CVE-2023-42661: JFrog Artifactory Improper Input Validation Leads to Arbitrary File Write


CVE ID: CVE-2023-42661
Severity: High
Date Published: 7 Mar 2024
Date Updated: 7 Mar 2024

Description

JFrog Artifactory prior to version 7.76.2 is vulnerable to Arbitrary File Write of untrusted data, which may lead to DoS or Remote Code Execution when a specially crafted series of requests is sent by an authenticated user. This is due to insufficient validation of artifacts.

Severity

High

CVSSv3.1 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products

Product: Artifactory (7.x)
Affected Version: Earlier than 7.76.2
Patched Version: 7.76.2 or later (SaaS); 7.77.3 or later (On-prem)

Required Configuration for Exposure

This vulnerability affects all JFrog Artifactory deployments running an affected version; no particular configuration is needed for exposure. Exploitation does require an authenticated user, and the CVSS vector rates the required privileges as High (PR:H).

How to Fix

Cloud Environments: Affected Cloud environments have already been updated with a fixed version. No action is required for cloud instances.

Self-Hosted Environments: To fix this issue, upgrade Artifactory to 7.77.3 or later, the patched on-prem version listed under Affected Products above.
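The upgrade instruction above assumes you know which version each instance is running. The following is an added example, not JFrog's own tooling, that compares the version reported by an Artifactory instance against the patched releases this advisory lists (7.76.2 for SaaS, 7.77.3 for on-prem). It assumes the standard Artifactory endpoint GET /artifactory/api/system/version is reachable; the sample JSON body at the bottom is constructed for the demonstration, so the block runs offline, and the live fetch is left as a function you call yourself.

```python
"""Version check for CVE-2023-42661 (JFrog Artifactory arbitrary file write).

Added example, not JFrog's own tooling.  Assumptions: the fixed versions are
the ones this advisory lists (7.76.2 SaaS, 7.77.3 on-prem) and the instance
exposes the standard Artifactory system-version endpoint.
"""
import json
import re
import urllib.request

# Fixed releases per deployment type, as listed in the advisory.
PATCHED = {
    "saas": (7, 76, 2),
    "on-prem": (7, 77, 3),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Turn '7.77.3' (or '7.77.3-m001') into a comparable tuple (7, 77, 3)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Artifactory version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str, deployment: str = "on-prem") -> bool:
    """True when `version` is older than the fixed release for `deployment`.

    The advisory only describes Artifactory 7.x, so any other major version is
    rejected rather than silently reported as safe.
    """
    if deployment not in PATCHED:
        raise ValueError(f"deployment must be one of {sorted(PATCHED)}")
    v = parse_version(version)
    if v[0] != 7:
        raise ValueError(f"advisory covers Artifactory 7.x only; got {version!r}")
    return v < PATCHED[deployment]


def assess(system_version_json: str, deployment: str = "on-prem") -> tuple:
    """Evaluate the JSON body returned by GET /artifactory/api/system/version.

    Returns (reported_version, affected).
    """
    body = json.loads(system_version_json)
    version = body["version"]
    return version, is_affected(version, deployment)


def fetch_system_version(base_url: str, token: str, timeout: float = 10.0) -> str:
    """Fetch the system-version JSON from a live instance (not called below).

    `token` is an Artifactory access token sent as a Bearer credential.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/artifactory/api/system/version",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response, shaped like the real endpoint's JSON; the
# version number below is invented for the demonstration.
SAMPLE_RESPONSE = json.dumps({"version": "7.71.5", "revision": "constructed", "addons": []})

if __name__ == "__main__":
    for deployment in ("saas", "on-prem"):
        reported, vulnerable = assess(SAMPLE_RESPONSE, deployment)
        state = "AFFECTED, upgrade" if vulnerable else "patched"
        fixed = ".".join(map(str, PATCHED[deployment]))
        print(f"{deployment}: Artifactory {reported} is {state} (fixed in {fixed})")
```

Pass `deployment="saas"` or `"on-prem"` to match the two patched versions in the table; a 7.76.2 instance is reported as patched for SaaS but still affected for on-prem, which is exactly the gap between the two rows above. To check a live instance, call `fetch_system_version(base_url, token)` and feed its result to `assess`.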

Workarounds and Mitigations

No workarounds

Weakness Type

CWE-20: Improper Input Validation

Acknowledgements

This issue was discovered and reported by Matthias Kaiser from Apple Information Security.

We Are Here For Your Questions (JFrog Support Team)

If you have questions or concerns regarding this advisory, please raise a support request at the JFrog support portal.