Artifactory Binary Repository
RTFACT-4892

Malicious user content may be used for cross-site scripting

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.5.1.1
    • Fix Version/s: 2.5.2
    • Component/s: Downloader, Web UI
    • Labels: None

      Description

      To avoid potential XSS attacks via browsable user content (a file uploaded to a repository and then opened in the browser from Artifactory's own origin):

      1. All content requested from Artifactory should be downloaded as an attachment (served with a Content-Disposition: attachment header) rather than rendered in the browser.
      2. Javadoc browsing (archive content browsing) should be off by default. It can be enabled, with the caveat that admins must take measures to ensure repository content is moderated, so that security cannot be compromised by malicious content.
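      As an added example (not Artifactory's code), the two rules above expressed as response builders in Python: rule 1 forces every direct artifact request to be saved rather than rendered, and rule 2 refuses archive-entry requests unless a setting is turned on. The ARCHIVE_BROWSING_ENABLED flag, the function names, the `jar!/entry` path convention and the sample javadoc entry are constructed assumptions for the illustration.

```python
import mimetypes
import posixpath
from http import HTTPStatus
from urllib.parse import quote

# Hypothetical global mirroring rule 2: archive (javadoc) browsing is off
# unless an administrator explicitly enables it.
ARCHIVE_BROWSING_ENABLED = False

# Constructed sample: an HTML page an attacker could publish inside a
# javadoc jar, hoping it is rendered from the server's origin.
SAMPLE_ENTRY = {
    "path": "com/example/evil/1.0/evil-1.0-javadoc.jar!/index.html",
    "body": b"<html><body><script>alert(document.cookie)</script></body></html>",
}


def _entry_name(path: str) -> str:
    """File name of the requested resource; for 'archive!/entry' paths, the entry."""
    return posixpath.basename(path.rsplit("!/", 1)[-1]) or "download"


def _ascii_filename(name: str) -> str:
    """ASCII fallback for Content-Disposition: drop CR/LF (header injection),
    quotes and backslashes (quoted-string breakout) and non-printable bytes."""
    kept = "".join(c for c in name if 32 <= ord(c) < 127 and c not in '"\\')
    return kept or "download"


def download_headers(path: str) -> dict:
    """Rule 1: headers that make a browser save the resource instead of rendering it."""
    name = _entry_name(path)
    return {
        # A generic type: never text/html or image/svg+xml, both of which run script.
        "Content-Type": "application/octet-stream",
        # RFC 6266 attachment with an RFC 5987 UTF-8 form for non-ASCII names;
        # quote() percent-encodes CR/LF, so the raw name cannot inject a header.
        "Content-Disposition": (
            f'attachment; filename="{_ascii_filename(name)}"; '
            f"filename*=UTF-8''{quote(name, safe='')}"
        ),
        # Without nosniff some browsers would sniff octet-stream back to HTML.
        "X-Content-Type-Options": "nosniff",
    }


def serve_download(path: str, body: bytes):
    """Every direct artifact request goes out as an attachment."""
    return HTTPStatus.OK, download_headers(path), body


def serve_archive_entry(path: str, body: bytes, enabled: bool = ARCHIVE_BROWSING_ENABLED):
    """Rule 2: archive-content browsing is refused unless explicitly enabled.

    When enabled, the entry has to be rendered inline (that is what makes javadoc
    browsable), so its HTML executes in the server's origin. This is exactly the
    case the issue says only a moderated repository may allow."""
    if not enabled:
        return HTTPStatus.FORBIDDEN, {"Content-Type": "text/plain"}, b"archive browsing is disabled"
    ctype = mimetypes.guess_type(_entry_name(path))[0] or "application/octet-stream"
    return HTTPStatus.OK, {"Content-Type": ctype, "X-Content-Type-Options": "nosniff"}, body


if __name__ == "__main__":
    status, headers, _ = serve_download(SAMPLE_ENTRY["path"], SAMPLE_ENTRY["body"])
    print(status, headers["Content-Disposition"])
    status, headers, _ = serve_archive_entry(SAMPLE_ENTRY["path"], SAMPLE_ENTRY["body"])
    print(status)
```

      Run as a script it prints the attachment header for the sample entry and a 403 for the browse request; passing enabled=True to serve_archive_entry shows the inline text/html response that the moderation caveat is about.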

    People

    • Assignee: Yossi Shaul (yossis)
    • Reporter: Yoav Landman (yoavl)
