CVSS: 8.8EPSS: 0%CPEs: 13EXPL: 0CVE-2022-0573
https://notcve.org/view.php?id=CVE-2022-0573
JFrog Artifactory before 7.36.1 and 6.23.41, is vulnerable to Insecure Deserialization of untrusted data which can lead to DoS, Privilege Escalation and Remote Code Execution when a specially crafted request is sent by a low privileged authenticated user due to insufficient validation of a user-provided serialized object. JFrog Artifactory versiones anteriores a 7.36.1 y 6.23.41, es vulnerable a una Deserialización no Segura de datos no confiables que puede conllevar a DoS, Escalada de Privilegios y Ejecución de Código Remota cuando una petición especialmente diseñada es enviada por un usuario autenticado con pocos privilegios debido a una insuficiente comprobación de un objeto serializado proporcionado por el usuario • https://www.jfrog.com/confluence/display/JFROG/CVE-2022-0573%3A+Artifactory+Vulnerable+to+Deserialization+of+Untrusted+Data https://www.jfrog.com/confluence/display/JFROG/JFrog+Security+Advisories • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-45074
https://notcve.org/view.php?id=CVE-2021-45074
JFrog Artifactory before 7.29.3 and 6.23.38, is vulnerable to Broken Access Control, a low-privileged user is able to delete other known users OAuth token, which will force a reauthentication on an active session or in the next UI session. JFrog Artifactory versiones anteriores a 7.29.3 y 6.23.38, es vulnerable a Un Control de Acceso Roto, un usuario con poco privilegiado es capaz de borrar el token OAuth de otros usuarios conocidos, lo que forzará a una re-autenticación en una sesión activa o en la siguiente sesión de la UI • https://www.jfrog.com/confluence/display/JFROG/CVE-2021-45074%3A+Artifactory+Broken+Access+Control+on+Delete+OAuth+Tokens https://www.jfrog.com/confluence/display/JFROG/JFrog+Security+Advisories • CWE-284: Improper Access Control •
CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 0CVE-2021-3860 – JFrog Artifactory SQL Injection
https://notcve.org/view.php?id=CVE-2021-3860
JFrog Artifactory before 7.25.4 (Enterprise+ deployments only), is vulnerable to Blind SQL Injection by a low privileged authenticated user due to incomplete validation when performing an SQL query. JFrog Artifactory versiones anteriores a 7.25.4 (sólo en las implementaciones Enterprise+), es vulnerable a una inyección SQL ciega por parte de un usuario autenticado con pocos privilegios debido a una comprobación incompleta cuando se lleva a cabo una consulta SQL JFrog Artifactory versions prior to 7.25.4 suffer from a remote blind SQL injection vulnerability. • http://packetstormsecurity.com/files/177162/JFrog-Artifactory-SQL-Injection.html https://www.jfrog.com/confluence/display/JFROG/CVE-2021-3860%3A+Artifactory+Low+Privileged+Blind+SQL+Injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 5%CPEs: 1EXPL: 0CVE-2019-17444 – JFrog Artifactory does not enforce default admin password change
https://notcve.org/view.php?id=CVE-2019-17444
Jfrog Artifactory uses default passwords (such as "password") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0. Jfrog Artifactory usa contraseñas predeterminadas (tal y como "password") para las cuentas administrativas y no requiere que los usuarios las cambien. Esto puede permitir que atacantes basados ?? • https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory • CWE-521: Weak Password Requirements •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19937
https://notcve.org/view.php?id=CVE-2019-19937
In JFrog Artifactory before 6.18, it is not possible to restrict either system or repository imports by any admin user in the enterprise, which can lead to "undesirable results." En JFrog Artifactory versiones anteriores a 6.18, no es posible restringir tanto las importaciones del sistema como del repositorio por parte de cualquier usuario administrador en la empresa, lo que puede conllevar a "undesirable results." • https://www.jfrog.com/confluence/display/RTF6X/Importing+and+Exporting https://www.jfrog.com/confluence/display/RTF6X/Release+Notes#ReleaseNotes-Artifactory6.18 https://www.secureworks.com/research/subject/advisories • CWE-862: Missing Authorization •