2] support.sonatype.com/hc/en-us/articles/360046233714 (Sonatype vendor advisory)
News mentions
No linked articles in our index yet.