CVE ID | Severity | Date Published | Date Updated |
---|---|---|---|
CVE-2023-42661 | High | 7 Mar 24 | 7 Mar 24 |
Description
JFrog Artifactory prior to version 7.76.2 is vulnerable to Arbitrary File Write of untrusted data, which may lead to DoS or Remote Code Execution when a specially crafted series of requests is sent by an authenticated user. This is due to insufficient validation of artifacts.
Severity
High
CVSSv3.1 Base Score: 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products
Product | Affected Version | Patched Version |
---|---|---|
Artifactory (7.x) | Earlier than 7.76.2 | 7.76.2 or later (SaaS); 7.77.3 or later (On-prem) |
Required Configuration for Exposure
This vulnerability affects all JFrog Artifactory deployments.
How to Fix
Cloud Environments: Affected Cloud environments have already been updated with a fixed version. No action is required for cloud instances.
Self Hosted Environments: To fix this issue, upgrade your version of Artifactory to one of the patched versions listed in the Affected Products table above.
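A quick way for administrators to confirm whether an instance still falls in the affected range is to compare its reported version against the patched thresholds from the table above. The following script is an added example, not JFrog's own tooling; it assumes the standard Artifactory system version REST endpoint (`/artifactory/api/system/version`) returns a JSON object with a `version` field, and the base URL and token used are placeholders.

```python
import json
import re
from urllib.request import Request, urlopen

# Patched versions from the advisory: SaaS and self-hosted have different thresholds.
PATCHED_VERSIONS = {
    "saas": (7, 76, 2),
    "onprem": (7, 77, 3),
}


def parse_version(version_string):
    """Reduce an Artifactory version string such as '7.77.3' or '7.77.3-m001'
    to a comparable (major, minor, patch) tuple."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_string, deployment="onprem"):
    """Return True if the version is below the patched release for the given
    deployment type, False if it is patched, or None when the version is not
    a 7.x release and therefore outside the scope of this advisory."""
    if deployment not in PATCHED_VERSIONS:
        raise ValueError("deployment must be 'saas' or 'onprem'")
    parsed = parse_version(version_string)
    if parsed[0] != 7:
        return None
    return parsed < PATCHED_VERSIONS[deployment]


def fetch_reported_version(base_url, token):
    """Query a live instance for its version (assumed endpoint and field name)."""
    request = Request(
        f"{base_url.rstrip('/')}/artifactory/api/system/version",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urlopen(request, timeout=10) as response:
        return json.load(response)["version"]


if __name__ == "__main__":
    # Placeholders: replace with the instance URL and an admin access token.
    reported = fetch_reported_version("https://artifactory.example.invalid", "ACCESS_TOKEN_PLACEHOLDER")
    status = is_vulnerable(reported, deployment="onprem")
    if status is None:
        print(f"{reported}: not a 7.x release, advisory does not apply")
    elif status:
        print(f"{reported}: below the patched version, upgrade required")
    else:
        print(f"{reported}: patched")
```

Note that 7.76.2 counts as fixed for SaaS but still vulnerable for a self-hosted instance, which is why the deployment type is a required input rather than a default the script guesses.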
Workarounds and Mitigations
No workarounds
Weakness Type
CWE-20: Improper Input Validation
Acknowledgements
This issue was discovered and reported by Matthias Kaiser from Apple Information Security.
We Are Here For Your Questions (JFrog Support Team)
If you have questions or concerns regarding this advisory, please raise a support request at the JFrog Support portal.