CVE-2024-6915 - Cache Poisoning

JFrog Release Information


CVE Identifier: CVE-2024-6915
Severity: Critical
CWE Weakness Type: CWE-20 (Improper Input Validation)
Date Published: August 5, 2024
Date Updated: August 5, 2024

Description

JFrog Artifactory versions below 7.90.6, 7.84.20, 7.77.14, 7.71.23, 7.68.22, 7.63.22, 7.59.23, and 7.55.18 are vulnerable to Improper Input Validation that could potentially lead to Cache Poisoning.

Affected Products

Product        Affected Version    Patched Version
Artifactory    < 7.90.6            7.90.6
Artifactory    < 7.84.20           7.84.20
Artifactory    < 7.77.14           7.77.14
Artifactory    < 7.71.23           7.71.23
Artifactory    < 7.68.22           7.68.22
Artifactory    < 7.63.22           7.63.22
Artifactory    < 7.59.23           7.59.23
Artifactory    < 7.55.18           7.55.18
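The table above lists one patched release per maintained line, so whether a given installation is affected depends on which line it is on, not only on the raw version number. The following check is an added example, not JFrog's code; it encodes the table as written and assumes that a version at or above 7.90.6 is fixed on every line, and that a version on a line with no listed patch is affected when it is below 7.90.6, which follows the advisory's "versions below" wording.

```python
"""Decide whether an Artifactory version string is in the range CVE-2024-6915 affects."""

# Patched versions copied from the advisory's Affected Products table, one per release line.
PATCHED_VERSIONS = [
    "7.90.6", "7.84.20", "7.77.14", "7.71.23",
    "7.68.22", "7.63.22", "7.59.23", "7.55.18",
]


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch' into an int tuple; a trailing build suffix such as
    '7.77.14-1' is ignored. Anything else is rejected rather than guessed at."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Artifactory version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the version is below the patch for its release line.

    Rules, in order:
      1. At or above the newest patch (7.90.6): fixed on any line (assumption).
      2. Same major.minor as a listed patch: fixed only at or above that patch.
      3. Older line with no listed patch, below 7.90.6: affected (advisory wording).
    """
    patched = sorted(parse_version(p) for p in PATCHED_VERSIONS)
    current = parse_version(version)
    if current >= patched[-1]:
        return False
    for line_patch in patched:
        if line_patch[:2] == current[:2]:
            return current < line_patch
    return True


if __name__ == "__main__":
    # Constructed sample versions, including one on a line the table does not list (7.85).
    for candidate in ["7.84.19", "7.84.20", "7.85.3", "7.90.6", "7.91.0", "7.50.2"]:
        state = "AFFECTED" if is_affected(candidate) else "fixed"
        print(f"{candidate:>8}: {state}")
```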

How to Fix

  • Self Hosted: To fix this issue, upgrade using the security patch for your required Patched Version from the following location: https://jfrog.com/download-legacy/

  • Cloud:

    • Environments have already been updated to a fixed version containing additional security controls. No action is required for cloud instances.

    • Cloud customers with Hybrid deployments where their Edge resides on-premise will need to upgrade their on-premise Edge instance

Workarounds and Mitigations

Disable anonymous access, or remove the Deploy/Cache permission on remote repositories from the Anonymous account.

Acknowledgements

This issue was discovered and reported by Michael Stepankin (artsploit) from GitHub Security Lab.