Jfrog: >> Artifactory >> 3.1.1 Security Vulnerabilities
A missing permission check in Jenkins Artifactory Plugin 3.2.2 and earlier in ArtifactoryBuilder.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVSS Score
4.3
EPSS Score
0.002
Published
2019-05-31
A missing permission check in Jenkins Artifactory Plugin 3.2.3 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
CVSS Score
4.3
EPSS Score
0.002
Published
2019-05-31
A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ReleaseAction#doSubmit, GradleReleaseApiAction#doStaging, MavenReleaseApiAction#doStaging, and UnifiedPromoteBuildAction#doSubmit allowed attackers to schedule a release build, perform release staging for Gradle and Maven projects, and promote previously staged builds, respectively.
CVSS Score
6.5
EPSS Score
0.001
Published
2019-05-31
Unrestricted file upload vulnerability in ui/artifact/upload in JFrog Artifactory before 4.16 allows remote attackers to (1) deploy an arbitrary servlet application and execute arbitrary code by uploading a war file or (2) possibly write to arbitrary files and cause a denial of service by uploading an HTML file.
CVSS Score
9.8
EPSS Score
0.194
Published
2018-05-01
JFrog Artifactory before 4.11 allows remote attackers to execute arbitrary code via an LDAP attribute with a crafted serialized Java object, aka LDAP entry poisoning.
CVSS Score
9.8
EPSS Score
0.017
Published
2016-12-09
Page 2