CVE Identifier | Severity | CWE Weakness Type | Date Published | Date Updated |
---|---|---|---|---|
| Critical | | August 5, 2024 | August 5, 2024 |
Description
JFrog Artifactory versions below 7.90.6, 7.84.20, 7.77.14, 7.71.23, 7.68.22, 7.63.22, 7.59.23, and 7.55.18 are vulnerable to Improper Input Validation that could potentially lead to Cache Poisoning.
Affected Products
Product | Affected Version | Patched Version |
---|---|---|
Artifactory | < 7.90.6 | 7.90.6 |
Artifactory | < 7.84.20 | 7.84.20 |
Artifactory | < 7.77.14 | 7.77.14 |
Artifactory | < 7.71.23 | 7.71.23 |
Artifactory | < 7.68.22 | 7.68.22 |
Artifactory | < 7.63.22 | 7.63.22 |
Artifactory | < 7.59.23 | 7.59.23 |
Artifactory | < 7.55.18 | 7.55.18 |
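The table above lists a separate patched release for each maintained release line. An operator checking an installed instance has to compare against the patched version of its own line, not just the newest one. The following added example (not from the advisory or from JFrog) does that comparison; it assumes that a release line not listed above (for instance 7.56.x) received no backported fix and must move to the next listed line, so it is treated as affected.

```python
# Added example (not from the JFrog advisory): decide whether an installed
# Artifactory version falls below the patched version of its own release line.
# Assumption: an unlisted release line (e.g. 7.56.x) has no backported fix,
# so it is treated as affected and pointed at the next listed patched release.
import re

# Patched versions from the advisory, keyed by major.minor release line.
PATCHED = {
    (7, 90): (7, 90, 6),
    (7, 84): (7, 84, 20),
    (7, 77): (7, 77, 14),
    (7, 71): (7, 71, 23),
    (7, 68): (7, 68, 22),
    (7, 63): (7, 63, 22),
    (7, 59): (7, 59, 23),
    (7, 55): (7, 55, 18),
}
LATEST_FIXED = max(PATCHED.values())  # (7, 90, 6): everything from here on is fixed


def parse_version(text: str) -> tuple:
    """Turn '7.77.13' (a trailing suffix such as '-m001' is ignored) into (7, 77, 13)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Artifactory version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    """True when the fix from this advisory is not present in the given version."""
    v = parse_version(version)
    if v >= LATEST_FIXED:            # 7.90.6 and later always contain the fix
        return False
    patched = PATCHED.get(v[:2])     # patched release on the same line, if listed
    if patched is None:
        return True                  # unlisted line: no backported fix (assumption)
    return v < patched


def required_upgrade(version: str):
    """Smallest listed patched version that resolves the issue, or None if already fixed."""
    v = parse_version(version)
    if not is_affected(version):
        return None
    return ".".join(map(str, min(p for p in PATCHED.values() if p >= v)))
```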
How to Fix
Self Hosted: To fix this issue, upgrade using the security patch for your required Patched Version from the following location: https://jfrog.com/download-legacy/
Cloud:
Environments have already been updated to a fixed version containing additional security controls. No action is required for cloud instances.
Cloud customers with Hybrid deployments whose Edge resides on-premise will need to upgrade their on-premise Edge instance.
Workarounds and Mitigations
Disable anonymous access or remove Deploy/Cache permissions for remote repositories for the Anonymous account.
Acknowledgements
This issue was discovered and reported by Michael Stepankin (artsploit) from GitHub Security Lab.