JFrog Security Advisories

SUPPORT

JFrog takes the privacy and security of its customers very seriously and always strives to provide prompt notification and remediation of any vulnerabilities discovered on JFrog products. As a CVE Numbering Authority (CNA), JFrog assigns CVE identification numbers to newly discovered security vulnerabilities.

Severity	CVE	Summary	Product	Versions	Published	Updated
HIGH	CVE-2021-3860	JFrog Artifactory prior to version 7.25.4 (Enterprise+ deployments only), is vulnerable to Blind SQL Injection by a low privileged authenticated user due to incomplete validation when performing an SQL query.	Artifactory	Versions prior to 7.25.4 Versions prior to 6.23.30	12/15/2021	12/15/2021
MEDIUM	CVE-2021-45074	JFrog Artifactory prior to7.29.3 and 6.23.38, is vulnerable to Broken Access Control, a low-privileged user is able to delete other known users'OAuthtoken, which will force a reauthentication on an active session or in the following UI session.	Artifactory	Versions prior to 7.29.3 Versions prior to 6.23.38	03/02/2022	03/02/2022
LOW	CVE-2021-46270	JFrog Artifactory prior to 7.31.10, is vulnerable to Broken Access Control where a project admin user is able to list all available repository names due to insufficient permission validation.	Artifactory	Versions prior to 7.31.10	03/02/2022	03/02/2022
HIGH	CVE-2022-0573	JFrog Artifactory prior to 7.36.1 and 6.23.41, is vulnerable to Insecure Deserialization of untrusted data which can lead to DoS, Privilege Escalation, and Remote Code Execution when a specially crafted request is sent by a low privileged authenticated user due to insufficient validation of a user-provided serialized object.	Artifactory	Versions prior to 7.36.1 Versions prior to 6.34.41	05/12/2022	05/12/2022
MEDIUM	CVE-2021-45730	JFrog Artifactory prior to 7.31.10, is vulnerable to Broken Access Control where a Project Admin is able to create, edit and delete Repository Layouts while Repository Layouts configuration should only be available for Platform Administrators.	Artifactory	Versions prior to 7.31.10	05/18/2022	05/18/2022
MEDIUM	CVE-2021-41834	JFrog Artifactory prior to versions 7.28.0 and 6.23.38, is vulnerable to Broken Access Control, a low-privileged user can use the copy function to read and copy any artifact that exists in the Artifactory deployment due to improper permissions validation.	Artifactory	Versions prior to 7.28.0 Versions prior to 6.23.38	05/18/2022	05/18/2022
LOW	CVE-2021-23163	JFrog Artifactory prior to version 7.33.6 and 6.23.38, is vulnerable to CSRF ( Cross-Site Request Forgery) for specific endpoints.	Artifactory	Versions prior to 7.33.6 Versions prior to 6.23.38	07/05/2022	07/05/2022
MEDIUM	CVE-2021-46687	JFrog Artifactory prior to version 7.31.10and 6.23.38is vulnerable to Sensitive Data Exposure through the Project Administrator REST API.	Artifactory	Versions prior to 7.31.10 Versions prior to 6.23.38	07/05/2022	07/05/2022
MEDIUM	CVE-2021-45721	JFrog Artifactory prior to version 7.29.8 and 6.23.38is vulnerable to Reflected Cross-Site Scripting (XSS) through one of the XHR parameters in the Users REST API endpoint.	Artifactory	Versions prior to 7.29.8 Versions prior to 6.23.38	07/05/2022	07/05/2022
MEDIUM	CVE-2022-0668	JFrog Artifactory prior to versions 7.37.13 and 6.23.41. is vulnerable to Authentication Bypass, which can lead to Privilege Escalation when a specially crafted request is sent by an unauthenticated user.	Artifactory	Versions prior to 7.37.13 Versions prior to 6.23.41	01/02/2023	01/02/2023