CVE ID | Severity | Date Published | Date Updated |
---|---|---|---|
 | MEDIUM | 03/02/2022 | 03/02/2022 |
Description
JFrog Artifactory prior to 7.29.3 and 6.23.38 is vulnerable to Broken Access Control: a low-privileged user is able to delete other known users' OAuth tokens, which forces re-authentication on an active session or in the next UI session.
Severity: MEDIUM
CVSSv3.1 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
Affected Products
Product | Affected Versions | Patched Versions |
---|---|---|
Artifactory (7.x) | < 7.29.3 | 7.29.3 |
Artifactory (6.x) | < 6.23.38 | 6.23.38 |
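A common triage mistake with version ranges like these is comparing version strings lexicographically, which would wrongly rank 7.3.0 above 7.29.3. The following is an added example, not part of the advisory, that encodes the two fixed versions from the table above and checks an Artifactory version numerically per release line. It assumes versions are reported as `MAJOR.MINOR.PATCH` with any trailing suffix ignorable (an assumption about the version format, not something the advisory states); release lines other than 6.x and 7.x are reported as not covered rather than guessed at.

```python
import re
from typing import Optional

# Fixed versions from the advisory's Affected Products table, keyed by release line.
FIXED_VERSIONS = {
    7: (7, 29, 3),
    6: (6, 23, 38),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH' into a tuple of ints.

    Assumption: any suffix after the patch number is ignored for the comparison.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(text: str) -> Optional[bool]:
    """True if the version is below the fixed version for its release line.

    Returns None when the release line is not covered by this advisory,
    so the caller can flag it for manual review instead of silently passing it.
    """
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    # Tuple comparison is numeric, element by element: (7, 3, 0) < (7, 29, 3).
    return version < fixed


def triage(inventory: dict) -> dict:
    """Map instance name -> 'affected' | 'fixed' | 'not covered' for a version inventory."""
    result = {}
    for name, version in inventory.items():
        verdict = is_affected(version)
        result[name] = "not covered" if verdict is None else ("affected" if verdict else "fixed")
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"artifactory-prod": "7.29.3", "artifactory-ci": "7.3.0", "artifactory-legacy": "6.23.37"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {sample[host]} -> {verdict}")
```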
Required Configuration for Exposure
This vulnerability affects JFrog Artifactory deployments.
This vulnerability requires authenticated access to JFrog Artifactory and guessing the username of another user, as well as an OAuth token.
How to fix
Cloud Environments
Affected Cloud environments have already been fortified with a fixed version. No action is required for cloud instances.
Self Hosted Environments
To fix this issue, action is required.
Upgrade your Artifactory version to one of the versions listed below:
Product | Version | Link |
---|---|---|
Artifactory (7.x) | 7.29.3 | |
Artifactory (6.x) | 6.23.38 | |
Workarounds and Mitigations
There aren’t any suggested workarounds to this issue besides upgrading to a fixed version.
Weakness Type
CWE-284: Improper Access Control
Acknowledgements
Maxime Escourbiac and Maxence Schmitt at Michelin CERT.
We Are Here For Your Questions (JFrog Support Team)
If you have questions or concerns regarding this advisory, please raise a support request at the JFrog support portal.