CVE-2023-42662: Improper SSO Mechanism may lead to Exposure of Access Tokens

JFrog Release Information

ft:sourceType
Paligo

CVE ID

Severity

Date Published

Date Updated

CVE-2023-42662

CRITICAL

6 Mar 24

6 Mar 24

Description

JFrog Artifactory versions 7.59 and above, but below 7.59.18, 7.63.18, 7.68.19, 7.71.8 are vulnerable to an issue whereby user interaction with specially crafted URLs could lead to exposure of user access tokens due to improper handling of the CLI / IDE browser based SSO integration.

Severity

CRITICAL

Affected Products

Product

Affected Versions

Patched Versions

Artifactory

  • 7.59.17 and lower

  • 7.63.17 and lower

  • 7.69.18 and lower

  • 7.71.7 and lower

  • 7.59.18 and higher

  • 7.63.18 and higher

  • 7.69.19 and higher

  • 7.71.8 and higher

How to Fix

Cloud Environments: Affected Cloud environments have already been fortified with a fixed version. No action is required for cloud instances.

Self Hosted Environments: Update to one of a fixed version

Workarounds and Mitigations

Block access to the CLI token exchange API endpoint: https://Artifactory-Host/access/api/v2/authentication/jfrog_client_login/token/*

Weakness Type

CWE-287: CWE-287 Improper Authentication

Acknowledgements

N/A

We Are Here For Your Questions (JFrog Support Team)

If you have questions or concerns regarding this advisory, please raise a support request at JFrog support portal.