CVE-2021-23163: Cross-Site Request Forgery on REST using Basic Auth

JFrog Release Information


CVE ID: CVE-2021-23163
Severity: LOW
Date Published: 07/05/2022
Date Updated: 07/05/2022

Description

JFrog Artifactory prior to versions 7.33.6 and 6.23.38 is vulnerable to CSRF (Cross-Site Request Forgery) on specific endpoints.

Severity: LOW

CVSSv3.1 Score: 3.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Affected Products

Product            Affected Versions   Patched Versions
Artifactory (7.x)  < 7.33.6            7.33.6
Artifactory (6.x)  < 6.23.38           6.23.38
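To turn the affected-version table above into a repeatable check, the following added example (not JFrog's own tooling) classifies an Artifactory version string against the two patched baselines. It assumes the version is read from the JSON returned by Artifactory's system version REST endpoint (GET /artifactory/api/system/version); the sample response below is constructed, not captured from a real instance.

```python
import json
import re

# Patched baselines from the advisory, keyed by major branch.
PATCHED_VERSIONS = {
    7: (7, 33, 6),
    6: (6, 23, 38),
}


def parse_version(text):
    """Turn '7.33.5' (also '7.33.5-m001' or '6.23.38.1') into a comparable (major, minor, patch) tuple."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised Artifactory version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True if the version is in a branch covered by CVE-2021-23163 and predates its fix.

    Returns None for branches the advisory does not list (e.g. 5.x), so the caller
    can distinguish 'out of scope' from 'patched'.
    """
    version = parse_version(version_text)
    patched = PATCHED_VERSIONS.get(version[0])
    if patched is None:
        return None
    return version < patched


def check_system_version_response(body):
    """Evaluate the JSON body of GET /artifactory/api/system/version (shape assumed)."""
    version = json.loads(body)["version"]
    return version, is_affected(version)


# Constructed sample response for a hypothetical instance one patch release behind the fix.
SAMPLE_RESPONSE = '{"version": "7.33.5", "revision": "73305900", "license": "placeholder"}'

if __name__ == "__main__":
    version, affected = check_system_version_response(SAMPLE_RESPONSE)
    status = {True: "AFFECTED - upgrade", False: "patched", None: "not in advisory scope"}[affected]
    print(f"Artifactory {version}: {status}")
```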

Required Configuration for Exposure

This vulnerability affects JFrog Artifactory deployments.

This issue requires a user to enter their credentials in a WWW-Authenticate negotiation, or to have accessed some of the Artifactory REST APIs using basic credentials in the URL (user:pass@artifactory-domain).

How to fix

Cloud Environments

Affected Cloud environments have already been fortified with a fixed version. No action is required for cloud instances.

Self Hosted Environments

Fixing this issue requires action on your part.

Upgrade your version of Artifactory or Edge to one of the versions listed below:

Product            Version             Link
Artifactory (7.x)  7.33.6 and above    https://releases.jfrog.io
Artifactory (6.x)  6.23.38 and above   https://releases.jfrog.io

Workarounds and Mitigations

There aren’t any suggested workarounds to this issue besides upgrading to a fixed version.

Weakness Type

CWE-352: Cross-Site Request Forgery (CSRF)

Acknowledgements

This issue was discovered and reported by Maxime Escourbiac and Maxence Schmitt at Michelin CERT.

We Are Here For Your Questions (JFrog Support Team)

If you have questions or concerns regarding this advisory, please raise a support request at the JFrog support portal.