CVE-2022-0573
Severity CVSS v4.0:
Pending analysis
Type:
CWE-502
Deserialization of Untrusted Dat
Publication date:
16/05/2022
Last modified:
25/05/2022
Description
JFrog Artifactory before 7.36.1 and 6.23.41, is vulnerable to Insecure Deserialization of untrusted data which can lead to DoS, Privilege Escalation and Remote Code Execution when a specially crafted request is sent by a low privileged authenticated user due to insufficient validation of a user-provided serialized object.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Base Score 2.0
6.50
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:* | 6.0.0 (including) | 6.23.41 (excluding) |
| cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:* | 7.0.0 (including) | 7.17.16 (excluding) |
| cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:* | 7.18.0 (including) | 7.18.12 (excluding) |
| cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:* | 7.19.0 (including) | 7.19.13 (excluding) |
| cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:* | 7.21.0 (including) | 7.21.25 (excluding) |
| cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:* | 7.25.0 (including) | 7.25.9 (excluding) |
| cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:* | 7.27.0 (including) | 7.27.15 (excluding) |
| cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:* | 7.29.0 (including) | 7.29.10 (excluding) |
| cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:* | 7.31.0 (including) | 7.31.16 (excluding) |
| cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:* | 7.33.0 (including) | 7.33.12 (excluding) |
| cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:* | 7.34.0 (including) | 7.34.4 (excluding) |
| cpe:2.3:a:jfrog:artifactory:7.35.0:*:*:*:*:-:*:* | ||
| cpe:2.3:a:jfrog:artifactory:7.36.0:*:*:*:*:-:*:* |
To consult the complete list of CPE names with products and versions, see this page