CVE-2021-46270: Artifactory Project Admin Repository Name Disclosure

JFrog Release Information

ft:sourceType
Paligo

CVE ID

Severity

Date Published

Date Updated

CVE-2021-46270

LOW

03/02/2022

03/02/2022

Description

JFrog Artifactory prior to 7.31.10, is vulnerable to Broken Access Control where a Project Admin user is able to list all available repository names due to insufficient permission validation.

Severity: LOW

CVSSv3.1 Base Score:2.7AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Affected Products

Product

Affected Versions

Patched Versions

Artifactory (7.x)

< 7.31.10

7.31.10

Required Configuration for Exposure

This vulnerability affects JFrog Artifactory deployments.

This issue requires authenticated access to JFrog Artifactory and Project Admin permissions.

How to fix

Cloud Environments

Affected Cloud environments have already been fortified with a fixed version. No action is required for cloud instances.

Self Hosted Environments

To fix this issue, there is required action.

Upgrade your Artifactory version to one of the versions listed below:

Product

Version

Link

Artifactory (7.x)

7.31.10

https://releases.jfrog.io

Workarounds and Mitigations

There aren’t any suggested workarounds to this issue besides upgrading to a fixed version.

Weakness Type

CWE-284: Improper Access Control

Acknowledgements

Maxime Escourbiac and Maxence Schmitt at Michelin CERT.

We Are Here For Your Questions (JFrog Support Team)

If you have questions or concerns regarding this advisory, please raise a support request at JFrog support portal.