History: Oct 12, 2020 - 9:55 p.m.

CVE-2019-17444 JFrog Artifactory does not enforce default admin password change

2020-10-12 21:55:55
CWE-521
palo_alto
www.cve.org
jfrog artifactory
default password
administrative accounts
network-based attackers
compromise
vulnerability
version 6.17.0

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.5
Confidence: High

EPSS: 0.053
Percentile: 93.1%

JFrog Artifactory uses default passwords (such as "password") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise JFrog Artifactory. This issue affects JFrog Artifactory versions prior to 6.17.0.

CNA Affected

[
  {
    "product": "Artifactory",
    "vendor": "Jfrog",
    "versions": [
      {
        "status": "unaffected",
        "version": "7.x"
      },
      {
        "lessThan": "6.17.0",
        "status": "affected",
        "version": "all",
        "versionType": "custom"
      }
    ]
  }
]
