CVE-2023-42508: JFrog Artifactory Improper Header Input Validation

JFrog Release Information

Content Type
Release Notes
ft:sourceType
Paligo

CVE ID

Severity

Date Published

Date Updated

CVE-2023-42508

MEDIUM

10/04/2023

10/04/2023

Description

JFrog Artifactory prior to version 7.66.0 is vulnerable to specific endpoint abuse with a specially crafted payload, which can lead to unauthenticated users being able to send emails with manipulated email body.

Severity: Medium

CVSSv3.1 Base Score: 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Affected Products

Product

Affected Versions

Patched Versions

Artifactory (7.x)

< 7.66.0

7.66.0 (SaaS)

7.68.7 (On-prem)

Required Configuration for Exposure

This vulnerability affects all JFrog Artifactory deployments.

How to Fix

How to fix depends upon your environment, as follows:

  • Cloud Environments

  • Self Hosted Environments

Cloud Environments

Affected Cloud environments have already been fortified with a fixed version. No action is required for cloud instances.

Self Hosted Environments

To fix this issue, there is required action.

Upgrade your version of Artifactory or Edge to one of the versions listed below:

Workarounds and Mitigations

No work arounds.

Weakness Type

CWE-20: Improper Input Validation.

Acknowledgements

This issue was discovered and reported by Iddo Eldor from Blindspot Security.

We Are Here For Your Questions (JFrog Support Team)

If you have questions or concerns regarding this advisory, please raise a support request at JFrog support portal.