Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-17444 — Weak Password Requirements in Artifactory

CWE-521 — Weak Password Requirements4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

92.5%

top 0.27%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Jfrog Artifactory

Timeline

PublishedOct 12

Latest updateMay 24

Description

Jfrog Artifactory uses default passwords (such as "password") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5jfrog/artifactoryall — 6.17.0

▶NVDjfrog/artifactory< 6.17.0

🔴Vulnerability Details

GHSA

GHSA-4845-j55w-6rx6: Jfrog Artifactory uses default passwords (such as "password") for administrative accounts and does not require users to change them↗2022-05-24

▶

CVEList

JFrog Artifactory does not enforce default admin password change↗2020-10-12

▶

💥Exploits & PoCs

Nuclei

Jfrog Artifactory <6.17.0 - Default Admin Password

▶