RSS   Vulnerabilities for 'Artifactory'   RSS

2019-04-16
 
CVE-2018-19971

CWE-284
 

 
JFrog Artifactory Pro 6.5.9 has Incorrect Access Control.

 
2019-04-11
 
CVE-2019-9733

CWE-284
 

 
An issue was discovered in JFrog Artifactory 6.7.3. By default, the access-admin account is used to reset the password of the admin account in case an administrator gets locked out from the Artifactory console. This is only allowable from a connection directly from localhost, but providing a X-Forwarded-For HTTP header to the request allows an unauthenticated user to login with the default credentials of the access-admin account while bypassing the whitelist of allowed IP addresses. The access-admin account can use Artifactory's API to request authentication tokens for all users including the admin account and, in turn, assume full control of all artifacts and repositories managed by Artifactory.

 
2019-01-09
 
CVE-2018-1000424

CWE-255
 

 
An insufficiently protected credentials vulnerability exists in Jenkins Artifactory Plugin 2.16.1 and earlier in ArtifactoryBuilder.java, CredentialsConfig.java that allows attackers with local file system access to obtain old credentials configured for the plugin before it integrated with Credentials Plugin.

 
2016-12-09
 
CVE-2016-6501

 

 
JFrog Artifactory before 4.11 allows remote attackers to execute arbitrary code via an LDAP attribute with a crafted serialized Java object, aka LDAP entry poisoning.

 


Copyright 2019, cxsecurity.com

 

Back to Top