JFrog takes the privacy and security of its customers very seriously and always strives to provide prompt notification and remediation of any vulnerabilities discovered on JFrog products. As a CVE Numbering Authority (CNA), JFrog assigns CVE identification numbers to newly discovered security vulnerabilities.
Severity | CVE | Summary | Product | Versions | Published | Updated
---|---|---|---|---|---|---
MEDIUM | | JFrog Artifactory prior to version 7.66.0 is vulnerable to specific endpoint abuse with a specially crafted payload, which can lead to unauthenticated users being able to send emails with a manipulated email body. | Artifactory | Versions prior to 7.66.0 | 10/04/2023 | 10/04/2023
MEDIUM | | JFrog Artifactory prior to versions 7.37.13 and 6.23.41 is vulnerable to Authentication Bypass, which can lead to Privilege Escalation when a specially crafted request is sent by an unauthenticated user. | Artifactory | Versions prior to 7.37.13 and 6.23.41 | 01/02/2023 | 01/02/2023
MEDIUM | CVE-2021-45721 | JFrog Artifactory prior to versions 7.29.8 and 6.23.38 is vulnerable to Reflected Cross-Site Scripting (XSS) through one of the XHR parameters in the Users REST API endpoint. | Artifactory | Versions prior to 7.29.8 and 6.23.38 | 07/05/2022 | 07/05/2022
MEDIUM | CVE-2021-46687 | JFrog Artifactory prior to versions 7.31.10 and 6.23.38 is vulnerable to Sensitive Data Exposure through the Project Administrator REST API. | Artifactory | Versions prior to 7.31.10 and 6.23.38 | 07/05/2022 | 07/05/2022
LOW | CVE-2021-23163 | JFrog Artifactory prior to versions 7.33.6 and 6.23.38 is vulnerable to CSRF (Cross-Site Request Forgery) for specific endpoints. | Artifactory | Versions prior to 7.33.6 and 6.23.38 | 07/05/2022 | 07/05/2022
MEDIUM | CVE-2021-41834 | JFrog Artifactory prior to versions 7.28.0 and 6.23.38 is vulnerable to Broken Access Control: a low-privileged user can use the copy function to read and copy any artifact that exists in the Artifactory deployment due to improper permissions validation. | Artifactory | Versions prior to 7.28.0 and 6.23.38 | 05/18/2022 | 05/18/2022
MEDIUM | CVE-2021-45730 | JFrog Artifactory prior to 7.31.10 is vulnerable to Broken Access Control where a Project Admin is able to create, edit and delete Repository Layouts, while Repository Layouts configuration should only be available to Platform Administrators. | Artifactory | Versions prior to 7.31.10 | 05/18/2022 | 05/18/2022
HIGH | CVE-2022-0573 | JFrog Artifactory prior to 7.36.1 and 6.23.41 is vulnerable to Insecure Deserialization of untrusted data, which can lead to DoS, Privilege Escalation, and Remote Code Execution when a specially crafted request is sent by a low-privileged authenticated user, due to insufficient validation of a user-provided serialized object. | Artifactory | Versions prior to 7.36.1 and 6.23.41 | 05/12/2022 | 05/12/2022
LOW | CVE-2021-46270 | JFrog Artifactory prior to 7.31.10 is vulnerable to Broken Access Control where a project admin user is able to list all available repository names due to insufficient permission validation. | Artifactory | Versions prior to 7.31.10 | 03/02/2022 | 03/02/2022
MEDIUM | CVE-2021-45074 | JFrog Artifactory prior to 7.29.3 and 6.23.38 is vulnerable to Broken Access Control: a low-privileged user is able to delete other known users' OAuth token, which will force a reauthentication on an active session or in the following UI session. | Artifactory | Versions prior to 7.29.3 and 6.23.38 | 03/02/2022 | 03/02/2022
HIGH | CVE-2021-3860 | JFrog Artifactory prior to version 7.25.4 (Enterprise+ deployments only) is vulnerable to Blind SQL Injection by a low-privileged authenticated user due to incomplete validation when performing an SQL query. | Artifactory | Versions prior to 7.25.4 (Enterprise+ deployments only) | 12/15/2021 | 12/15/2021