CVE-2019-17444 - Vulnerability Details - OpenCVE

Jfrog Artifactory uses default passwords (such as "password") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.92338.

Key SSVC decision points have not yet been added.

Vendors	Products
Jfrog Subscribe	Artifactory Subscribe

Configuration 1 [-]

cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:*

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

This is fixed in 6.17, and 7.x and later releases.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes
https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: palo_alto

Published: 2020-10-12T21:55:55.271295Z

Updated: 2024-09-16T19:51:55.985Z

Reserved: 2019-10-10T00:00:00

Link: CVE-2019-17444

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-10-12T22:15:15.457

Modified: 2024-11-21T04:32:20.087

Link: CVE-2019-17444

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-521

{"containers": {"cna": {"affected": [{"product": "Artifactory", "vendor": "Jfrog", "versions": [{"status": "unaffected", "version": "7.x"}, {"lessThan": "6.17.0", "status": "affected", "version": "all", "versionType": "custom"}]}], "configurations": [{"lang": "en", "value": "This issue affects default configuration."}], "credits": [{"lang": "en", "value": "This issue was discovered by Daniel Shapira of Palo Alto Networks."}], "datePublic": "2020-10-12T00:00:00", "descriptions": [{"lang": "en", "value": "Jfrog Artifactory uses default passwords (such as \"password\") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-521", "description": "CWE-521: Weak Password Requirements", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-10-12T21:55:55", "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory"}, {"tags": ["x_refsource_MISC"], "url": "https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes"}], "solutions": [{"lang": "en", "value": "This is fixed in 6.17, and 7.x and later releases."}], "source": {"discovery": "EXTERNAL"}, "title": "JFrog Artifactory does not enforce default admin password change", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@paloaltonetworks.com", "DATE_PUBLIC": "2020-10-12T21:16:00.000Z", "ID": "CVE-2019-17444", "STATE": "PUBLIC", "TITLE": "JFrog Artifactory does not enforce default admin password change"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Artifactory", "version": {"version_data": [{"version_affected": "!", "version_value": "7.x"}, {"version_affected": "<", "version_name": "all", "version_value": "6.17.0"}]}}]}, "vendor_name": "Jfrog"}]}}, "configuration": [{"lang": "en", "value": "This issue affects default configuration."}], "credit": [{"lang": "eng", "value": "This issue was discovered by Daniel Shapira of Palo Alto Networks."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jfrog Artifactory uses default passwords (such as \"password\") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-521: Weak Password Requirements"}]}]}, "references": {"reference_data": [{"name": "https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory", "refsource": "MISC", "url": "https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory"}, {"name": "https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes", "refsource": "MISC", "url": "https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes"}]}, "solution": [{"lang": "en", "value": "This is fixed in 6.17, and 7.x and later releases."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:40:15.797Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes"}]}]}, "cveMetadata": {"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "assignerShortName": "palo_alto", "cveId": "CVE-2019-17444", "datePublished": "2020-10-12T21:55:55.271295Z", "dateReserved": "2019-10-10T00:00:00", "dateUpdated": "2024-09-16T19:51:55.985Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:*", "matchCriteriaId": "26349534-E93D-4544-A889-E391D465BB5F", "versionEndExcluding": "6.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jfrog Artifactory uses default passwords (such as \"password\") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0."}, {"lang": "es", "value": "Jfrog Artifactory usa contrase\u00f1as predeterminadas (tal y como \"password\") para las cuentas administrativas y no requiere que los usuarios las cambien. Esto puede permitir que atacantes basados ??en una red no autorizados comprometan por completo Jfrog Artifactory. Este problema afecta a Jfrog Artifactory versiones anteriores a 6.17.0"}], "id": "CVE-2019-17444", "lastModified": "2024-11-21T04:32:20.087", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-10-12T22:15:15.457", "references": [{"source": "psirt@paloaltonetworks.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes"}, {"source": "psirt@paloaltonetworks.com", "tags": ["Vendor Advisory"], "url": "https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory"}], "sourceIdentifier": "psirt@paloaltonetworks.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-521"}], "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-521"}], "source": "nvd@nist.gov", "type": "Primary"}]}