Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: 6.0.1
    • Fix Version/s: 6.1.0
    • Component/s: None
    • Labels: None
    • Environment:
      We should validate the CSRF header value.

      Description

      An attacker can craft a malicious Flash application that forges requests to Artifactory from a logged-in user's browser and thereby gain unauthorized admin access (cross-site request forgery).

      When a Chrome user opens the malicious Flash application and it issues a request to Artifactory, the Flash plugin automatically adds the header:

      X-Requested-With: [Flash plugin id and version]

      Artifactory's CSRF protection only checks that this header is present; it does not validate the header's value, so every request carrying the header is accepted, including the Flash-originated one. The check must validate the header value rather than rely on the header's presence alone.
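The weakness described above and the direction of the fix, as an added example that is not Artifactory's own code (Artifactory is Java; the logic carries over unchanged): a presence-only X-Requested-With check next to a hardened check that requires the exact expected header value and an allow-listed request origin. The expected value "XMLHttpRequest", the origins, and the ShockwaveFlash sample value standing in for "[Flash plugin id and version]" are all constructed sample data.

```python
"""Added example, not Artifactory's code: a CSRF guard that only tests for the
presence of X-Requested-With (the weakness in this issue) beside a hardened
guard that validates the header value and the request's origin.
All header names, values and origins below are constructed sample data."""

from typing import Dict, Mapping, Optional, Set, Tuple
from urllib.parse import urlsplit

# Value that the application's own XMLHttpRequest calls set (assumed here);
# a plugin-injected value such as ShockwaveFlash/<version> will not match it.
EXPECTED_XRW = "XMLHttpRequest"


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def csrf_check_weak(headers: Mapping[str, str]) -> bool:
    """The flawed check: any request carrying the header is accepted,
    whatever its value, so a Flash-originated request passes."""
    return get_header(headers, "X-Requested-With") is not None


def request_origin(headers: Mapping[str, str]) -> Optional[str]:
    """scheme://host[:port] taken from Origin, falling back to Referer."""
    origin = get_header(headers, "Origin")
    if origin is not None:
        return origin  # may be the literal "null"; it is never in the allow-list
    referer = get_header(headers, "Referer")
    if referer is None:
        return None
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def csrf_check_hardened(headers: Mapping[str, str], allowed_origins: Set[str]) -> bool:
    """Require the exact expected header value AND an allow-listed origin.
    Neither condition alone is enough: the value can be forged by any client
    able to set custom headers, and Origin/Referer can be absent."""
    if get_header(headers, "X-Requested-With") != EXPECTED_XRW:
        return False
    origin = request_origin(headers)
    return origin is not None and origin in allowed_origins


# Constructed sample requests (header dicts as a server would see them).
ALLOWED_ORIGINS = {"https://artifactory.example.com"}

SAMPLE_REQUESTS: Dict[str, Dict[str, str]] = {
    "same_origin_xhr": {
        "X-Requested-With": "XMLHttpRequest",
        "Origin": "https://artifactory.example.com",
    },
    "same_origin_referer_only": {
        "x-requested-with": "XMLHttpRequest",
        "Referer": "https://artifactory.example.com/ui/",
    },
    "flash_cross_origin": {
        # Constructed stand-in for the "[Flash plugin id and version]" value.
        "X-Requested-With": "ShockwaveFlash/11.2.202.235",
        "Origin": "https://attacker.example",
    },
    "spoofed_value_cross_origin": {
        "X-Requested-With": "XMLHttpRequest",
        "Origin": "https://attacker.example",
    },
    "no_header": {
        "Referer": "https://artifactory.example.com/ui/",
    },
}


def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """Return {sample name: (weak check result, hardened check result)}."""
    return {
        name: (csrf_check_weak(h), csrf_check_hardened(h, ALLOWED_ORIGINS))
        for name, h in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for name, (weak, hardened) in evaluate().items():
        print(f"{name:<28} weak={weak!s:<5} hardened={hardened}")
```

The Flash request passes the weak check because only presence is tested; the hardened check rejects it on the value and, independently, on the origin. Validating the value alone is still weaker than a synchronizer token, since any client that can set arbitrary headers can supply the expected value; the origin check covers the browser case the issue describes.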

            People

    • Assignee: Tamir Hadad (tamirh)
    • Reporter: Tamir Hadad (tamirh)
    • Votes: 0
    • Watchers: 3
