CVE Identifier | Severity | CWE / Weakness Type | Date Published | Date Updated |
---|---|---|---|---|
CVE-2024-2248 | Medium | CWE-20 Exposure of Sensitive Information to an Unauthorized Actor | 15 May 24 | 15 May 24 |
Description
A Header Injection vulnerability in the JFrog platform in versions below 7.85.0 (SaaS) and 7.84.7 (Self-Hosted) may allow threat actors to take over the end user's account when clicking on a specially crafted URL sent to the victim’s user email.
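The advisory does not say which header is injected or how the emailed URL is assembled. The following is an added example, not JFrog's code, that assumes the common pattern behind this vulnerability class: an application copies a request header into the host part of a password-reset or invitation link that it then emails to the user. The weak variant reflects whatever host the request carried; the hardened variant builds the link only from configured values and rejects requests whose `Host` header is not on an allowlist. All hostnames, paths and the token are constructed for the example.

```python
from urllib.parse import urlunsplit, quote

# Constructed configuration for this example (not JFrog's settings): the
# canonical public base URL of the service and the hosts it legitimately serves.
CANONICAL_SCHEME = "https"
CANONICAL_HOST = "artifactory.example.com"
ALLOWED_HOSTS = {"artifactory.example.com"}
RESET_PATH = "/ui/reset"  # assumed path, for illustration only


def weak_reset_link(headers: dict, token: str) -> str:
    """Weak pattern: the host of the emailed link is copied from a request
    header, so whoever controls that header controls where the user's reset
    token is sent when the link is clicked."""
    host = headers.get("Host", CANONICAL_HOST)
    return urlunsplit((CANONICAL_SCHEME, host, RESET_PATH, f"token={quote(token)}", ""))


def hardened_reset_link(headers: dict, token: str) -> str:
    """Hardened pattern: the request is rejected when its Host header is not an
    expected value, and the link itself never depends on request headers.
    The same check applies to any forwarded-host header the deployment honours
    behind a reverse proxy."""
    host = headers.get("Host", "")
    # Drop an explicit port before the allowlist comparison (hostname:port form;
    # bracketed IPv6 literals are not handled in this example).
    if host.rsplit(":", 1)[0] not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return urlunsplit((CANONICAL_SCHEME, CANONICAL_HOST, RESET_PATH, f"token={quote(token)}", ""))


if __name__ == "__main__":
    crafted = {"Host": "untrusted.example"}  # constructed sample request headers
    print("weak    :", weak_reset_link(crafted, "t0k3n"))  # link points at untrusted.example
    try:
        hardened_reset_link(crafted, "t0k3n")
    except ValueError as exc:
        print("hardened: rejected,", exc)
    print("hardened:", hardened_reset_link({"Host": "artifactory.example.com:443"}, "t0k3n"))
```

The important design choice is that the canonical host comes from configuration, not from the request: validating the header is defence in depth, but even a permissive allowlist cannot redirect the link once the link no longer reads the header at all.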
Affected Products
Product | Affected Version | Patched Version |
---|---|---|
Artifactory SaaS | < 7.85.0 | 7.85.0 |
Artifactory Self-Hosted | < 7.84.7 | 7.84.7 |
How to Fix
Cloud Environments: JFrog Cloud environments are protected against this vulnerability with a deployed version containing the fix.
Self-Hosted Environments: To fix this issue, upgrade your version of Artifactory to the patched version listed above for your deployment type.
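To check whether an installed version falls below the patched versions in the Affected Products table, here is an added example (not JFrog's tooling) that compares versions numerically per deployment type. It assumes Artifactory version strings begin with `major.minor.patch` and that any suffix after those three numbers can be ignored; `version_from_api_response` assumes the JSON returned by Artifactory's system version endpoint carries a `version` field, and the sample payload is constructed.

```python
import re

# Patched versions taken from the advisory's Affected Products table.
PATCHED_VERSIONS = {
    "saas": (7, 85, 0),
    "self-hosted": (7, 84, 7),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Parse the leading major.minor.patch of a version string into integers.
    Anything after the three numbers (build or qualifier suffixes) is ignored;
    treating such suffixes as irrelevant is an assumption of this example."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str, deployment: str) -> bool:
    """True when the installed version is below the patched version for the
    given deployment type ("saas" or "self-hosted"). Comparison is numeric,
    so 7.9.x is correctly treated as older than 7.84.x."""
    key = deployment.strip().lower()
    if key not in PATCHED_VERSIONS:
        raise ValueError(f"unknown deployment type: {deployment!r}")
    return parse_version(version) < PATCHED_VERSIONS[key]


def version_from_api_response(payload: dict) -> str:
    """Extract the version string from a system-version API response.
    Assumes the response JSON has a top-level 'version' field."""
    try:
        return payload["version"]
    except KeyError as exc:
        raise ValueError("response has no 'version' field") from exc


if __name__ == "__main__":
    # Constructed sample response; a real check would fetch it from the instance.
    sample = {"version": "7.84.6", "revision": "constructed"}
    installed = version_from_api_response(sample)
    for deployment in PATCHED_VERSIONS:
        state = "AFFECTED" if is_affected(installed, deployment) else "patched"
        print(f"{installed} as {deployment}: {state}")
```

Note that the same version string can be affected for one deployment type and not the other (7.84.7 is patched for Self-Hosted but still below 7.85.0 for SaaS), so the deployment type must be passed explicitly rather than inferred from the version.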
Workarounds and Mitigations
No workarounds.
Acknowledgements
This issue was discovered and reported by the researcher Master Hackor via HackerOne.