CVE ID | Severity | Date Published | Date Updated |
---|---|---|---|
CVE-2021-3860 | HIGH | 12/15/2021 | 12/15/2021 |
Description
JFrog Artifactory prior to 7.25.4 (Enterprise+ subscriptions only), is vulnerable to Blind SQL Injection by a low privileged authenticated user due to incomplete validation when performing an SQL query.
Severity: HIGH
CVSSv3 Score: 8.8 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products
Product | Affected Versions | Patched Versions |
---|---|---|
Artifactory (7.x) | < 7.25.4 | 7.24.7, 7.23.8, 7.21.14, 7.19.12, 7.18.11, 7.17.14, 7.12.10, 7.11.8 |
Artifactory (6.x) | < 6.23.30 | Latest version of 6.23.x |
Required Configuration for Exposure
This vulnerability affects JFrog Artifactory and JFrog edge deployments with Enterprise+ subscriptions only.
This issue requires an attacker to have authenticated access to JFrog Artifactory.
Note
If your environment permits anonymous access, there is a higher potential of exposure to the vulnerability.
How to fix
Cloud Environments
Affected Cloud environments have already been fortified with a fixed version. No action is required for cloud instances.
Self Hosted Environments
Fixing this issue requires action on your part.
Upgrade your version of Artifactory or Edge to one of the versions listed below:
Product | Version | Link |
---|---|---|
Artifactory (7.x) | Latest | |
Artifactory (7.x) | 7.24.7 | |
Artifactory (7.x) | 7.23.8 | |
Artifactory (7.x) | 7.21.14 | |
Artifactory (7.x) | 7.19.12 | |
Artifactory (7.x) | 7.18.11 | |
Artifactory (7.x) | 7.17.14 | |
Artifactory (7.x) | 7.12.10 | |
Artifactory (7.x) | 7.11.8 | |
Artifactory (6.x) | Latest 6.23.x version | |
Workarounds and Mitigations
You can mitigate the impact of this issue by following best practices and disabling anonymous access to the JFrog Platform. Please review the best practices for disabling anonymous access in the JFrog knowledge base.
Note
Anonymous Access is disabled by default for new Artifactory and Edge installations starting from versions 6.12.0 and 7.0.0.
Exploitation Status
JFrog is not aware of publicly available exploits and malicious exploitation attempts.
Weakness Type
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').
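The advisory describes the root cause as incomplete validation of input used in an SQL query. The following added example (not JFrog's code, and not derived from Artifactory's implementation) illustrates the CWE-89 pattern in general terms: a hypothetical blocklist validator that rejects quote characters but still lets an unquoted numeric parameter alter the statement, beside the hardened form that binds the value as a query parameter so the SQL text is fixed and the input is treated purely as data. The `users` table, its rows and the `incomplete_validation` check are all constructed for this example.

```python
import sqlite3

# Constructed sample data standing in for an application database.
SAMPLE_USERS = [(1, "alice", "admin"), (2, "bob", "reader"), (3, "carol", "reader")]


def _connect() -> sqlite3.Connection:
    """Build a throwaway in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def incomplete_validation(value: str) -> str:
    """Hypothetical blocklist check: rejects quotes and semicolons, nothing else.

    Passing this check does not make a value safe to splice into SQL text;
    it only stops one class of payload, which is the sense in which such
    validation is 'incomplete'.
    """
    if any(ch in value for ch in "'\";"):
        raise ValueError("rejected by blocklist")
    return value


def lookup_vulnerable(user_id: str) -> list:
    """CWE-89: the validated string is concatenated into the statement.

    Because the id column is numeric, the value is not quoted, so a value
    containing SQL operators changes the WHERE clause even though it
    contains no quote characters.
    """
    conn = _connect()
    sql = "SELECT name FROM users WHERE id = " + incomplete_validation(user_id)
    return sorted(row[0] for row in conn.execute(sql))


def lookup_hardened(user_id: str) -> list:
    """Parameterised query: the SQL text is constant and the input is bound as data."""
    conn = _connect()
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return sorted(row[0] for row in rows)


def row_exists(lookup, user_id: str) -> bool:
    """Blind-style observable: the caller only learns whether any row matched.

    Even this single bit differs between the two implementations for a
    crafted value, which is what makes the flaw exploitable 'blindly'.
    """
    return len(lookup(user_id)) > 0


if __name__ == "__main__":
    for value in ("2", "1 OR 1=1"):
        print(f"{value!r}: vulnerable={lookup_vulnerable(value)} hardened={lookup_hardened(value)}")
```

For the benign input `"2"` both functions return the same row; for an input carrying an SQL operator the concatenating version returns every row while the parameterised version returns nothing, because SQLite compares the bound text against the numeric column and finds no match. The fix is the parameter binding, not a longer blocklist.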
Acknowledgements
This issue was discovered and reported by a JFrog customer.
We Are Here For Your Questions (JFrog Support Team)
If you have questions or concerns regarding this advisory, please raise a support request at the JFrog support portal.