Cloud customer?
Start for Free >
Upgrade in MyJFrog >
What's New in Cloud >





Working with an older version? JFrog Artifactory 6.x | JFrog Xray 2.x | JFrog Mission Control 3.x | JFrog Distribution 1.x |


Skip to end of metadata
Go to start of metadata
CVE ID

Severity 

Date Published 

Date Updated 

CVE-2021-41834

MEDIUM

18/5/202218/5/2022

Description

JFrog Artifactory prior to version 7.28.0 and 6.23.38, is vulnerable to Broken Access Control, the copy functionality can be used by a low-privileged user to read and copy any artifact that exists in the Artifactory deployment due to improper permissions validation.

Severity: Medium
CVSSv3 Score: 5.3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products

Product

Affected Versions

Patched Versions

Artifactory (7.x)

< 7.28.0

7.28.0

Artifactory (6.x)< 6.23.386.23.38

Required Configuration for Exposure

This vulnerability affects JFrog Artifactory deployments.

This vulnerability requires authenticated access to JFrog Artifactory and knowing a path of a repository or artifact that the user does not have access to.


How to fix

Cloud Environments

Affected Cloud environments have already been fortified with a fixed version. No action is required for cloud instances.

Self Hosted Environments

To fix this issue, there is required action.

Upgrade your version of Artifactory or Edge to one of the versions listed below:

Product

Version

Link

Artifactory (7.x)

7.28.0

https://releases.jfrog.io

Artifactory (6.x)

6.23.38

https://releases.jfrog.io

Workarounds and Mitigations

There aren’t any suggested workarounds to this issue besides upgrading to a fixed version.

Weakness Type

CWE-284: Improper Access Control

Acknowledgements

Maxime Escourbiac and Maxence Schmitt at Michelin CERT.

We Are Here For Your Questions (JFrog Support Team)

If you have questions or concerns regarding this advisory, please raise a support request at JFrog support portal.

Copyright © 2022 JFrog Ltd.