@jpasski@infosec.exchange
Lol, looks like JFrog finally disclosed CVE-2022-0668 [1]. @matthias_kaiser@infosec.exchange and I found that around a year ago, along with CVE-2022-0573 [2]. Coupled together, we could get unauth RCE on Artifactory 🔥
Funny how they marked the RCE as being as severe as a blind SQLi, a “High” 🤪
In neither case were we told the issues were fixed… 🙈
🙉
🙊
1. https://www.jfrog.com/confluence/display/JFROG/CVE-2022-0668%3A+Artifactory+Authentication+Bypass
2. https://www.jfrog.com/confluence/display/JFROG/CVE-2022-0573%3A+Artifactory+Vulnerable+to+Deserialization+of+Untrusted+Data