cnvd - cnvd-2020-22044

CNVD-2020-22044

Vulnerability from cnvd - Published: 2020-04-09

Title

JFrog Artifactory输入验证错误漏洞

Description

JFrog Artifactory是以色列JFrog公司的一款开源的通用Artifact存储库管理器，它支持集群和高可用性Docker注册表，并提供端到端的用于跟踪从开发到生产的工件自动化解决方案。 JFrog Artifactory 6.18之前版本中存在输入验证错误漏洞。目前没有详细漏洞细节提供。

Severity

中

Patch Name

JFrog Artifactory输入验证错误漏洞的补丁

Patch Description

JFrog Artifactory是以色列JFrog公司的一款开源的通用Artifact存储库管理器，它支持集群和高可用性Docker注册表，并提供端到端的用于跟踪从开发到生产的工件自动化解决方案。 JFrog Artifactory 6.18之前版本中存在输入验证错误漏洞。目前没有详细漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.jfrog.com/confluence/display/RTF6X/Release+Notes#ReleaseNotes-Artifactory6.18

Reference

https://www.secureworks.com/research/subject/advisories https://nvd.nist.gov/vuln/detail/CVE-2019-19937

Impacted products

Name
JFrog Artifactory <6.18

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-19937"
    }
  },
  "description": "JFrog Artifactory\u662f\u4ee5\u8272\u5217JFrog\u516c\u53f8\u7684\u4e00\u6b3e\u5f00\u6e90\u7684\u901a\u7528Artifact\u5b58\u50a8\u5e93\u7ba1\u7406\u5668\uff0c\u5b83\u652f\u6301\u96c6\u7fa4\u548c\u9ad8\u53ef\u7528\u6027Docker\u6ce8\u518c\u8868\uff0c\u5e76\u63d0\u4f9b\u7aef\u5230\u7aef\u7684\u7528\u4e8e\u8ddf\u8e2a\u4ece\u5f00\u53d1\u5230\u751f\u4ea7\u7684\u5de5\u4ef6\u81ea\u52a8\u5316\u89e3\u51b3\u65b9\u6848\u3002\n\nJFrog Artifactory 6.18\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.jfrog.com/confluence/display/RTF6X/Release+Notes#ReleaseNotes-Artifactory6.18",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-22044",
  "openTime": "2020-04-09",
  "patchDescription": "JFrog Artifactory\u662f\u4ee5\u8272\u5217JFrog\u516c\u53f8\u7684\u4e00\u6b3e\u5f00\u6e90\u7684\u901a\u7528Artifact\u5b58\u50a8\u5e93\u7ba1\u7406\u5668\uff0c\u5b83\u652f\u6301\u96c6\u7fa4\u548c\u9ad8\u53ef\u7528\u6027Docker\u6ce8\u518c\u8868\uff0c\u5e76\u63d0\u4f9b\u7aef\u5230\u7aef\u7684\u7528\u4e8e\u8ddf\u8e2a\u4ece\u5f00\u53d1\u5230\u751f\u4ea7\u7684\u5de5\u4ef6\u81ea\u52a8\u5316\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nJFrog Artifactory 6.18\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "JFrog Artifactory\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "JFrog Artifactory \u003c6.18"
  },
  "referenceLink": "https://www.secureworks.com/research/subject/advisories\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-19937",
  "serverity": "\u4e2d",
  "submitTime": "2020-03-18",
  "title": "JFrog Artifactory\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2019-19937 (GCVE-0-2019-19937)

Vulnerability from cvelistv5 – Published: 2020-03-16 19:45 – Updated: 2024-08-05 02:32

Summary

In JFrog Artifactory before 6.18, it is not possible to restrict either system or repository imports by any admin user in the enterprise, which can lead to "undesirable results."

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://www.secureworks.com/research/subject/advisories	x_refsource_MISC
	https://www.jfrog.com/confluence/display/RTF6X/Re…	x_refsource_MISC
	https://www.jfrog.com/confluence/display/RTF6X/Im…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T02:32:10.070Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.secureworks.com/research/subject/advisories"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.jfrog.com/confluence/display/RTF6X/Release+Notes#ReleaseNotes-Artifactory6.18"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.jfrog.com/confluence/display/RTF6X/Importing+and+Exporting"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In JFrog Artifactory before 6.18, it is not possible to restrict either system or repository imports by any admin user in the enterprise, which can lead to \"undesirable results.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-03-16T19:45:36",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.secureworks.com/research/subject/advisories"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.jfrog.com/confluence/display/RTF6X/Release+Notes#ReleaseNotes-Artifactory6.18"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.jfrog.com/confluence/display/RTF6X/Importing+and+Exporting"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-19937",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In JFrog Artifactory before 6.18, it is not possible to restrict either system or repository imports by any admin user in the enterprise, which can lead to \"undesirable results.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.secureworks.com/research/subject/advisories",
              "refsource": "MISC",
              "url": "https://www.secureworks.com/research/subject/advisories"
            },
            {
              "name": "https://www.jfrog.com/confluence/display/RTF6X/Release+Notes#ReleaseNotes-Artifactory6.18",
              "refsource": "MISC",
              "url": "https://www.jfrog.com/confluence/display/RTF6X/Release+Notes#ReleaseNotes-Artifactory6.18"
            },
            {
              "name": "https://www.jfrog.com/confluence/display/RTF6X/Importing+and+Exporting",
              "refsource": "MISC",
              "url": "https://www.jfrog.com/confluence/display/RTF6X/Importing+and+Exporting"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-19937",
    "datePublished": "2020-03-16T19:45:36",
    "dateReserved": "2019-12-23T00:00:00",
    "dateUpdated": "2024-08-05T02:32:10.070Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-22044

CVE-2019-19937 (GCVE-0-2019-19937)

Tags

Sightings

Nomenclature