CVE-2019-17444 (GCVE-0-2019-17444)
Vulnerability from cvelistv5 – Published: 2020-10-12 21:55 – Updated: 2024-09-16 19:51
VLAI?
Title
JFrog Artifactory does not enforce default admin password change
Summary
Jfrog Artifactory uses default passwords (such as "password") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0.
Severity ?
9.8 (Critical)
CWE
- CWE-521 - Weak Password Requirements
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Jfrog | Artifactory |
Unaffected:
7.x
Affected: all , < 6.17.0 (custom) |
Credits
This issue was discovered by Daniel Shapira of Palo Alto Networks.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:40:15.797Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Artifactory",
"vendor": "Jfrog",
"versions": [
{
"status": "unaffected",
"version": "7.x"
},
{
"lessThan": "6.17.0",
"status": "affected",
"version": "all",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "This issue affects default configuration."
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Daniel Shapira of Palo Alto Networks."
}
],
"datePublic": "2020-10-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Jfrog Artifactory uses default passwords (such as \"password\") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-521",
"description": "CWE-521: Weak Password Requirements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-12T21:55:55",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes"
}
],
"solutions": [
{
"lang": "en",
"value": "This is fixed in 6.17, and 7.x and later releases."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "JFrog Artifactory does not enforce default admin password change",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@paloaltonetworks.com",
"DATE_PUBLIC": "2020-10-12T21:16:00.000Z",
"ID": "CVE-2019-17444",
"STATE": "PUBLIC",
"TITLE": "JFrog Artifactory does not enforce default admin password change"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Artifactory",
"version": {
"version_data": [
{
"version_affected": "!",
"version_value": "7.x"
},
{
"version_affected": "\u003c",
"version_name": "all",
"version_value": "6.17.0"
}
]
}
}
]
},
"vendor_name": "Jfrog"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "This issue affects default configuration."
}
],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by Daniel Shapira of Palo Alto Networks."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jfrog Artifactory uses default passwords (such as \"password\") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-521: Weak Password Requirements"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory",
"refsource": "MISC",
"url": "https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory"
},
{
"name": "https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes",
"refsource": "MISC",
"url": "https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes"
}
]
},
"solution": [
{
"lang": "en",
"value": "This is fixed in 6.17, and 7.x and later releases."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2019-17444",
"datePublished": "2020-10-12T21:55:55.271295Z",
"dateReserved": "2019-10-10T00:00:00",
"dateUpdated": "2024-09-16T19:51:55.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:*\", \"versionEndExcluding\": \"6.17.0\", \"matchCriteriaId\": \"26349534-E93D-4544-A889-E391D465BB5F\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Jfrog Artifactory uses default passwords (such as \\\"password\\\") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0.\"}, {\"lang\": \"es\", \"value\": \"Jfrog Artifactory usa contrase\\u00f1as predeterminadas (tal y como \\\"password\\\") para las cuentas administrativas y no requiere que los usuarios las cambien.\u0026#xa0;Esto puede permitir que atacantes basados ??en una red no autorizados comprometan por completo Jfrog Artifactory.\u0026#xa0;Este problema afecta a Jfrog Artifactory versiones anteriores a 6.17.0\"}]",
"id": "CVE-2019-17444",
"lastModified": "2024-11-21T04:32:20.087",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"psirt@paloaltonetworks.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2020-10-12T22:15:15.457",
"references": "[{\"url\": \"https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes\", \"source\": \"psirt@paloaltonetworks.com\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory\", \"source\": \"psirt@paloaltonetworks.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "psirt@paloaltonetworks.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"psirt@paloaltonetworks.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-521\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-521\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2019-17444\",\"sourceIdentifier\":\"psirt@paloaltonetworks.com\",\"published\":\"2020-10-12T22:15:15.457\",\"lastModified\":\"2024-11-21T04:32:20.087\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jfrog Artifactory uses default passwords (such as \\\"password\\\") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0.\"},{\"lang\":\"es\",\"value\":\"Jfrog Artifactory usa contrase\u00f1as predeterminadas (tal y como \\\"password\\\") para las cuentas administrativas y no requiere que los usuarios las cambien.\u0026#xa0;Esto puede permitir que atacantes basados ??en una red no autorizados comprometan por completo Jfrog Artifactory.\u0026#xa0;Este problema afecta a Jfrog Artifactory versiones anteriores a 6.17.0\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@paloaltonetworks.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"psirt@paloaltonetworks.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-521\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-521\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:*\",\"versionEndExcluding\":\"6.17.0\",\"matchCriteriaId\":\"26349534-E93D-4544-A889-E391D465BB5F\"}]}]}],\"references\":[{\"url\":\"https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes\",\"source\":\"psirt@paloaltonetworks.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory\",\"source\":\"psirt@paloaltonetworks.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…