Vulnerability-Lookup

CNVD-2020-17351

Vulnerability from cnvd - Published: 2020-03-17

Title

JFrog Artifactory FreeMarker模板注入漏洞

Description

Artifactory是JFrog出品的全功能构件管理器。 Artifactory FreeMarker存在模板注入漏洞，攻击者可利用该漏洞在Artifactory实例上读写任意文件并执行代码。

Severity

中

Patch Name

JFrog Artifactory FreeMarker模板注入漏洞的补丁

Patch Description

Artifactory是JFrog出品的全功能构件管理器。 Artifactory FreeMarker存在模板注入漏洞，攻击者可利用该漏洞在Artifactory实例上读写任意文件并执行代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布相关漏洞补丁链接，请关注厂商主页随时更新： https://bintray.com/jfrog/artifactory-pro/jfrog-artifactory-pro-zip

Reference

https://jfrog.com/artifactory/ https://github.com/atredispartners/advisories/blob/master/ATREDIS-2019 -0006.md https://www.zoomeye.org/searchResult?q=%22artifactory.ui%22 https://github.com/gquere/CVE-2020-7931/

Impacted products

Name
['JFrog Artifactory Pro <5.11.8', 'JFrog Artifactory Pro <6.1.6', 'JFrog Artifactory Pro <6.3.9', 'JFrog Artifactory Pro <6.7.8', 'JFrog Artifactory Pro <6.8.17', 'JFrog Artifactory Pro <6.9.6', 'JFrog Artifactory Pro <6.10.9', 'JFrog Artifactory Pro <6.11.7', 'JFrog Artifactory Pro <6.12.3', 'JFrog Artifactory Pro <6.13.2', 'JFrog Artifactory Pro <6.14.2', 'JFrog Artifactory Pro <6.15.1', 'JFrog Artifactory Pro <6.16.0']

Name

['JFrog Artifactory Pro <5.11.8', 'JFrog Artifactory Pro <6.1.6', 'JFrog Artifactory Pro <6.3.9', 'JFrog Artifactory Pro <6.7.8', 'JFrog Artifactory Pro <6.8.17', 'JFrog Artifactory Pro <6.9.6', 'JFrog Artifactory Pro <6.10.9', 'JFrog Artifactory Pro <6.11.7', 'JFrog Artifactory Pro <6.12.3', 'JFrog Artifactory Pro <6.13.2', 'JFrog Artifactory Pro <6.14.2', 'JFrog Artifactory Pro <6.15.1', 'JFrog Artifactory Pro <6.16.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-7931"
    }
  },
  "description": "Artifactory\u662fJFrog\u51fa\u54c1\u7684\u5168\u529f\u80fd\u6784\u4ef6\u7ba1\u7406\u5668\u3002\n\nArtifactory FreeMarker\u5b58\u5728\u6a21\u677f\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728Artifactory\u5b9e\u4f8b\u4e0a\n\u8bfb\u5199\u4efb\u610f\u6587\u4ef6\u5e76\u6267\u884c\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u76f8\u5173\u6f0f\u6d1e\u8865\u4e01\u94fe\u63a5\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u968f\u65f6\u66f4\u65b0\uff1a\r\nhttps://bintray.com/jfrog/artifactory-pro/jfrog-artifactory-pro-zip",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-17351",
  "openTime": "2020-03-17",
  "patchDescription": "Artifactory\u662fJFrog\u51fa\u54c1\u7684\u5168\u529f\u80fd\u6784\u4ef6\u7ba1\u7406\u5668\u3002\r\n\r\nArtifactory FreeMarker\u5b58\u5728\u6a21\u677f\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728Artifactory\u5b9e\u4f8b\u4e0a\r\n\u8bfb\u5199\u4efb\u610f\u6587\u4ef6\u5e76\u6267\u884c\u4ee3\u7801\u3002\r\n \u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "JFrog Artifactory FreeMarker\u6a21\u677f\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "JFrog Artifactory Pro \u003c5.11.8",
      "JFrog Artifactory Pro \u003c6.1.6",
      "JFrog Artifactory Pro \u003c6.3.9",
      "JFrog Artifactory Pro \u003c6.7.8",
      "JFrog Artifactory Pro \u003c6.8.17",
      "JFrog Artifactory Pro \u003c6.9.6",
      "JFrog Artifactory Pro \u003c6.10.9",
      "JFrog Artifactory Pro \u003c6.11.7",
      "JFrog Artifactory Pro \u003c6.12.3",
      "JFrog Artifactory Pro \u003c6.13.2",
      "JFrog Artifactory Pro  \u003c6.14.2",
      "JFrog Artifactory Pro \u003c6.15.1",
      "JFrog Artifactory Pro \u003c6.16.0"
    ]
  },
  "referenceLink": "https://jfrog.com/artifactory/ \r\nhttps://github.com/atredispartners/advisories/blob/master/ATREDIS-2019\r\n-0006.md \r\nhttps://www.zoomeye.org/searchResult?q=%22artifactory.ui%22 \r\nhttps://github.com/gquere/CVE-2020-7931/",
  "serverity": "\u4e2d",
  "submitTime": "2020-03-17",
  "title": "JFrog Artifactory FreeMarker\u6a21\u677f\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2020-7931 (GCVE-0-2020-7931)

Vulnerability from cvelistv5 – Published: 2020-01-23 14:27 – Updated: 2024-08-04 09:48

Summary

In JFrog Artifactory 5.x and 6.x, insecure FreeMarker template processing leads to remote code execution, e.g., by modifying a .ssh/authorized_keys file. Patches are available for various versions between 5.11.8 and 6.16.0. The issue exists because use of the DefaultObjectWrapper class makes certain Java functions accessible to a template.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://github.com/atredispartners/advisories/blo…	x_refsource_MISC
	https://www.jfrog.com/confluence/display/RTF/Rele…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:48:24.610Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/atredispartners/advisories/blob/master/ATREDIS-2019-0006.md"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.jfrog.com/confluence/display/RTF/Release+Notes"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In JFrog Artifactory 5.x and 6.x, insecure FreeMarker template processing leads to remote code execution, e.g., by modifying a .ssh/authorized_keys file. Patches are available for various versions between 5.11.8 and 6.16.0. The issue exists because use of the DefaultObjectWrapper class makes certain Java functions accessible to a template."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-01-23T14:32:50",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/atredispartners/advisories/blob/master/ATREDIS-2019-0006.md"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.jfrog.com/confluence/display/RTF/Release+Notes"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-7931",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In JFrog Artifactory 5.x and 6.x, insecure FreeMarker template processing leads to remote code execution, e.g., by modifying a .ssh/authorized_keys file. Patches are available for various versions between 5.11.8 and 6.16.0. The issue exists because use of the DefaultObjectWrapper class makes certain Java functions accessible to a template."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/atredispartners/advisories/blob/master/ATREDIS-2019-0006.md",
              "refsource": "MISC",
              "url": "https://github.com/atredispartners/advisories/blob/master/ATREDIS-2019-0006.md"
            },
            {
              "name": "https://www.jfrog.com/confluence/display/RTF/Release+Notes",
              "refsource": "MISC",
              "url": "https://www.jfrog.com/confluence/display/RTF/Release+Notes"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-7931",
    "datePublished": "2020-01-23T14:27:25",
    "dateReserved": "2020-01-23T00:00:00",
    "dateUpdated": "2024-08-04T09:48:24.610Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-17351

CVE-2020-7931 (GCVE-0-2020-7931)

Tags

Sightings

Nomenclature