{"id":"CVE-2020-11415","details":"An issue was discovered in Sonatype Nexus Repository Manager 2.x before 2.14.17 and 3.x before 3.22.1. Admin users can retrieve the LDAP server system username/password (as configured in nxrm) in cleartext.","modified":"2026-04-11T15:27:45.971485Z","published":"2020-04-27T15:15:12.360Z","references":[{"type":"FIX","url":"https://support.sonatype.com/hc/en-us/articles/360045360854"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sonatype/nexus-public","events":[{"introduced":"0"},{"fixed":"1d46fc7fd231cfe44a1248126b3726b029cb12c5"},{"introduced":"0"},{"fixed":"2970940ed4e8286f2f7810d68fa1bda632626ec6"}],"database_specific":{"versions":[{"introduced":"2.0"},{"fixed":"2.14.17"},{"introduced":"3.0"},{"fixed":"3.22.1"}]}}],"versions":["release-2.14.10-01","release-2.14.11-01","release-2.14.12-02","release-2.14.13-01","release-2.14.14-01","release-2.14.15-01","release-2.14.16-01","release-2.14.4-02","release-2.14.4-03","release-2.14.5-02","release-2.14.9-01","release-3.20.0-04","release-3.20.1-01","release-3.21.0-05","release-3.22.0-02","release-3.3.0-01","release-3.4.0-02","release-3.5.0-02"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11415.json","vanir_signatures_modified":"2026-04-11T15:27:45Z","vanir_signatures":[{"signature_type":"Function","target":{"function":"enableCircularRedirectsForHosts","file":"components/nexus-core/src/test/java/org/sonatype/nexus/proxy/storage/remote/httpclient/HttpClientManagerTest.java"},"digest":{"function_hash":"240645833721311142931188455201698130904","length":1698},"id":"CVE-2020-11415-11459837","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Line","target":{"file":"components/nexus-core/src/test/java/org/sonatype/nexus/proxy/RepoConversionTest.java"},"digest":{"threshold":0.9,"line_hashes":["313652728092155124131652578897596951363","75552395171418087663321023820132818466","80308844729590517458752855001488350267","241298378827831399649577271181318244136"]},"id":"CVE-2020-11415-250ad543","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Line","target":{"file":"plugins/security/nexus-ldap-realm-plugin/src/main/java/org/sonatype/nexus/security/ldap/realms/api/AbstractLdapRealmPlexusResource.java"},"digest":{"threshold":0.9,"line_hashes":["105732598505126494730968126994249973236","5486727952625091785569061560646227169","26802220004424442769552865934949746844","89706019866321764821478914035592323550","302507516099481240891020680188249938979","2426180230470377667687938366976049923","254448962362602149670332302846941792623","148379250760639972240292922577561488661","325188647305976736770208098843764948054","292441688030371188746756674262591191351","134288337058826603750685886338816599626","255833137315742082294271631174665333027","19316709357196148287756445787288849473","297534156402927260252078887693327878714","273870472383021806250175286091104506890","152833066918038186165688582943319526249","104184821476952716407659788619231091551"]},"id":"CVE-2020-11415-2a608fb4","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Function","target":{"function":"getConnectionInfo","file":"plugins/security/nexus-ldap-realm-plugin/src/main/java/org/sonatype/nexus/security/ldap/realms/test/api/LdapUserAndGroupConfigTestPlexusResource.java"},"digest":{"function_hash":"213192425349250113544587698998596760416","length":606},"id":"CVE-2020-11415-2d200f42","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Function","target":{"function":"testAutoBlockNotification","file":"testsuite/legacy-testsuite/src/test/java/org/sonatype/nexus/testsuite/misc/nexus421/Nexus421PlainNotificationIT.java"},"digest":{"function_hash":"198856939401472080567237448991879447659","length":206},"id":"CVE-2020-11415-4631c814","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Function","target":{"function":"checkRepositoryRemoteAvailabilityNeglectLastModified","file":"components/nexus-core/src/test/java/org/sonatype/nexus/proxy/storage/remote/httpclient/HttpClientRemoteStorageTest.java"},"digest":{"function_hash":"141482858816590367538143224742830331263","length":1403},"id":"CVE-2020-11415-50a2156c","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Line","target":{"file":"components/nexus-core/src/test/java/org/sonatype/nexus/proxy/storage/remote/httpclient/HttpClientManagerTest.java"},"digest":{"threshold":0.9,"line_hashes":["76937787166610975614785287325581180696","47592977512203792220475622536246452690","261963528943652143194338839149025374878","81116282339286153062507326765973168649","76937787166610975614785287325581180696","47592977512203792220475622536246452690","261963528943652143194338839149025374878","8667927618148278804615146587360225262"]},"id":"CVE-2020-11415-58c922ca","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Function","target":{"function":"useCookiesForHosts","file":"components/nexus-core/src/test/java/org/sonatype/nexus/proxy/storage/remote/httpclient/HttpClientManagerTest.java"},"digest":{"function_hash":"280974540491874418763583610621608211711","length":1760},"id":"CVE-2020-11415-6dc63bbd","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Line","target":{"file":"testsuite/legacy-testsuite/src/test/java/org/sonatype/nexus/testsuite/p2/AbstractNexusP2IT.java"},"digest":{"threshold":0.9,"line_hashes":["287368276655180284869038877316923808104","97371735463767145816171830137553963059","74232037770447291550425508797409727055","8680744761148665961318336946404209515","188164282471286827070073082252442163110","218092425759497368720486118953813493468","336158656351160641407862554926511106874","196015033379296924224024635756873859215"]},"id":"CVE-2020-11415-6e08edee","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Line","target":{"file":"testsupport/nexus-test-harness-launcher/src/main/java/org/sonatype/nexus/integrationtests/MavenVerifierHelper.java"},"digest":{"threshold":0.9,"line_hashes":["36154398710401179399469910237234268179","217567070303244386307500693940184436339","337783925376695354837115980903317907964","153154282570817578589685481857037028730","17887781169321301513167116959678423242","48315428543199646586774622377406514372","122826859664113519752828357231254059282","17987084197544495331682315440727060422","86434469051012956011969367594849678931","205579455564456532580505916844059046793"]},"id":"CVE-2020-11415-7e353f64","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Line","target":{"file":"plugins/security/nexus-ldap-realm-plugin/src/main/java/org/sonatype/nexus/security/ldap/realms/test/api/LdapUserAndGroupConfigTestPlexusResource.java"},"digest":{"threshold":0.9,"line_hashes":["337292999257030301995547166643228680045","66759614147349769575237312688118647888","130039926844918441426469041557339354073","2441115962179044294038702986940917231","67033778631094604664925120294731288518","147935754953463013180335811718389290611","302507516099481240891020680188249938979","2426180230470377667687938366976049923","303930312423146421718823081141445846952","128828440205874627595277229762924718368","156001098977200925507359159537656554090","19748843971831624905393684739387683081","74644176691881472348070729612989020243"]},"id":"CVE-2020-11415-88da26b9","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Line","target":{"file":"testsuite/modern-testsuite/src/test/java/org/sonatype/nexus/testsuite/routing/RoutingSanityIT.java"},"digest":{"threshold":0.9,"line_hashes":["257463456077024846397483781880213451235","7829308363652557466283814297362189800","85522858717171682583471968426454723280","274512931955911907272747244466553149534"]},"id":"CVE-2020-11415-8f43c673","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Line","target":{"file":"components/nexus-core/src/test/java/org/sonatype/nexus/proxy/repository/AnAbstractProxyRepositoryRetrieveRemoteItemMethodTest.java"},"digest":{"threshold":0.9,"line_hashes":["16500945813323814449835362205242917511","207582526188893082475654255150281755653","99423431276113497360266227782001943586","43901037432536308310903024669118364962"]},"id":"CVE-2020-11415-9031fba7","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Function","target":{"function":"ldapToRestModel","file":"plugins/security/nexus-ldap-realm-plugin/src/main/java/org/sonatype/nexus/security/ldap/realms/api/AbstractLdapRealmPlexusResource.java"},"digest":{"function_hash":"255614087802833881110851642288705602787","length":488},"id":"CVE-2020-11415-9817385b","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Line","target":{"file":"components/nexus-core/src/test/java/org/sonatype/nexus/proxy/maven/routing/internal/scrape/NexusScraperTest.java"},"digest":{"threshold":0.9,"line_hashes":["184802936127081329308963733765782224856","81192444720934503718542493967186493170","186178878927137068259956188214583784232","28636624238064231287944201102577507844"]},"id":"CVE-2020-11415-98515ee2","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Line","target":{"file":"components/nexus-core/src/test/java/org/sonatype/nexus/proxy/storage/remote/httpclient/HttpClientRemoteStorageTest.java"},"digest":{"threshold":0.9,"line_hashes":["236531211909953826035585792587243477514","18072328923966546229035553277661375259","256556702301359487253913145703288083935","276969776425164833351334127357063407339"]},"id":"CVE-2020-11415-9a376927","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Function","target":{"function":"restToLdapModel","file":"plugins/security/nexus-ldap-realm-plugin/src/main/java/org/sonatype/nexus/security/ldap/realms/api/AbstractLdapRealmPlexusResource.java"},"digest":{"function_hash":"213192425349250113544587698998596760416","length":606},"id":"CVE-2020-11415-a0f5566b","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Function","target":{"function":"installUsingP2","file":"testsuite/legacy-testsuite/src/test/java/org/sonatype/nexus/testsuite/p2/AbstractNexusP2IT.java"},"digest":{"function_hash":"89353698924315526500952098661319940664","length":1394},"id":"CVE-2020-11415-ab8f654b","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Function","target":{"function":"prefixFileIsUnchanged","file":"testsuite/modern-testsuite/src/test/java/org/sonatype/nexus/testsuite/routing/RoutingSanityIT.java"},"digest":{"function_hash":"144936699398848969791316712941652340215","length":548},"id":"CVE-2020-11415-b1de4e2b","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Function","target":{"function":"convertHosted2Proxy","file":"components/nexus-core/src/test/java/org/sonatype/nexus/proxy/RepoConversionTest.java"},"digest":{"function_hash":"44680511609474172365069035319356101385","length":1401},"id":"CVE-2020-11415-ba6fe156","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Line","target":{"file":"testsuite/legacy-testsuite/src/test/java/org/sonatype/nexus/testsuite/misc/nexus421/Nexus421PlainNotificationIT.java"},"digest":{"threshold":0.9,"line_hashes":["82043193627118365738721614218741014049","233505075427726163236578551303599933726","160225661867460296192691436462730130273","39368266603541639483119902965822827303","122862609624316651976756847192494008380","56884259973345046302569446433236076206"]},"id":"CVE-2020-11415-be29ded8","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"},{"signature_type":"Function","target":{"function":"prepare","file":"components/nexus-core/src/test/java/org/sonatype/nexus/proxy/repository/AnAbstractProxyRepositoryRetrieveRemoteItemMethodTest.java"},"digest":{"function_hash":"41263886927830044494100717784378712334","length":1804},"id":"CVE-2020-11415-d9dfc394","deprecated":false,"source":"https://github.com/sonatype/nexus-public/commit/1d46fc7fd231cfe44a1248126b3726b029cb12c5","signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"}]}