
JFrog Artifactory Flaw Let Attackers Poison Artifact Caches


Jan 18, 2026 · 2 min read

A critical vulnerability identified as CVE-2024-6915 has been discovered in JFrog Artifactory, a widely used repository manager.

This flaw, categorized under CWE-20 (Improper Input Validation), allows attackers to poison artifact caches, potentially leading to severe security breaches.

CVE-2024-6915: Cache Poisoning

The vulnerability has been marked as ‘Critical’ and was published and updated on August 5, 2024. The flaw affects multiple versions of JFrog Artifactory, specifically those below versions 7.90.6, 7.84.20, 7.77.14, 7.71.23, 7.68.22, 7.63.22, 7.59.23, and 7.55.18.


Affected Products

The following table outlines the affected versions and their corresponding patched versions:

| Product | Affected Version | Patched Version |
|---|---|---|
| Artifactory | < 7.90.6 | 7.90.6 |
| Artifactory | < 7.84.20 | 7.84.20 |
| Artifactory | < 7.77.14 | 7.77.14 |
| Artifactory | < 7.71.23 | 7.71.23 |
| Artifactory | < 7.68.22 | 7.68.22 |
| Artifactory | < 7.63.22 | 7.63.22 |
| Artifactory | < 7.59.23 | 7.59.23 |
| Artifactory | < 7.55.18 | 7.55.18 |

Cloud environments have already been updated with the necessary security controls, requiring no user action. However, cloud customers with hybrid deployments must upgrade their on-premise Edge instances.
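The following Python sketch is an added example, not code from JFrog or the original article: it triages a self-hosted version inventory against the fixed builds in the table above, comparing each version within its own release line. The host names and versions are constructed, and treating a release line that has no fixed build of its own as affected is an assumption the article does not state.

```python
import re

# Fixed builds from the table above, keyed by (major, minor) release line.
PATCHED = {
    (7, 90): 6, (7, 84): 20, (7, 77): 14, (7, 71): 23,
    (7, 68): 22, (7, 63): 22, (7, 59): 23, (7, 55): 18,
}
NEWEST_LINE = max(PATCHED)

def parse_version(text):
    """Parse 'X.Y.Z' into integers; string comparison would misorder 7.9 and 7.90."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(text):
    """Return (status, minimum fixed version to move to, or None)."""
    major, minor, patch = parse_version(text)
    line = (major, minor)
    if line > NEWEST_LINE:
        # Newer than every line in the table: the article lists no affected build.
        return ("not-listed", None)
    if line in PATCHED:
        fixed = PATCHED[line]
        if patch >= fixed:
            return ("patched", None)
        return ("affected", f"{major}.{minor}.{fixed}")
    # Assumption (not stated in the article): a line without its own fixed build
    # is affected and must move up to the next listed line.
    up = min(l for l in PATCHED if l > line)
    return ("affected", f"{up[0]}.{up[1]}.{PATCHED[up]}")

def affected_hosts(inventory):
    """Map host -> fixed version for every affected entry in the inventory."""
    result = {}
    for host, version in inventory.items():
        status, target = triage(version)
        if status == "affected":
            result[host] = target
    return result

# Constructed sample inventory (hypothetical host names and versions).
SAMPLE = {"repo-a": "7.84.14", "repo-b": "7.90.6", "edge-c": "7.85.3", "repo-d": "7.9.2"}

if __name__ == "__main__":
    for host, target in sorted(affected_hosts(SAMPLE).items()):
        print(f"{host}: upgrade to at least {target}")
```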

To mitigate the risk, it is recommended to disable anonymous access or remove Deploy/Cache permissions for remote repositories for the Anonymous account.

Michael Stepankin (artsploit) from the GitHub Security Lab discovered and reported this critical issue. Stay tuned for more updates on this developing story.

Source: CybersecurityNews.com
