CVE-2019-9733

Name of the Vulnerable Software and Affected Versions JFrog Artifactory version 6.7.3

Description An issue in JFrog Artifactory allows an unauthenticated user to login with the default credentials of the access-admin account by providing a X-Forwarded-For HTTP header to the request, bypassing the whitelist of allowed IP addresses. The access-admin account can use Artifactory's API to request authentication tokens for all users, including the admin account, and assume full control of all artifacts and repositories managed by Artifactory.

Recommendations For JFrog Artifactory version 6.7.3, consider disabling the access-admin account or restricting its access until a patch is available. As a temporary workaround, restrict access to the API endpoints that allow requesting authentication tokens for all users. Avoid using the default credentials of the access-admin account until the issue is resolved.