CVE-2019-17444 - Vulnerability Details - OpenCVE

Description

Jfrog Artifactory uses default passwords (such as "password") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0.

Published: 2020-10-12

Score: 9.8 Critical

EPSS: 92.5% High

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Jfrog

Artifactory

affected

Version	Status	Constraints
`7.x`	unaffected	—
`all`	affected	< 6.17.0

Configuration 1 [-]

cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:*

No data.

No data available yet.

Remediation

Vendor Solution

This is fixed in 6.17, and 7.x and later releases.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.92493.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes
https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory

History

No history.

Subscriptions

Jfrog Artifactory

MITRE

Status: PUBLISHED

Assigner: palo_alto

Published: 2020-10-12T21:55:55.271Z

Updated: 2024-09-16T19:51:55.985Z

Reserved: 2019-10-10T00:00:00.000Z

Link: CVE-2019-17444

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-10-12T22:15:15.457

Modified: 2024-11-21T04:32:20.087

Link: CVE-2019-17444

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-521

{"containers": {"cna": {"affected": [{"product": "Artifactory", "vendor": "Jfrog", "versions": [{"status": "unaffected", "version": "7.x"}, {"lessThan": "6.17.0", "status": "affected", "version": "all", "versionType": "custom"}]}], "configurations": [{"lang": "en", "value": "This issue affects default configuration."}], "credits": [{"lang": "en", "value": "This issue was discovered by Daniel Shapira of Palo Alto Networks."}], "datePublic": "2020-10-12T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Jfrog Artifactory uses default passwords (such as \"password\") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-521", "description": "CWE-521: Weak Password Requirements", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-10-12T21:55:55.000Z", "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory"}, {"tags": ["x_refsource_MISC"], "url": "https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes"}], "solutions": [{"lang": "en", "value": "This is fixed in 6.17, and 7.x and later releases."}], "source": {"discovery": "EXTERNAL"}, "title": "JFrog Artifactory does not enforce default admin password change", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@paloaltonetworks.com", "DATE_PUBLIC": "2020-10-12T21:16:00.000Z", "ID": "CVE-2019-17444", "STATE": "PUBLIC", "TITLE": "JFrog Artifactory does not enforce default admin password change"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Artifactory", "version": {"version_data": [{"version_affected": "!", "version_value": "7.x"}, {"version_affected": "<", "version_name": "all", "version_value": "6.17.0"}]}}]}, "vendor_name": "Jfrog"}]}}, "configuration": [{"lang": "en", "value": "This issue affects default configuration."}], "credit": [{"lang": "eng", "value": "This issue was discovered by Daniel Shapira of Palo Alto Networks."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jfrog Artifactory uses default passwords (such as \"password\") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-521: Weak Password Requirements"}]}]}, "references": {"reference_data": [{"name": "https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory", "refsource": "MISC", "url": "https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory"}, {"name": "https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes", "refsource": "MISC", "url": "https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes"}]}, "solution": [{"lang": "en", "value": "This is fixed in 6.17, and 7.x and later releases."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:40:15.797Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes"}]}]}, "cveMetadata": {"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "assignerShortName": "palo_alto", "cveId": "CVE-2019-17444", "datePublished": "2020-10-12T21:55:55.271Z", "dateReserved": "2019-10-10T00:00:00.000Z", "dateUpdated": "2024-09-16T19:51:55.985Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:*", "matchCriteriaId": "26349534-E93D-4544-A889-E391D465BB5F", "versionEndExcluding": "6.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jfrog Artifactory uses default passwords (such as \"password\") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0."}, {"lang": "es", "value": "Jfrog Artifactory usa contrase\u00f1as predeterminadas (tal y como \"password\") para las cuentas administrativas y no requiere que los usuarios las cambien. Esto puede permitir que atacantes basados ??en una red no autorizados comprometan por completo Jfrog Artifactory. Este problema afecta a Jfrog Artifactory versiones anteriores a 6.17.0"}], "id": "CVE-2019-17444", "lastModified": "2024-11-21T04:32:20.087", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-10-12T22:15:15.457", "references": [{"source": "psirt@paloaltonetworks.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes"}, {"source": "psirt@paloaltonetworks.com", "tags": ["Vendor Advisory"], "url": "https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory"}], "sourceIdentifier": "psirt@paloaltonetworks.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-521"}], "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-521"}], "source": "nvd@nist.gov", "type": "Primary"}]}