CVE-2018-1000206

EUVD-2018-1879
JFrog Artifactory version since 5.11 contains a Cross ite Request Forgery (CSRF) vulnerability in UI rest endpoints that can result in Classic CSRF attack allowing an attacker to perform actions as logged in user. This attack appear to be exploitable via The victim must run maliciously crafted flash component. This vulnerability appears to have been fixed in 6.1.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 43%
Affected Products (NVD)
VendorProductVersion
jfrogartifactory
5.11.0 ≤
𝑥
< 6.1.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.geekboy.ninja/blog/exploiting-json-cross-site-request-forgery-csrf-using-flash/
https://www.jfrog.com/jira/browse/RTFACT-17004
https://www.jfrog.com/jira/secure/ReleaseNote.jspa?projectId=10070&version=19581
https://www.geekboy.ninja/blog/exploiting-json-cross-site-request-forgery-csrf-using-flash/
https://www.jfrog.com/jira/browse/RTFACT-17004
https://www.jfrog.com/jira/secure/ReleaseNote.jspa?projectId=10070&version=19581