cvedb.io
CVE-2019-9733
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2019-04-11T19:29:01.440 · Last modified 2026-06-17T02:44:15.020

Summary

An issue was discovered in JFrog Artifactory 6.7.3. By default, the access-admin account is used to reset the password of the admin account in case an administrator gets locked out from the Artifactory console. This is only allowable from a connection directly from localhost, but providing a X-Forwarded-For HTTP header to the request allows an unauthenticated user to login with the default credentials of the access-admin account while bypassing the whitelist of allowed IP addresses. The access-admin account can use Artifactory's API to request authentication tokens for all users including the admin account and, in turn, assume full control of all artifacts and repositories managed by Artifactory.

Affected products

jfrog — artifactory

Does this affect you?

Add your gear to cvedb and we'll alert you only when jfrog ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.