JFrog Help Center

Our new portal is coming soon!
Documentation + Knowledge Base





JFrog Help Center - A new knowledge experience is coming your way soon!



CVE ID

Severity 

Date Published 

Date Updated 

CVE-2021-23163

LOW

07/05/202207/05/2022

Description

JFrog Artifactory prior to version 7.33.6 and 6.23.38, is vulnerable to CSRF ( Cross-Site Request Forgery) for specific endpoints. 

Severity: LOW

CVSSv3.1 Score: 3.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Affected Products

Product

Affected Versions

Patched Versions

Artifactory (7.x)

< 7.33.6

7.33.6

Artifactory (6.x)

  < 6.23.38

6.23.38

Required Configuration for Exposure

This vulnerability affects JFrog Artifactory deployments.

This issue requires a user to  enter their credentials in a www-authenticate negotiation, or have accessed some of the Artifactory REST APIs using basic credentials in the URL. (user:pass@artifactory-domain).



How to fix

Cloud Environments

Affected Cloud environments have already been fortified with a fixed version. No action is required for cloud instances.

Self Hosted Environments

To fix this issue, there is required action.

Upgrade your version of Artifactory or Edge to one of the versions listed below:

Product

Version

Link

Artifactory (7.x)

7.33.6 and above

https://releases.jfrog.io

Artifactory (6.x)

6.23.38 and above

https://releases.jfrog.io


Workarounds and Mitigations

There aren’t any suggested workarounds to this issue besides upgrading to a fixed version.


Weakness Type

CWE-352: Cross-Site Request Forgery (CSRF)


Acknowledgements

This issue was discovered and reported by Maxime Escourbiac and Maxence Schmitt at Michelin CERT.


We Are Here For Your Questions (JFrog Support Team)

If you have questions or concerns regarding this advisory, please raise a support request at JFrog support portal.

Copyright © 2023 JFrog Ltd.