CVE-2020-7931 Information
Feb 14, 2021
cve
Description
In JFrog Artifactory 5.x and 6.x insecure FreeMarker template processing leads to remote code execution e.g. by modifying a .ssh/authorized_keys file. Patches are available for various versions between 5.11.8 and 6.16.0. The issue exists because use of the DefaultObjectWrapper class makes certain Java functions accessible to a template.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Reference
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2019-0006.md https://www.jfrog.com/confluence/display/RTF/Release+Notes
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
LOW
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
HIGH
Base Severity
8.8
Share on: