JFrog Artifactory repository manager vulnerability allows cache poisoning attack
Take action: If you are running JFrog Artifactory on-premise, disable anonymous access or remove the Deploy/Cache permissions that the Anonymous account holds on remote repositories, then patch your instances. If you cannot disable the permissions, apply the patch immediately.
Learn More
A critical vulnerability, tracked as CVE-2024-6915 (CVSS score 9.3), has been identified in JFrog Artifactory, a widely used repository manager.
The vulnerability is classified under CWE-20 (Improper Input Validation) and enables attackers to poison artifact caches, injecting malicious code into the repository. The vulnerability affects multiple versions of JFrog Artifactory:
- Versions below 7.90.6
- Versions below 7.84.20
- Versions below 7.77.14
- Versions below 7.71.23
- Versions below 7.68.22
- Versions below 7.63.22
- Versions below 7.59.23
- Versions below 7.55.18
Cloud environments of JFrog Artifactory have already been updated with the necessary security controls, so no action is required from cloud-only users.
The vulnerability is fixed in the following versions of JFrog Artifactory:
- Version 7.90.6
- Version 7.84.20
- Version 7.77.14
- Version 7.71.23
- Version 7.68.22
- Version 7.63.22
- Version 7.59.23
- Version 7.55.18
As a mitigating measure, users should:
- Disable anonymous access
- Remove Deploy/Cache permissions for remote repositories for the Anonymous account
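The following audit script is an added example (not JFrog's code) that shows how to check for the second mitigation offline: it walks permission-target records in the JSON shape returned by Artifactory's `GET /api/security/permissions/<name>` endpoint and flags any remote repository where the `anonymous` user holds a write-class permission (`w` = Deploy/Cache, `d` = delete, `m` = admin). The sample records and repository keys are constructed, and the `<key>-cache` alias handling is an assumption about how remote repositories may be named in permission targets.

```python
"""Audit Artifactory permission targets for Anonymous Deploy/Cache rights on remote repos.

Constructed sample data below mirrors the JSON shape of the Artifactory REST API
permission-target endpoint (GET /api/security/permissions/<name>). Permission
letters: r=read, w=deploy/cache, d=delete, n=annotate, m=admin.
"""
import json

# Permission codes that let a principal write into a repository (and thus its cache).
WRITE_CODES = {"w", "d", "m"}
ANON_USER = "anonymous"

# Constructed sample: one target grants anonymous deploy on two remote repositories.
SAMPLE_TARGETS = json.loads("""[
 {"name": "readers", "repositories": ["libs-release-local", "maven-remote"],
  "principals": {"users": {"anonymous": ["r"]}, "groups": {"readers": ["r"]}}},
 {"name": "populate-caches", "repositories": ["maven-remote", "npm-remote-cache"],
  "principals": {"users": {"anonymous": ["r", "w"]}, "groups": {}}},
 {"name": "ci-deploy", "repositories": ["libs-release-local"],
  "principals": {"users": {"ci-bot": ["r", "w", "d"]}, "groups": {}}}
]""")

# Constructed sample of remote repository keys (as listed by GET /api/repositories?type=remote).
SAMPLE_REMOTE_KEYS = ["maven-remote", "npm-remote"]


def is_remote_repo(repo: str, remote_keys) -> bool:
    """True if a permission-target repository entry refers to a remote repository.
    Assumption: the entry may use the remote key itself or a '<key>-cache' alias."""
    return repo in remote_keys or (repo.endswith("-cache") and repo[:-6] in remote_keys)


def anonymous_remote_writes(targets, remote_keys):
    """Return (target name, repo, sorted permission codes) for every remote repository
    on which the anonymous user directly holds a write-class permission.
    Group memberships of the anonymous user are not resolved here."""
    findings = []
    for target in targets:
        codes = set(target.get("principals", {}).get("users", {}).get(ANON_USER, []))
        risky = sorted(codes & WRITE_CODES)
        if not risky:
            continue
        for repo in target.get("repositories", []):
            if is_remote_repo(repo, remote_keys):
                findings.append((target["name"], repo, risky))
    return findings


if __name__ == "__main__":
    for name, repo, codes in anonymous_remote_writes(SAMPLE_TARGETS, SAMPLE_REMOTE_KEYS):
        print(f"target {name!r} grants anonymous {codes} on remote repo {repo!r}: remove it")
```

An empty result for every permission target, together with anonymous access disabled, means the advisory's interim mitigation is in place while patching proceeds.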