Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-14222 PoC — Alfresco Software Alfresco Community Edition 加密问题漏洞

Source
https://github.com/mbadanoiu/CVE-2019-14222
Associated Vulnerability
Title:Alfresco Software Alfresco Community Edition 加密问题漏洞 (CVE-2019-14222)
Description:An issue was discovered in Alfresco Community Edition versions 6.0 and lower. An unauthenticated, remote attacker could authenticate to Alfresco's Solr Web Admin Interface. The vulnerability is due to the presence of a default private key that is present in all default installations. An attacker could exploit this vulnerability by using the extracted private key and bundling it into a PKCS12. A successful exploit could allow the attacker to gain information about the target system (e.g., OS type, system file locations, Java version, Solr version, etc.) as well as the ability to launch further attacks by leveraging the access to Alfresco's Solr Web Admin Interface.
Description
 CVE-2019-14222: Default Certificate in Alfresco Community
Readme
# CVE-2019-14222: Default Certificate in Alfresco Community

Alfresco Community 5.x and below ships by default with a set of known private certificates. Anyone who downloads and installs the Alfresco Community software on a local machine gets access to these files.

Once obtained, these private keys can be used to:
- Gain access to Solr (which uses x509 certificate authentication)
- Launch active MITM attacks using a trusted Alfresco Certificate
- Launch passive decryption attacks if Non-Ephemeral ciphers are used

### NVD Disclosure:

The disclosure for this vulnerability can be found [here](https://nvd.nist.gov/vuln/detail/CVE-2019-14222).

### Requirements:

This vulnerability requires:
<br/>
- That the Alfresco appliaction uses the default SSL/TLS certificates

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2019-14222/blob/main/Alfresco%20-%20CVE-2019-14222.pdf).
File Snapshot

 [4.0K]  /data/pocs/54abca4ca9032da5b2d053fe9a557d0ab81ed862
├── [1.3M]  Alfresco - CVE-2019-14222.pdf
└── [ 958]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →