CVE-2023-42508: JFrog Artifactory Improper Header Input Validation

JFrog Release Information

CVE ID: CVE-2023-42508
Severity: MEDIUM
Date Published: 10/04/2023
Date Updated: 10/04/2023

Description

JFrog Artifactory prior to version 7.66.0 is vulnerable to abuse of a specific endpoint with a specially crafted payload, which can allow unauthenticated users to send emails with a manipulated email body.

Severity: Medium

CVSSv3.1 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

Affected Products

Product: Artifactory (7.x)
Affected Versions: < 7.66.0
Patched Versions: 7.66.0 (SaaS), 7.68.7 (On-prem)

Required Configuration for Exposure

This vulnerability affects all JFrog Artifactory deployments.

How to Fix

How to fix depends upon your environment, as follows:

  • Cloud Environments

  • Self Hosted Environments

Cloud Environments

Affected Cloud environments have already been updated to a fixed version. No action is required for cloud instances.

Self Hosted Environments

Fixing this issue requires action on your part.

Upgrade your version of Artifactory or Edge to one of the patched versions listed in the Affected Products table above.
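To check a self-hosted instance against this advisory's version thresholds, here is a small helper that is an added example and not JFrog's own code; the thresholds come from the Affected Products table, while the system-version API response is a constructed sample and the endpoint's JSON shape (a top-level "version" string) is an assumption.

```python
import json
import re

# Thresholds copied from this advisory's Affected Products table.
AFFECTED_BELOW = (7, 66, 0)                   # Affected Versions: < 7.66.0
PATCHED = {"saas": (7, 66, 0),                # 7.66.0 (SaaS)
           "on-prem": (7, 68, 7)}             # 7.68.7 (On-prem)


def parse_version(text):
    """Turn '7.65.2' (a trailing build suffix is ignored) into a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Artifactory version: {text!r}")
    return tuple(int(part) for part in m.groups())


def version_from_api(body):
    """Extract the version from the JSON body of GET /artifactory/api/system/version.
    Assumption: the response carries a top-level 'version' string."""
    return parse_version(json.loads(body)["version"])


def assess(version_text, deployment):
    """Return (affected, needs_upgrade, target) for one instance.

    affected      -> version is inside the advisory's Affected Versions range
    needs_upgrade -> version is below the Patched Version listed for this
                     deployment type ('saas' or 'on-prem'); target is that version
    """
    version = parse_version(version_text)
    if version[0] != 7:
        raise ValueError("the advisory table only covers Artifactory 7.x")
    patched = PATCHED[deployment]
    affected = version < AFFECTED_BELOW
    needs_upgrade = version < patched
    target = ".".join(map(str, patched)) if needs_upgrade else None
    return affected, needs_upgrade, target


if __name__ == "__main__":
    # Constructed sample response; not captured from a real instance.
    sample = '{"version": "7.65.2", "revision": "76502900"}'
    found = ".".join(map(str, version_from_api(sample)))
    print(found, assess(found, "on-prem"))   # prints: 7.65.2 (True, True, '7.68.7')
```

Note that an on-prem build between 7.66.0 and 7.68.6 is outside the table's Affected Versions range but still below the listed on-prem patched version, so the helper reports it as needing an upgrade without calling it affected.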

Workarounds and Mitigations

No workarounds.

Weakness Type

CWE-20: Improper Input Validation.

Acknowledgements

This issue was discovered and reported by Iddo Eldor from Blindspot Security.

We Are Here For Your Questions (JFrog Support Team)

If you have questions or concerns regarding this advisory, please raise a support request at the JFrog Support Portal.