CVE-2024-2248 - JFrog Artifactory Header Injection


CVE Identifier: CVE-2024-2248
Severity: Medium
CWE / Weakness Type: CWE-20 Exposure of Sensitive Information to an Unauthorized Actor
Date Published: 15 May 24
Date Updated: 15 May 24

Description

A Header Injection vulnerability in the JFrog platform in versions below 7.85.0 (SaaS) and 7.84.7 (Self-Hosted) may allow a threat actor to take over an end user's account when that user clicks a specially crafted URL sent to the victim's email address.

Affected Products

Product                   Affected Version   Patched Version
Artifactory SaaS          < 7.85.0           7.85.0
Artifactory Self-Hosted   < 7.84.7           7.84.7

How to Fix

  • Cloud Environments: JFrog Cloud environments are protected against this vulnerability with a deployed version containing the fix.

  • Self-Hosted Environments: To fix this issue, upgrade your version of Artifactory to one of the patched versions listed above.
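A small inventory check for the upgrade step above, added here as an example and not part of JFrog's advisory or tooling: it compares an installed Artifactory version against the patched thresholds this advisory lists (7.85.0 for SaaS, 7.84.7 for Self-Hosted). Version strings must be compared numerically, not as text, since "7.9.9" sorts after "7.85.0" as a string but is far older. The sample inventory is constructed; obtaining the version from a live instance (for example via the system version API) is left to the caller.

```python
import re
from typing import Tuple

# Patched versions from the CVE-2024-2248 advisory: anything below these is affected.
PATCHED = {
    "saas": (7, 85, 0),
    "self-hosted": (7, 84, 7),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn an Artifactory version such as '7.84.6' (optionally followed by a
    build suffix) into a numeric tuple so that comparisons are semantic."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version: str, deployment: str) -> bool:
    """True when this deployment is still below the patched version for CVE-2024-2248."""
    key = deployment.strip().lower()
    if key not in PATCHED:
        raise ValueError(f"unknown deployment type: {deployment!r}")
    return parse_version(version) < PATCHED[key]


def report(inventory):
    """Return (name, needs_upgrade) pairs for an inventory of (name, version, deployment)."""
    return [(name, is_affected(version, deployment)) for name, version, deployment in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        ("rt-prod.example.internal", "7.84.6", "self-hosted"),
        ("rt-dev.example.internal", "7.84.7", "self-hosted"),
        ("rt-legacy.example.internal", "7.9.9", "self-hosted"),
    ]
    for name, needs_upgrade in report(sample):
        print(f"{name}: {'UPGRADE REQUIRED' if needs_upgrade else 'patched'}")
```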

Workarounds and Mitigations

No workarounds.

Acknowledgements

This issue was discovered and reported by the researcher Master Hackor via HackerOne.