This flaw, categorized under CWE-20 (Improper Input Validation), allows attackers to poison artifact caches, potentially leading to severe security breaches.
The vulnerability has been marked as ‘Critical’ and was published and updated on August 5, 2024. The flaw affects multiple versions of JFrog Artifactory, specifically those below versions 7.90.6, 7.84.20, 7.77.14, 7.71.23, 7.68.22, 7.63.22, 7.59.23, and 7.55.18.
Affected Products
The following table outlines the affected versions and their corresponding patched versions:
| Product | Affected Version | Patched Version |
| --- | --- | --- |
| Artifactory | < 7.90.6 | 7.90.6 |
| Artifactory | < 7.84.20 | 7.84.20 |
| Artifactory | < 7.77.14 | 7.77.14 |
| Artifactory | < 7.71.23 | 7.71.23 |
| Artifactory | < 7.68.22 | 7.68.22 |
| Artifactory | < 7.63.22 | 7.63.22 |
| Artifactory | < 7.59.23 | 7.59.23 |
| Artifactory | < 7.55.18 | 7.55.18 |
Cloud environments have already been updated with the necessary security controls, requiring no user action. However, cloud customers with hybrid deployments must upgrade their on-premise Edge instances.
To mitigate the risk until the upgrade is applied, it is recommended to disable anonymous access, or to remove the Deploy/Cache permission on remote repositories from the Anonymous account.
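The two checks a practitioner would run against this advisory, as an added Python example that is not JFrog's own tooling: one applies the patched-version table above to a running instance's version string, the other scans permission-target data for the grant the mitigation says to remove. It assumes the v1 permission-target JSON shape (`repositories`, `principals.users`), the built-in user name `anonymous`, the `w` flag for Deploy/Cache and the `ANY`/`ANY REMOTE` wildcard keys, and that releases newer than 7.90.6 include the fix; the sample data is constructed.

```python
"""Check an Artifactory instance against the advisory above (added example).
is_patched() applies the patched-version table; risky_targets() flags
permission targets granting the built-in 'anonymous' user Deploy/Cache ("w")
on a remote repository, the grant the mitigation says to remove.
Assumed input: v1 permission-target JSON as returned by
GET /artifactory/api/security/permissions/<name>, where "ANY"/"ANY REMOTE"
are wildcard repository keys and "w" is the Deploy/Cache flag.
"""
PATCHED = ["7.90.6", "7.84.20", "7.77.14", "7.71.23",
           "7.68.22", "7.63.22", "7.59.23", "7.55.18"]  # from the advisory

def _parse(version):
    return tuple(int(part) for part in version.split("."))

def is_patched(version):
    """True if `version` carries the fix: on a listed branch (same major.minor)
    when at or above that fix level; otherwise only when newer than 7.90.6,
    the highest listed fix (assumption: later releases include it).
    So 7.80.3 is affected: no 7.80.x fix exists and it predates 7.90.6."""
    v = _parse(version)
    for fixed in map(_parse, PATCHED):
        if v[:2] == fixed[:2]:
            return v >= fixed
    return v >= _parse(PATCHED[0])

def risky_targets(targets, remote_repos):
    """Names of targets giving 'anonymous' Deploy/Cache on a remote repo."""
    remotes = set(remote_repos)
    risky = []
    for target in targets:
        users = target.get("principals", {}).get("users", {})
        if "w" not in users.get("anonymous", []):
            continue
        repos = set(target.get("repositories", []))
        if repos & {"ANY", "ANY REMOTE"} or repos & remotes:
            risky.append(target["name"])
    return risky

# Constructed sample data shaped like the REST API output; not real config.
SAMPLE_REMOTES = ["npm-remote", "maven-central"]
SAMPLE_TARGETS = [
    {"name": "anon-npm-cache", "repositories": ["npm-remote"],
     "principals": {"users": {"anonymous": ["r", "w"]}}},
    {"name": "anon-read", "repositories": ["ANY REMOTE"],
     "principals": {"users": {"anonymous": ["r"]}}},
    {"name": "ci-deploy", "repositories": ["libs-release-local"],
     "principals": {"users": {"ci": ["r", "w", "d"]}}},
]
```

Feed `risky_targets` the per-target JSON from the permissions API and the keys of your remote repositories; any name it returns is a target to fix before relying on the upgrade alone.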