CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19937
https://notcve.org/view.php?id=CVE-2019-19937
In JFrog Artifactory before 6.18, it is not possible to restrict either system or repository imports by any admin user in the enterprise, which can lead to "undesirable results." En JFrog Artifactory versiones anteriores a 6.18, no es posible restringir tanto las importaciones del sistema como del repositorio por parte de cualquier usuario administrador en la empresa, lo que puede conllevar a "undesirable results." • https://www.jfrog.com/confluence/display/RTF6X/Importing+and+Exporting https://www.jfrog.com/confluence/display/RTF6X/Release+Notes#ReleaseNotes-Artifactory6.18 https://www.secureworks.com/research/subject/advisories • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 1%CPEs: 12EXPL: 2CVE-2020-7931
https://notcve.org/view.php?id=CVE-2020-7931
In JFrog Artifactory 5.x and 6.x, insecure FreeMarker template processing leads to remote code execution, e.g., by modifying a .ssh/authorized_keys file. Patches are available for various versions between 5.11.8 and 6.16.0. The issue exists because use of the DefaultObjectWrapper class makes certain Java functions accessible to a template. En JFrog Artifactory versiones 5.x y 6.x, el procesamiento no seguro de la plantilla FreeMarker conlleva a una ejecución de código remota, por ejemplo, mediante la modificación de un archivo .ssh/authorized_keys. Los parches están disponibles para varias versiones entre 5.11.8 y 6.16.0. • https://github.com/gquere/CVE-2020-7931 https://github.com/atredispartners/advisories/blob/master/ATREDIS-2019-0006.md https://www.jfrog.com/confluence/display/RTF/Release+Notes •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10324
https://notcve.org/view.php?id=CVE-2019-10324
A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ReleaseAction#doSubmit, GradleReleaseApiAction#doStaging, MavenReleaseApiAction#doStaging, and UnifiedPromoteBuildAction#doSubmit allowed attackers to schedule a release build, perform release staging for Gradle and Maven projects, and promote previously staged builds, respectively. Una vulnerabilidad de tipo cross-site request forgery (CSRF), en el Plugin Artifactory de Jenkins versión 3.2.2 y anteriores, en ReleaseAction#doSubmit, GradleReleaseApiAction#doStaging, MavenReleaseApiAction#doStaging y UnifiedPromoteBuildAction#doSubmit, permitió a los atacantes programara un ensamblado de versión (build), liberar versiones de entorno de pruebas para proyectos de Gradle y Maven y promover ensamblados previos de entorno de prueba, respectivamente. • http://www.openwall.com/lists/oss-security/2019/05/31/2 http://www.securityfocus.com/bid/108540 https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1347 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2019-10322
https://notcve.org/view.php?id=CVE-2019-10322
A missing permission check in Jenkins Artifactory Plugin 3.2.2 and earlier in ArtifactoryBuilder.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Una falta de comprobación de permisos en el Plugin Artifactory de Jenkins versión 3.2.2 y anteriores, en ArtifactoryBuilder.DescriptorImpl#doTestConnection permitió a los usuarios con acceso General y de Lectura conectarse a una URL especificada por el atacante usando los ID de credenciales especificadas por el atacante conseguidas por medio de otro método, capturando credenciales almacenadas en Jenkins . • http://www.openwall.com/lists/oss-security/2019/05/31/2 http://www.securityfocus.com/bid/108540 https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1015%20%281%29 https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0787 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2019-10323
https://notcve.org/view.php?id=CVE-2019-10323
A missing permission check in Jenkins Artifactory Plugin 3.2.3 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. Una verificación de falta de permisos en Jenkins Artifactory Plugin 3.2.3 y versiones anteriores en varios métodos 'fillCredentialsIdItems' permitía a los usuarios con acceso General / Lectura para enumerar las credenciales. • http://www.openwall.com/lists/oss-security/2019/05/31/2 http://www.securityfocus.com/bid/108540 https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1015%20%282%29 https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0846 • CWE-862: Missing Authorization •