CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19937
https://notcve.org/view.php?id=CVE-2019-19937
16 Mar 2020 — In JFrog Artifactory before 6.18, it is not possible to restrict either system or repository imports by any admin user in the enterprise, which can lead to "undesirable results." En JFrog Artifactory versiones anteriores a 6.18, no es posible restringir tanto las importaciones del sistema como del repositorio por parte de cualquier usuario administrador en la empresa, lo que puede conllevar a "undesirable results." • https://www.jfrog.com/confluence/display/RTF6X/Importing+and+Exporting • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 12EXPL: 2CVE-2020-7931
https://notcve.org/view.php?id=CVE-2020-7931
23 Jan 2020 — In JFrog Artifactory 5.x and 6.x, insecure FreeMarker template processing leads to remote code execution, e.g., by modifying a .ssh/authorized_keys file. Patches are available for various versions between 5.11.8 and 6.16.0. The issue exists because use of the DefaultObjectWrapper class makes certain Java functions accessible to a template. En JFrog Artifactory versiones 5.x y 6.x, el procesamiento no seguro de la plantilla FreeMarker conlleva a una ejecución de código remota, por ejemplo, mediante la modifi... • https://github.com/gquere/CVE-2020-7931 •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10321
https://notcve.org/view.php?id=CVE-2019-10321
31 May 2019 — A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ArtifactoryBuilder.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en el Plugin Artifactory de Jenkins versión 3.2.2 y anteriores, en ArtifactoryBuilder.DescriptorImpl#doTestConne... • http://www.openwall.com/lists/oss-security/2019/05/31/2 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2019-10323
https://notcve.org/view.php?id=CVE-2019-10323
31 May 2019 — A missing permission check in Jenkins Artifactory Plugin 3.2.3 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. Una verificación de falta de permisos en Jenkins Artifactory Plugin 3.2.3 y versiones anteriores en varios métodos 'fillCredentialsIdItems' permitía a los usuarios con acceso General / Lectura para enumerar las credenciales. • http://www.openwall.com/lists/oss-security/2019/05/31/2 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2019-10322
https://notcve.org/view.php?id=CVE-2019-10322
31 May 2019 — A missing permission check in Jenkins Artifactory Plugin 3.2.2 and earlier in ArtifactoryBuilder.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Una falta de comprobación de permisos en el Plugin Artifactory de Jenkins versión 3.2.2 y anteriores, en ArtifactoryBuilder.DescriptorImpl#doTestConnection permitió a los usuarios con acces... • http://www.openwall.com/lists/oss-security/2019/05/31/2 • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10324
https://notcve.org/view.php?id=CVE-2019-10324
31 May 2019 — A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ReleaseAction#doSubmit, GradleReleaseApiAction#doStaging, MavenReleaseApiAction#doStaging, and UnifiedPromoteBuildAction#doSubmit allowed attackers to schedule a release build, perform release staging for Gradle and Maven projects, and promote previously staged builds, respectively. Una vulnerabilidad de tipo cross-site request forgery (CSRF), en el Plugin Artifactory de Jenkins versión 3.2.2 y anteriores, en Relea... • http://www.openwall.com/lists/oss-security/2019/05/31/2 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000424
https://notcve.org/view.php?id=CVE-2018-1000424
09 Jan 2019 — An insufficiently protected credentials vulnerability exists in Jenkins Artifactory Plugin 2.16.1 and earlier in ArtifactoryBuilder.java, CredentialsConfig.java that allows attackers with local file system access to obtain old credentials configured for the plugin before it integrated with Credentials Plugin. Existe una vulnerabilidad de credenciales protegidas de forma insuficiente en el plugin Jenkins Jenkins Artifactory, en versiones 2.16.1 y anteriores, en ArtifactoryBuilder.java y CredentialsConfig.jav... • http://www.securityfocus.com/bid/106532 • CWE-522: Insufficiently Protected Credentials •
CVSS: 9.8EPSS: 6%CPEs: 1EXPL: 3CVE-2016-10036 – Jfrog Artifactory < 4.16 - Arbitrary File Upload / Remote Command Execution
https://notcve.org/view.php?id=CVE-2016-10036
26 Apr 2018 — Unrestricted file upload vulnerability in ui/artifact/upload in JFrog Artifactory before 4.16 allows remote attackers to (1) deploy an arbitrary servlet application and execute arbitrary code by uploading a war file or (2) possibly write to arbitrary files and cause a denial of service by uploading an HTML file. Vulnerabilidad de subida de archivos sin restricción en ui/artifact/upload en JFrog Artifactory, en versiones anteriores a la 4.16, permite que atacantes remotos (1) desplieguen una aplicación del s... • https://packetstorm.news/files/id/147378 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6501
https://notcve.org/view.php?id=CVE-2016-6501
09 Dec 2016 — JFrog Artifactory before 4.11 allows remote attackers to execute arbitrary code via an LDAP attribute with a crafted serialized Java object, aka LDAP entry poisoning. JFrog Artifactory en versiones anteriores a 4.11 permite a atacantes remotos ejecutar código arbitrario a través de un atributo LDAP con un objeto Java serializado manipulado, también conocido como envenenamiento de entrada LDAP. • http://www.securityfocus.com/bid/94855 • CWE-20: Improper Input Validation •