CVE-2024-4142 - Improper Input Validation in Artifactory Token Creation Flow

JFrog Release Information

CVE ID          Severity   CWE / Weakness Type                 Date Published   Date Updated
CVE-2024-4142   Critical   CWE-20 Improper Input Validation    1 May 24

Description

An improper input validation vulnerability was discovered in JFrog Artifactory. Because of this vulnerability, users with low privileges may gain administrative access to the system, which could lead to privilege escalation.

This issue can also be exploited in Artifactory platforms with anonymous access enabled.

Affected Products

Product                   Affected Version   Patched Versions
Artifactory Self-Hosted   <7.55.17           7.55.17
                          <7.59.22           7.59.22
                          <7.63.21           7.63.21
                          <7.68.21           7.68.21
                          <7.71.21           7.71.21
                          <7.77.11           7.77.11
Artifactory Cloud         <7.84.6            7.84.6

How to Fix

  • Cloud environments: No action is required; the affected environments have already been protected.

  • Self-Hosted environments: Update to one of the patched versions listed above.

To apply the security fix, you must upgrade your version of JFrog Artifactory to one of the remediating versions.

To download and install remediating versions, click here. Please ensure that you select the correct patch for your current installation from the Product Version drop-down list.

For further details on how to upgrade to any of the remediating versions from your current installation, please refer to the JFrog Artifactory Upgrade Guide.
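To decide which installations still need the upgrade, the version table above has to be read per minor line: 7.63.20 is affected even though it is above 7.59.22, because its fix only arrived in 7.63.21. The checker below is an added example, not JFrog's own tooling; it encodes only the boundaries in the advisory's table and reports "not listed" for anything newer than every boundary, since the advisory makes no statement about those versions.

```python
from typing import Literal, Tuple

# Patched versions exactly as listed in the advisory's Affected Products table.
PATCHED_VERSIONS = {
    "self-hosted": ["7.55.17", "7.59.22", "7.63.21", "7.68.21", "7.71.21", "7.77.11"],
    "cloud": ["7.84.6"],
}

Status = Literal["affected", "patched", "not listed"]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.63.20' into (7, 63, 20); rejects anything that is not MAJOR.MINOR.PATCH."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    return parts


def assess(product: str, version: str) -> Status:
    """Classify an Artifactory version against the CVE-2024-4142 table.

    'affected'   - below a listed boundary and without the fix for its minor line
    'patched'    - at or above the patched release of its own minor line
    'not listed' - newer than every boundary in the table (no statement made)
    """
    v = parse_version(version)
    patched = [parse_version(p) for p in PATCHED_VERSIONS[product.lower()]]
    # A minor line that received its own patch release: compare within that line.
    for p in patched:
        if v[:2] == p[:2]:
            return "patched" if v >= p else "affected"
    # No patch release exists on this minor line, so any version below the
    # highest listed boundary is inside an "<x.y.z" affected range.
    if v < max(patched):
        return "affected"
    return "not listed"


if __name__ == "__main__":
    # Constructed sample inventory for illustration; not data from the advisory.
    for product, ver in [("self-hosted", "7.63.20"), ("self-hosted", "7.63.21"),
                         ("self-hosted", "7.60.3"), ("cloud", "7.84.5")]:
        print(f"{product:11} {ver:8} -> {assess(product, ver)}")
```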

Acknowledgements

This issue was discovered and reported by Matthias Kaiser of Apple Information Security.