
CVE-2019-10322
https://notcve.org/view.php?id=CVE-2019-10322
31 May 2019 — A missing permission check in Jenkins Artifactory Plugin 3.2.2 and earlier in ArtifactoryBuilder.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credential IDs obtained through another method, capturing credentials stored in Jenkins. • http://www.openwall.com/lists/oss-security/2019/05/31/2 • CWE-862: Missing Authorization •

CVE-2019-10324
https://notcve.org/view.php?id=CVE-2019-10324
31 May 2019 — A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ReleaseAction#doSubmit, GradleReleaseApiAction#doStaging, MavenReleaseApiAction#doStaging, and UnifiedPromoteBuildAction#doSubmit allowed attackers to schedule a release build, perform release staging for Gradle and Maven projects, and promote previously staged builds, respectively. • http://www.openwall.com/lists/oss-security/2019/05/31/2 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2019-9733 – JFrog Artifactory Administrator Authentication Bypass
https://notcve.org/view.php?id=CVE-2019-9733
21 Mar 2019 — An issue was discovered in JFrog Artifactory 6.7.3. By default, the access-admin account is used to reset the password of the admin account if an administrator is locked out of the Artifactory console. This is only allowed for a connection originating directly from localhost, but supplying an X-Forwarded-For HTTP header in the request allows an unauthenticated user to log in with the default credentials of the access-admin account while bypassing the whitelist of allowed IP addresses. The access-admin account... • https://packetstorm.news/files/id/152172 •
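The bypass above is the general failure of deriving a client address from X-Forwarded-For without first deciding who is allowed to set that header. The following Python is an added illustration written for this page, not Artifactory's code: it puts the flawed resolver next to one that only honours the header when the TCP peer is a trusted reverse proxy, and walks the header from the right (proxies append, clients can only prepend). The trusted-proxy address, the loopback whitelist and the sample requests are constructed assumptions.

```python
import ipaddress
from typing import Callable, Mapping, Optional

# Assumed deployment facts (not Artifactory's real settings): the only peer
# allowed to speak for a client via X-Forwarded-For is one reverse proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
LOOPBACK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def _in(addr_text: str, nets) -> bool:
    """True if addr_text parses as an IP address inside one of nets."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def client_ip_vulnerable(peer_ip: str, headers: Mapping[str, str]) -> str:
    """The flawed pattern: whatever the sender wrote in X-Forwarded-For
    overrides the TCP peer address, so any client can claim to be 127.0.0.1."""
    xff = _header(headers, "X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip_hardened(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and
    then read it from the right: the rightmost hop that is not itself a
    trusted proxy is the client. Anything written further left is ignored."""
    if not _in(peer_ip, TRUSTED_PROXIES):
        return peer_ip
    xff = _header(headers, "X-Forwarded-For") or ""
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed hop: distrust the header entirely
        if not any(addr in net for net in TRUSTED_PROXIES):
            return hop
    return peer_ip


def loopback_only(peer_ip: str, headers: Mapping[str, str],
                  resolve: Callable[[str, Mapping[str, str]], str]) -> bool:
    """The whitelist decision: allow the localhost-only operation iff the
    resolved client address is loopback."""
    return _in(resolve(peer_ip, headers), LOOPBACK)


# Constructed requests (not captured traffic): (TCP peer address, headers).
SPOOFED = ("203.0.113.9", {"X-Forwarded-For": "127.0.0.1"})            # remote client forging the header
VIA_PROXY = ("10.0.0.5", {"X-Forwarded-For": "127.0.0.1, 203.0.113.9"})  # same forgery, via the trusted proxy
LOCAL = ("127.0.0.1", {})                                               # genuine request from the host

if __name__ == "__main__":
    for name, req in (("spoofed", SPOOFED), ("via proxy", VIA_PROXY), ("local", LOCAL)):
        print(f"{name:10} vulnerable={loopback_only(*req, client_ip_vulnerable)} "
              f"hardened={loopback_only(*req, client_ip_hardened)}")
```

The hardened resolver still depends on the proxy actually overwriting or appending to the header; if the proxy passes a client-supplied header through untouched, the rightmost-untrusted rule is what keeps the forged 127.0.0.1 from being chosen, because the proxy appends the real client address after it.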

CVE-2018-19971 – JFrog Artifactory Pro 6.5.9 Signature Validation
https://notcve.org/view.php?id=CVE-2018-19971
19 Mar 2019 — JFrog Artifactory Pro 6.5.9 has Incorrect Access Control. The SAML SSO addon in JFrog Artifactory version 6.5.9 does not properly validate the XML signature in the SAMLResponse field sent to the URL /webapp/saml/loginResponse. An attacker can use this flaw to log in as any user if they can already log in as some user. • https://packetstorm.news/files/id/152137 • CWE-345: Insufficient Verification of Data Authenticity •

CVE-2018-1000424
https://notcve.org/view.php?id=CVE-2018-1000424
09 Jan 2019 — An insufficiently protected credentials vulnerability exists in Jenkins Artifactory Plugin 2.16.1 and earlier in ArtifactoryBuilder.java and CredentialsConfig.java that allows attackers with local file system access to obtain old credentials configured for the plugin before it was integrated with Credentials Plugin. • http://www.securityfocus.com/bid/106532 • CWE-522: Insufficiently Protected Credentials •

CVE-2018-1000206
https://notcve.org/view.php?id=CVE-2018-1000206
13 Jul 2018 — JFrog Artifactory versions from 5.11 onward contain a Cross-Site Request Forgery (CSRF) vulnerability in UI REST endpoints that can result in a classic CSRF attack, allowing an attacker to perform actions as the logged-in user. Exploitation requires the victim to run a maliciously crafted Flash component. This vulnerability appears to have been fixed in 6.1. • https://www.geekboy.ninja/blog/exploiting-json-cross-site-request-forgery-csrf-using-flash • CWE-352: Cross-Site Request Forgery (CSRF) •
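The two CSRF entries on this page (the Jenkins plugin release actions, and the Artifactory UI REST endpoints reached from a Flash component) fail in the same way: a request that carries the victim's session cookie is accepted as the victim's intent. The Python below is an added illustration written for this page, not code from Jenkins, the plugin or Artifactory. It shows the three checks a state-changing handler should make, with the session-bound token being the one a cross-site page cannot satisfy because it cannot read the token. The origin allowlist, the token header name, the session id and the server secret are constructed assumptions.

```python
import hashlib
import hmac
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit

MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Assumed site origin; a real server derives this from its configured base URL.
ALLOWED_ORIGINS = {"https://artifactory.example.test"}
TOKEN_HEADER = "X-CSRF-Token"  # assumed header name


def issue_token(session_id: str, server_secret: bytes) -> str:
    """Token bound to the session, so one user's token is useless for another."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def guard_state_change(method: str, headers: Mapping[str, str],
                       session_id: str, server_secret: bytes) -> Tuple[bool, str]:
    """Decide whether a request may run a state-changing action.

    1. Only mutating methods: a write reachable by GET can be triggered by an
       <img> tag or a link (the Jenkins release actions were exposed this way).
    2. Origin, or Referer when Origin is absent, must be this site.
    3. A session-bound token must be present and correct. A cross-site Flash
       or form request can carry the victim's cookie but cannot read the token.
    """
    if method.upper() not in MUTATING_METHODS:
        return False, "state change attempted with a non-mutating method"

    origin = _header(headers, "Origin")
    if origin is None:
        referer = _header(headers, "Referer")
        if referer:
            parts = urlsplit(referer)
            origin = f"{parts.scheme}://{parts.netloc}"
    if origin not in ALLOWED_ORIGINS:
        return False, f"untrusted origin {origin!r}"

    token = _header(headers, TOKEN_HEADER) or ""
    expected = issue_token(session_id, server_secret)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed requests (not captured traffic) against a constructed secret.
SECRET = b"constructed-server-secret"
SESSION = "sess-1"
GOOD_TOKEN = issue_token(SESSION, SECRET)

LEGIT = ("POST", {"Origin": "https://artifactory.example.test", TOKEN_HEADER: GOOD_TOKEN})
GET_TRIGGERED = ("GET", {"Origin": "https://artifactory.example.test", TOKEN_HEADER: GOOD_TOKEN})
CROSS_SITE_JSON = ("POST", {"Origin": "https://attacker.example", "Content-Type": "application/json"})
SAME_ORIGIN_NO_TOKEN = ("POST", {"Referer": "https://artifactory.example.test/ui/"})

if __name__ == "__main__":
    for name, (method, hdrs) in (("legit", LEGIT), ("get-triggered", GET_TRIGGERED),
                                 ("cross-site json", CROSS_SITE_JSON),
                                 ("same-origin, no token", SAME_ORIGIN_NO_TOKEN)):
        print(f"{name:22} -> {guard_state_change(method, hdrs, SESSION, SECRET)}")
```

In Jenkins the first check is what the `@RequirePOST` annotation on a web method enforces; the token check corresponds to the Jenkins crumb. The origin check is defence in depth: it is cheap, but a deployment with a misconfigured base URL or a proxy that strips headers can break it, which is why the token remains the decisive control.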

CVE-2018-1000623
https://notcve.org/view.php?id=CVE-2018-1000623
09 Jul 2018 — JFrog Artifactory from version 4.0.0 and prior to version 6.0.3 contains a directory traversal vulnerability: the "Import Repository from Zip" feature, available through the Admin menu -> Import & Export -> Repositories, triggers a vulnerable UI REST endpoint (/ui/artifactimport/upload) that can result in directory traversal / file overwrite and remote code execution. An attacker with Admin privileges may use the aforementioned UI endpoint and exploit t... • https://www.jfrog.com/confluence/display/RTF/Release+Notes#ReleaseNotes-Artifactory6.0.3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
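The import flaw above is the archive-extraction form of CWE-22, usually called zip slip: an entry name containing `..` or an absolute path is joined to the destination directory and the file lands outside it. The Python below is an added illustration written for this page, not Artifactory's import code. It builds a small archive in memory with one benign entry and three escaping ones, shows the vulnerable join beside a containment check that resolves every entry and refuses anything outside the import root, and extracts only what passes. The archive contents and entry names are constructed.

```python
import io
import zipfile
from pathlib import Path
from typing import List, Tuple


class ZipSlipError(ValueError):
    """Raised for an archive entry whose name would land outside the import root."""


def build_sample_archive() -> bytes:
    """Constructed sample archive, not a real Artifactory export: one benign
    entry plus three that try to escape the destination directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("repo/libs/app-1.0.jar", b"not-a-real-jar")
        zf.writestr("../../etc/evil.sh", b"#!/bin/sh\necho pwned\n")         # parent traversal
        zf.writestr("/tmp/absolute.txt", b"absolute entry name")              # absolute name
        zf.writestr("repo/../../escape.txt", b"looks nested, resolves out")   # nested traversal
    return buf.getvalue()


def naive_target(dest: Path, entry_name: str) -> Path:
    """The vulnerable pattern (new File(dest, entry.getName()) in Java terms):
    the entry name is joined to dest with no containment check. An absolute
    name discards dest entirely; '..' components walk out of it."""
    return (dest / entry_name).resolve()


def safe_target(dest: Path, entry_name: str) -> Path:
    """Resolve the entry against dest and insist the result stays inside it.
    Backslashes are treated as separators so a Windows-built archive cannot
    smuggle '..\\' past a check that only looks for '/'."""
    root = dest.resolve()
    candidate = (root / entry_name.replace("\\", "/")).resolve()
    if root not in candidate.parents:
        raise ZipSlipError(f"entry escapes destination: {entry_name!r}")
    return candidate


def import_archive(zip_bytes: bytes, dest: Path) -> Tuple[List[str], List[str]]:
    """Extract with safe_target(); returns (extracted names, rejected names).
    Offending entries are skipped and reported rather than silently dropped."""
    extracted: List[str] = []
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = safe_target(dest, info.filename)
            except ZipSlipError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        ok, bad = import_archive(build_sample_archive(), Path(tmp))
        print("extracted:", ok)
        print("rejected: ", bad)
```

The check resolves both sides (`dest.resolve()` and the candidate) before comparing, so a destination that is itself reached through a symlink compares correctly, and a rejected entry never has its parent directories created. A production importer would additionally refuse symlink entries and cap total decompressed size, which this example leaves out.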

CVE-2016-10036 – Jfrog Artifactory < 4.16 - Arbitrary File Upload / Remote Command Execution
https://notcve.org/view.php?id=CVE-2016-10036
26 Apr 2018 — Unrestricted file upload vulnerability in ui/artifact/upload in JFrog Artifactory before 4.16 allows remote attackers to (1) deploy an arbitrary servlet application and execute arbitrary code by uploading a war file or (2) possibly write to arbitrary files and cause a denial of service by uploading an HTML file. • https://packetstorm.news/files/id/147378 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2016-6501
https://notcve.org/view.php?id=CVE-2016-6501
09 Dec 2016 — JFrog Artifactory before 4.11 allows remote attackers to execute arbitrary code via an LDAP attribute with a crafted serialized Java object, aka LDAP entry poisoning. • http://www.securityfocus.com/bid/94855 • CWE-20: Improper Input Validation •