CVE-2022-0573: Artifactory Vulnerable to Deserialization of Untrusted Data

JFrog Release Information

Content Type
Release Notes
ft:sourceType
Paligo

CVE ID

Severity

Date Published

Date Updated

CVE-2022-0573

HIGH

12/5/2022

Description

JFrog Artifactory prior to 7.36.1 and 6.23.41, is vulnerable to Insecure Deserialization of untrusted data which can lead to DoS, Privilege Escalation and Remote Code Execution when a specially crafted request is sent by a low privileged authenticated user due to insufficient validation of a user-provided serialized object.

Severity: HIGH

CVSSv3.1 Base Score:8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

Product

Affected Versions

Patched Versions

Artifactory (7.x)

< 7.36.1

  • 7.17.16

  • 7.18.12

  • 7.19.13

  • 7.21.25

  • 7.25.9

  • 7.27.15

  • 7.29.10

  • 7.31.16

  • 7.33.12

  • 7.34.4

  • 7.35.1

  • 7.36.1

Artifactory (6.x)

< 6.23.41

6.23.41

Required Configuration for Exposure

This vulnerability affects JFrog Artifactory deployments.

This issue requires an attacker to have authenticated access to JFrog Artifactory.

If your environment permits anonymous access, there is a higher potential of exposure to the vulnerability.

How to fix

Cloud Environments

Affected Cloud environments have already been fortified with a fixed version. No action is required for cloud instances.

Self Hosted Environments

To fix this issue, there is required action.

Upgrade your Artifactory version to one of the versions listed below:

Product

Version

Link

Artifactory (7.x)

latest

https://releases.jfrog.io

Artifactory (7.x)

7.17.16

https://releases.jfrog.io

Artifactory (7.x)

7.18.12

https://releases.jfrog.io

Artifactory (7.x)

7.19.13

https://releases.jfrog.io

Artifactory (7.x)

7.21.25

https://releases.jfrog.io

Artifactory (7.x)

7.25.9

https://releases.jfrog.io

Artifactory (7.x)

7.27.15

https://releases.jfrog.io

Artifactory (7.x)

7.29.10

https://releases.jfrog.io

Artifactory (7.x)

7.31.16

https://releases.jfrog.io

Artifactory (7.x)

7.33.12

https://releases.jfrog.io

Artifactory (7.x)

7.34.3

https://releases.jfrog.io

Artifactory (7.x)

7.35.1

https://releases.jfrog.io

Artifactory (7.x)

7.36.1

https://releases.jfrog.io

Artifactory (6.x)

Latest 6.23.x version

https://releases.jfrog.io

Workarounds and Mitigations

You can mitigate the impact of this issue by following best practices and disabling anonymous access to the JFrog Platform. Please review the best practices for disabling anonymous access in the JFrog Knowledge Base.

Note

Anonymous Access is disabled by default for new Artifactory and Edge installations starting from versions 6.12.0 and 7.0.0.

Weakness Type

CWE-502: Deserialization of Untrusted Data

Acknowledgements

This issue was discovered and reported by Matthias Kaiser and Jonni Passki of Apple Information Security.

We Are Here For Your Questions (JFrog Support Team)

If you have questions or concerns regarding this advisory, please raise a support request at JFrog support portal.