CVE-2023-42509: JFrog Artifactory Sensitive Data Leakage in Repository Configuration Process

JFrog Release Information

CVE ID: CVE-2023-42509
Severity: Medium
Date Published: 7 Mar 24
Date Updated: 7 Mar 24

Description

JFrog Artifactory versions later than 7.17.4 but prior to 7.77.0 are vulnerable to an issue in which a sequence of improperly handled exceptions during the repository configuration initialization steps may lead to exposure of sensitive data.

Severity

Medium

CVSSv3.1 Base Score: 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products

Product: Artifactory (7.x)

Affected Versions: 7.17.4 and later but prior to version 7.77.0

Patched Versions:

  • 7.77.0 and higher (SaaS)

  • 7.77.3 and higher (On-prem)

Required Configurations for Exposure

This vulnerability affects all JFrog Artifactory deployments.

How to Fix

Cloud Environments: Affected Cloud environments have already been upgraded with a fixed version. No action is required for cloud instances.

Self-Hosted Environments: To fix this issue, the following action is required.

Upgrade your version of Artifactory to one of the patched versions listed under Affected Products above (7.77.3 and higher for on-prem deployments).
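As an added triage helper (not JFrog code), the following script encodes the version boundaries this advisory states and classifies an inventory of instances as patched, affected, or outside both listed ranges; it assumes dotted-integer Artifactory version strings, an optional "-build" suffix, and the constructed hostnames shown.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Boundaries as given in the advisory's Affected Products table
AFFECTED_FROM: Version = (7, 17, 4)    # "7.17.4 and later"
AFFECTED_BEFORE: Version = (7, 77, 0)  # "prior to version 7.77.0"
FIXED_SAAS: Version = (7, 77, 0)
FIXED_ON_PREM: Version = (7, 77, 3)

def parse_version(text: str) -> Version:
    """Turn "7.77.3", "7.77.3-1" or "7.77" into an int tuple (missing parts -> 0)."""
    parts = tuple(int(p) for p in text.strip().split("-", 1)[0].split("."))
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    return parts + (0,) * (3 - len(parts))

def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_FROM <= parse_version(version) < AFFECTED_BEFORE

def is_patched(version: str, on_prem: bool = True) -> bool:
    """True when the version meets the fix threshold for its deployment type."""
    return parse_version(version) >= (FIXED_ON_PREM if on_prem else FIXED_SAAS)

def triage(version: str, on_prem: bool = True) -> str:
    """Return 'patched', 'affected' or 'not_listed'.

    'not_listed' flags versions the advisory's ranges do not cover: anything
    below 7.17.4, or e.g. 7.77.1 on-prem (past the affected range but below
    the 7.77.3 on-prem fix), which deserves a manual check rather than a pass.
    """
    if is_patched(version, on_prem):
        return "patched"
    return "affected" if is_affected(version) else "not_listed"

def triage_inventory(lines: List[str]) -> Dict[str, str]:
    """Map host -> status from 'host,version,deployment' CSV lines."""
    out: Dict[str, str] = {}
    for line in lines:
        host, version, deployment = (f.strip() for f in line.split(","))
        out[host] = triage(version, on_prem=deployment.lower() == "on-prem")
    return out

SAMPLE_INVENTORY = [  # constructed sample; hostnames and versions are made up
    "artifactory-prod.example.internal, 7.55.10, on-prem",
    "artifactory-lab.example.internal, 7.77.1, on-prem",
]
```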

Workarounds and Mitigations

No workarounds

Weakness Type

CWE-755: Improper Handling of Exceptional Conditions

Acknowledgements

This issue was discovered and reported by Matthias Kaiser from Apple Information Security.

We Are Here For Your Questions (JFrog Support Team)

If you have questions or concerns regarding this advisory, please raise a support request at the JFrog support portal.