CVE-2019-9733

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-9733
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-9733.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-9733
Published
2019-04-11T19:29:01Z
Modified
2024-09-03T03:03:55.063476Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in JFrog Artifactory 6.7.3. By default, the access-admin account is used to reset the password of the admin account in case an administrator gets locked out from the Artifactory console. This is only allowable from a connection directly from localhost, but providing a X-Forwarded-For HTTP header to the request allows an unauthenticated user to login with the default credentials of the access-admin account while bypassing the whitelist of allowed IP addresses. The access-admin account can use Artifactory's API to request authentication tokens for all users including the admin account and, in turn, assume full control of all artifacts and repositories managed by Artifactory.

References

Affected packages

Git / github.com/jfrog/artifactory-docker-examples

Affected ranges

Type
GIT
Repo
https://github.com/jfrog/artifactory-docker-examples
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

5.*

5.0.1
5.1.0
5.1.2
5.1.3
5.1.4
5.10.0
5.10.1
5.10.2
5.10.3
5.10.4
5.11.0
5.2.0
5.3.0
5.3.1
5.3.2
5.4.0
5.4.1
5.4.2
5.4.4
5.4.5
5.4.6
5.5.0
5.5.1
5.5.2
5.6.0
5.6.1
5.6.2
5.6.3
5.7.0
5.7.1
5.7.2
5.8.0
5.8.1
5.8.2
5.8.3
5.8.4
5.9.0
5.9.1
5.9.3

6.*

6.0.1
6.0.2
6.0.3
6.1.0
6.2.0
6.3.0
6.3.2
6.3.3
6.4.0
6.4.1
6.5.0
6.5.1
6.5.13
6.5.2
6.5.3
6.5.6
6.5.8
6.5.9
6.6.0
6.6.1
6.6.3
6.6.5
6.7.0
6.7.1
6.7.2
6.7.3