CVE-2024-2247: JFrog Artifactory Cross-Site Scripting

JFrog Release Information

Content Type
Release Notes
ft:sourceType
Paligo

CVE ID

Severity

Date Published

Date Updated

CVE-2024-2247

High

13 Mar 24

13 Mar 24

Description

JFrog Artifactory prior to version 7.77.7, is vulnerable to DOM-based cross-site scripting due to improper handling of the import override mechanism.

Severity

High

Affected Products

Product

Affected Version

Patched Version

Artifactory Self-Hosted

< = 7.77.6

7.77.7

How to Fix

  • Cloud Environments: JFrog cloud environments are protected. No action is required for cloud instances.

  • Self Hosted Environments: Update to version 7.77.7

Workarounds and Mitigations

Customers can block the import of the vulnerable script by the browser, using a WAF / reverse proxy rule that blocks requests to the following HTTP path: /ui/externals/import-map-overrides/dist/import-map-overrides.js

Weakness Type

CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Acknowledgements

Reported by CaTz.

We are here for your Questions (JFrog Support Team)

If you have questions or concerns regarding this advisory, please raise a support request at JFrog support portal.