  1. Artifactory Binary Repository
  2. RTFACT-14895

Using API Key with a wrong user exposes the correct one

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: 5.4.6
    • Fix Version/s: 5.6.0
    • Component/s: API Key, REST API, Security
    • Labels:
      None

      Description

      API Key can be used as part of basic authentication instead of the password.

      When authenticating using the wrong username, but with an API Key that exists in Artifactory, Artifactory responds with the correct username for this API Key.

      e.g.:

      $ curl -u<FALSE_USER>:<API_KEY> http://localhost:8081/artifactory/api/system/ping
      

      This will return the following message: "Bad authentication Key apiKey=<API_KEY> for user <TRUE_USER>"
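
A minimal model of the behaviour described above, next to a variant that returns one uniform failure response, added here as an example; it is not Artifactory's code, and the key store, user names, and function names are assumptions made for illustration.

```python
# Constructed sample data: API key -> owning user (hypothetical keys and names).
KEY_OWNERS = {
    "CONSTRUCTED-KEY-0001": "alice",
    "CONSTRUCTED-KEY-0002": "bob",
}

GENERIC_ERROR = "Bad credentials"


def authenticate_leaky(username, api_key):
    """Models the reported behaviour: a mismatch error names the key's real owner."""
    owner = KEY_OWNERS.get(api_key)
    if owner is None:
        return 401, GENERIC_ERROR
    if owner != username:
        # Message format taken from the report; it echoes both the key and its owner.
        return 401, f"Bad authentication Key apiKey={api_key} for user {owner}"
    return 200, "OK"


def authenticate_hardened(username, api_key):
    """Same check, but an unknown key and a mismatched user are indistinguishable."""
    owner = KEY_OWNERS.get(api_key)
    if owner is not None and owner == username:
        return 200, "OK"
    return 401, GENERIC_ERROR


def leaked_values(auth, username, api_key):
    """Regression check: list the key or other users' names found in the response body."""
    _, body = auth(username, api_key)
    candidates = set(KEY_OWNERS.values()) - {username}
    candidates.add(api_key)
    return sorted(value for value in candidates if value in body)


if __name__ == "__main__":
    for auth in (authenticate_leaky, authenticate_hardened):
        print(auth.__name__, leaked_values(auth, "mallory", "CONSTRUCTED-KEY-0001"))
```

The `leaked_values` check can be kept as a regression test so that a later change to the error text does not reintroduce the disclosure.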

              People

              • Assignee: aviz Avi Zaig (Inactive)
              • Reporter: arielk Ariel Kabov
              • Assigned QA: Anastasiya Muntyan