CVE-2019-9733
Published: 2019-04-11
Priority: P1 · 90 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 53.88% (98.9th percentile)
An issue was discovered in JFrog Artifactory 6.7.3. By default, the access-admin account is used to reset the password of the admin account in case an administrator gets locked out from the Artifactory console. This is only allowable from a connection directly from localhost, but providing a X-Forwarded-For HTTP header to the request allows an unauthenticated user to login with the default credentials of the access-admin account while bypassing the whitelist of allowed IP addresses. The access-admin account can use Artifactory's API to request authentication tokens for all users including the admin account and, in turn, assume full control of all artifacts and repositories managed by Artifactory.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jfrog | artifactory | — | — |
Detection & IOCs (extracted from sources)
Command (IOC): {"user":"access-admin","password":"password","type":"login"}
- Detect unauthenticated POST requests to the Artifactory login endpoint with an X-Forwarded-For header spoofing 127.0.0.1 and a body containing the 'access-admin' username.
- Alert on successful (HTTP 200) login responses containing '"username": "access-admin"' in the response body, indicating successful bypass exploitation.
- Monitor for the presence of both X-Forwarded-For and X-Requested-With: artUI headers in requests to /artifactory/ui/auth/login, which is the attack pattern for this bypass.
- Flag any API calls to request authentication tokens for all users (including admin) originating from the access-admin account, as this is the post-exploitation step following the bypass.
- The bypass only works because the access-admin account uses default credentials ('password'). Changing the default password of the access-admin account mitigates the risk even if the IP whitelist bypass via X-Forwarded-For is present.
- The IP whitelist restriction (localhost-only) for the access-admin account is bypassable via the X-Forwarded-For header, meaning network-level controls alone are insufficient without patching.
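The four detection items above, turned into runnable matching logic over sample log records. This is an added example, not code from the advisory sources, JFrog, or the page; the event record layout (one dict per request with method, path, headers, body, status, response body, authenticated principal and TCP source address), the token endpoint path `TOKEN_PATH_PREFIX`, the `trusted_proxies` parameter and all sample events are constructed assumptions for illustration.

```python
"""Detection logic for the CVE-2019-9733 access-admin bypass pattern.

Added example (not from the advisory or JFrog). Event records are a
constructed, simplified view of a reverse-proxy or access log.
"""
import ipaddress
import json
from typing import Dict, Iterable, List, Optional

LOGIN_PATH = "/artifactory/ui/auth/login"
# Assumption for illustration: the token-issuing REST path in this deployment.
# Adjust to the endpoint your Artifactory instance actually exposes.
TOKEN_PATH_PREFIX = "/artifactory/api/security/token"
DEFAULT_ACCOUNT = "access-admin"


def header(event: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup on an event record."""
    for key, value in event.get("headers", {}).items():
        if key.lower() == name.lower():
            return value
    return None


def has_loopback_hop(xff: str) -> bool:
    """True if any hop listed in an X-Forwarded-For value is a loopback address."""
    for hop in xff.split(","):
        try:
            if ipaddress.ip_address(hop.strip()).is_loopback:
                return True
        except ValueError:
            continue  # not an IP literal (e.g. "unknown"); ignore it
    return False


def json_field(text: Optional[str], field: str) -> Optional[str]:
    """Return a string-valued field from a JSON object body, else None."""
    if not text:
        return None
    try:
        doc = json.loads(text)
    except ValueError:
        return None
    value = doc.get(field) if isinstance(doc, dict) else None
    return value if isinstance(value, str) else None


def classify_event(event: dict, trusted_proxies: Iterable[str] = ()) -> List[str]:
    """Return the names of the detection rules that match one event."""
    findings: List[str] = []
    path = event.get("path", "")
    body = event.get("body") or ""
    xff = header(event, "X-Forwarded-For")
    requested_with = header(event, "X-Requested-With")

    if path == LOGIN_PATH and event.get("method") == "POST":
        targets_default_account = (
            json_field(body, "user") == DEFAULT_ACCOUNT or DEFAULT_ACCOUNT in body
        )
        # Rule 1: login attempt for access-admin with a loopback hop in XFF.
        if xff and has_loopback_hop(xff) and targets_default_account:
            findings.append("xff_loopback_login_attempt")
        # Rule 3: X-Forwarded-For together with X-Requested-With: artUI on the
        # login endpoint. A trusted reverse proxy legitimately sets XFF, so the
        # rule is skipped for requests that arrive from a known proxy address.
        if (xff is not None and requested_with == "artUI"
                and event.get("src_ip") not in set(trusted_proxies)):
            findings.append("artui_xff_header_combo")
        # Rule 2: HTTP 200 login response whose body names access-admin.
        if (event.get("status") == 200
                and json_field(event.get("response_body"), "username") == DEFAULT_ACCOUNT):
            findings.append("bypass_success")

    # Rule 4: token issuance requested while authenticated as access-admin.
    if path.startswith(TOKEN_PATH_PREFIX) and event.get("auth_user") == DEFAULT_ACCOUNT:
        findings.append("access_admin_token_request")
    return findings


def scan(events: Iterable[dict], trusted_proxies: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Map event id -> matched rules, for events that matched at least one."""
    report: Dict[str, List[str]] = {}
    proxies = set(trusted_proxies)
    for event in events:
        hits = classify_event(event, proxies)
        if hits:
            report[event["id"]] = hits
    return report


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    {"id": "evt-1", "src_ip": "10.0.0.12", "method": "POST", "path": LOGIN_PATH,  # normal admin login
     "headers": {"Content-Type": "application/json"}, "auth_user": None,
     "body": '{"user":"admin","password":"<redacted>","type":"login"}',
     "status": 200, "response_body": '{"username": "admin"}'},
    {"id": "evt-2", "src_ip": "203.0.113.5", "method": "POST", "path": LOGIN_PATH,  # bypass pattern
     "headers": {"X-Forwarded-For": "127.0.0.1", "X-Requested-With": "artUI"}, "auth_user": None,
     "body": '{"user":"access-admin","password":"<redacted>","type":"login"}',
     "status": 200, "response_body": '{"username": "access-admin"}'},
    {"id": "evt-3", "src_ip": "203.0.113.5", "method": "POST", "path": TOKEN_PATH_PREFIX,  # post-exploitation
     "headers": {}, "auth_user": "access-admin", "body": "username=admin",
     "status": 200, "response_body": "{}"},
    {"id": "evt-4", "src_ip": "10.0.0.2", "method": "POST", "path": LOGIN_PATH,  # user via real proxy
     "headers": {"X-Forwarded-For": "198.51.100.7", "X-Requested-With": "artUI"}, "auth_user": None,
     "body": '{"user":"jdoe","password":"<redacted>","type":"login"}',
     "status": 200, "response_body": '{"username": "jdoe"}'},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

Running the block reports evt-2 under three rules, evt-3 under the token rule, and evt-1 not at all. Note that evt-4, an ordinary UI login that reached Artifactory through a legitimate reverse proxy, matches the header-combination rule as it is worded above; passing the proxy's address in `trusted_proxies` (or restricting that rule to loopback hops) removes that noise while keeping the loopback-spoofing and response-body rules intact.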
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-8h32-rch7-92w4 · ghsa_unreviewed · 2022-05-13 · CVE-2019-9733 [CRITICAL]
Title: An issue was discovered in JFrog Artifactory 6
Description: identical to the CVE description above.
VulnCheck
JFrog Artifactory 6.7.3 X-Forwarded-For HTTP Header access-admin Bypass
vulncheck · 2019 · CVSS 9.8 · CVE-2019-9733 [CRITICAL]
Description: identical to the CVE description above.
Affected: jfrog arti
No detection rules found.
Nuclei
JFrog Artifactory 6.7.3 - Admin Login Bypass
nuclei · CVSS 9.8 · CVE-2019-9733 [CRITICAL]
JFrog Artifactory 6.7.3 is vulnerable to an admin login bypass issue because by default the access-admin account is used to reset the password of the admin account. While this is only allowable from a connection directly from localhost, providing an X-Forwarded-For HTTP header to the request allows an unauthenticated user to login with the default credentials of the access-admin account while bypassing the whitelist of allowed IP addresses. The access-admin account can use Artifactory's API to request authentication tokens for all users including the admin account and, in turn, assume full control of all artifacts and repositories managed by Artifactory.
Template:
id: CVE-2019-9733
info:
  name: JFrog Artifactory 6.7.3 - Admin Login Bypass
  aut
References:
- http://packetstormsecurity.com/files/152172/JFrog-Artifactory-Administrator-Authentication-Bypass.html
- https://www.ciphertechs.com/jfrog-artifactory-advisory/
- https://www.jfrog.com/confluence/display/RTF/Release+Notes#ReleaseNotes-Artifactory6.8.6