CVSS: 8.8EPSS: 0%CPEs: 13EXPL: 0CVE-2022-0573
https://notcve.org/view.php?id=CVE-2022-0573
16 May 2022 — JFrog Artifactory before 7.36.1 and 6.23.41, is vulnerable to Insecure Deserialization of untrusted data which can lead to DoS, Privilege Escalation and Remote Code Execution when a specially crafted request is sent by a low privileged authenticated user due to insufficient validation of a user-provided serialized object. JFrog Artifactory versiones anteriores a 7.36.1 y 6.23.41, es vulnerable a una Deserialización no Segura de datos no confiables que puede conllevar a DoS, Escalada de Privilegios y Ejecuci... • https://www.jfrog.com/confluence/display/JFROG/CVE-2022-0573%3A+Artifactory+Vulnerable+to+Deserialization+of+Untrusted+Data • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-45074
https://notcve.org/view.php?id=CVE-2021-45074
02 Mar 2022 — JFrog Artifactory before 7.29.3 and 6.23.38, is vulnerable to Broken Access Control, a low-privileged user is able to delete other known users OAuth token, which will force a reauthentication on an active session or in the next UI session. JFrog Artifactory versiones anteriores a 7.29.3 y 6.23.38, es vulnerable a Un Control de Acceso Roto, un usuario con poco privilegiado es capaz de borrar el token OAuth de otros usuarios conocidos, lo que forzará a una re-autenticación en una sesión activa o en la siguien... • https://www.jfrog.com/confluence/display/JFROG/CVE-2021-45074%3A+Artifactory+Broken+Access+Control+on+Delete+OAuth+Tokens • CWE-284: Improper Access Control •
CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 1CVE-2021-3860 – JFrog Artifactory SQL Injection
https://notcve.org/view.php?id=CVE-2021-3860
20 Dec 2021 — JFrog Artifactory before 7.25.4 (Enterprise+ deployments only), is vulnerable to Blind SQL Injection by a low privileged authenticated user due to incomplete validation when performing an SQL query. JFrog Artifactory versiones anteriores a 7.25.4 (sólo en las implementaciones Enterprise+), es vulnerable a una inyección SQL ciega por parte de un usuario autenticado con pocos privilegios debido a una comprobación incompleta cuando se lleva a cabo una consulta SQL JFrog Artifactory versions prior to 7.25.4 suf... • https://packetstorm.news/files/id/177162 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 5%CPEs: 1EXPL: 0CVE-2019-17444 – JFrog Artifactory does not enforce default admin password change
https://notcve.org/view.php?id=CVE-2019-17444
12 Oct 2020 — Jfrog Artifactory uses default passwords (such as "password") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0. Jfrog Artifactory usa contraseñas predeterminadas (tal y como "password") para las cuentas administrativas y no requiere que los usuarios las cambien. Esto puede permitir que atacantes basados ?? • https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes • CWE-521: Weak Password Requirements •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2164
https://notcve.org/view.php?id=CVE-2020-2164
25 Mar 2020 — Jenkins Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system. Jenkins Artifactory Plugin versiones 3.5.0 y anteriores, almacenan su contraseña no cifrada en el servidor de Artifactory en su archivo de configuración global en el maestro Jenkins, donde puede ser visualizado por usuarios con acceso al sistema de archivos maestro. • http://www.openwall.com/lists/oss-security/2020/03/25/2 • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2165
https://notcve.org/view.php?id=CVE-2020-2165
25 Mar 2020 — Jenkins Artifactory Plugin 3.6.0 and earlier transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure. Jenkins Artifactory Plugin versiones 3.6.0 y anteriores, transmiten contraseñas configuradas en texto plano como parte de su formulario de configuración global de Jenkins, resultando potencialmente en su exposición. • http://www.openwall.com/lists/oss-security/2020/03/25/2 • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19937
https://notcve.org/view.php?id=CVE-2019-19937
16 Mar 2020 — In JFrog Artifactory before 6.18, it is not possible to restrict either system or repository imports by any admin user in the enterprise, which can lead to "undesirable results." En JFrog Artifactory versiones anteriores a 6.18, no es posible restringir tanto las importaciones del sistema como del repositorio por parte de cualquier usuario administrador en la empresa, lo que puede conllevar a "undesirable results." • https://www.jfrog.com/confluence/display/RTF6X/Importing+and+Exporting • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 12EXPL: 2CVE-2020-7931
https://notcve.org/view.php?id=CVE-2020-7931
23 Jan 2020 — In JFrog Artifactory 5.x and 6.x, insecure FreeMarker template processing leads to remote code execution, e.g., by modifying a .ssh/authorized_keys file. Patches are available for various versions between 5.11.8 and 6.16.0. The issue exists because use of the DefaultObjectWrapper class makes certain Java functions accessible to a template. En JFrog Artifactory versiones 5.x y 6.x, el procesamiento no seguro de la plantilla FreeMarker conlleva a una ejecución de código remota, por ejemplo, mediante la modifi... • https://github.com/gquere/CVE-2020-7931 •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10321
https://notcve.org/view.php?id=CVE-2019-10321
31 May 2019 — A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ArtifactoryBuilder.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en el Plugin Artifactory de Jenkins versión 3.2.2 y anteriores, en ArtifactoryBuilder.DescriptorImpl#doTestConne... • http://www.openwall.com/lists/oss-security/2019/05/31/2 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2019-10323
https://notcve.org/view.php?id=CVE-2019-10323
31 May 2019 — A missing permission check in Jenkins Artifactory Plugin 3.2.3 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. Una verificación de falta de permisos en Jenkins Artifactory Plugin 3.2.3 y versiones anteriores en varios métodos 'fillCredentialsIdItems' permitía a los usuarios con acceso General / Lectura para enumerar las credenciales. • http://www.openwall.com/lists/oss-security/2019/05/31/2 • CWE-862: Missing Authorization •