How to fix
Affected Cloud environments have already been fortified with a fixed version. No action is required for cloud instances.
Self Hosted EnvironmentsTo fix this issue, there is required action.
Upgrade your Artifactory version to one of the versions listed below:
Latest 6.23.x version
Workarounds and Mitigations
You can mitigate the impact of this issue by following best practices and disabling anonymous access to the JFrog Platform. Please review the best practices for disabling anonymous access in the JFrog Knowledge Base.
Anonymous Access is disabled by default for new Artifactory and Edge installations starting from versions 6.12.0 and 7.0.0.
CWE-502: Deserialization of Untrusted Data
This issue was discovered and reported by Matthias Kaiser and Jonni Passki of Apple Information Security.
We Are Here For Your Questions (JFrog Support Team)
If you have questions or concerns regarding this advisory, please raise a support request at JFrog support portal.