Project: Artifactory Binary Repository
Issue: RTFACT-26942

Security Hardening of Repository Replication Settings


    Details

    • Type: New Feature
    • Status: Open
    • Resolution: Unresolved
    • Affects Version/s: 7.33.6
    • Fix Version/s: None
    • Component/s: Security, Web UI
    • Environment:

      Production and Dev

      Description

      Info duplicated in support ticket 200917.
      This is for Artifactory Enterprise version 7.33.12.

      Description of Issue:

      When modifying replication configurations (scenarios listed below), an attacker who can edit the settings can change the remote URL Artifactory believes it should be communicating with. The attacker can then "test" the configuration, which causes Artifactory to open a connection to the new URL under the attacker's control. This connection continues to use the already-configured authentication, so the attacker never has to prove knowledge of the credential that is being sent.


      Scenarios

      UI Security hardening of replication settings for the following scenarios:

      • Replication between multiple Artifactory instances
        • These replication connections are authenticated, so Artifactory must store the credentials for future authentication, which are accessible in the UI.
        • (Administration > Repositories > {TargetLocalRepo} > Replications > "Add Replication" or edit existing).
      • Remote connections to enable remote repositories
        • These are repositories in Artifactory which effectively act as a proxy or a local cache. When they receive requests, these requests are forwarded to a remote server, such as PyPI, Docker Hub, or NPM. Some of these requests require authentication, so Artifactory must store the credentials for applicable remote repositories.

      Ask

      • A measure to further secure these settings, such as requiring the password to be re-entered before a replication is modified or tested.

            People

            Assignee:
            Unassigned
            Reporter:
            tre.robinson Tre