CVE-2022-0668: Artifactory Authentication Bypass

JFrog Release Information

Content Type
Release Notes
ft:sourceType
Paligo

CVE ID

Severity

Date Published

Date Updated

CVE-2022-0668

MEDIUM

02/01/2023

02/01/2023

Description

JFrog Artifactory prior to 7.37.13 is vulnerable to Authentication Bypass, which can lead to Privilege Escalation when a specially crafted request is sent by an unauthenticated user.

Severity: MEDIUM

CVSSv3 Score: 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products

Product

Affected Versions

Patched Versions

Artifactory (7.x)

< 7.37.13

7.37.13

Artifactory (6.x)

< 6.23.41

Latest version of 6.23.x

Required Configuration for Exposure

This vulnerability affects all JFrog Artifactory deployments.

How to fix

Cloud Environments

Affected Cloud environments have already been fortified with a fixed version. No action is required for cloud instances.

Self Hosted Environments

To fix this issue, there is required action.

Upgrade your version of Artifactory or Edge to one of the versions listed below:

Product

Version

Link

Artifactory (7.x)

7.37.13

https://releases.jfrog.io

Exploitation Status

JFrog is not aware of publicly available exploits and malicious exploitation attempts.

Weakness Type

CWE-274: Improper Handling of Insufficient Privileges.

Acknowledgements

This issue was discovered and reported by Matthias Kaiser and Jonni Passki of Apple Information Security.

We Are Here For Your Questions (JFrog Support Team)

If you have questions or concerns regarding this advisory, please raise a support request at JFrog support portal.