A critical vulnerability identified as CVE-2024-6915 has been discovered in JFrog Artifactory, a widely used repository manager.
This flaw, categorized under CWE-20 (Improper Input Validation), allows attackers to poison artifact caches, potentially leading to severe security breaches.
The vulnerability has been marked as ‘Critical’ and was published and updated on August 5, 2024. The flaw affects multiple versions of JFrog Artifactory, specifically those below versions 7.90.6, 7.84.20, 7.77.14, 7.71.23, 7.68.22, 7.63.22, 7.59.23, and 7.55.18.
How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide
Affected Products
The following table outlines the affected versions and their corresponding patched versions:
| Product | Affected Version | Patched Version |
| Artifactory | < 7.90.6 | 7.90.6 |
| Artifactory | < 7.84.20 | 7.84.20 |
| Artifactory | < 7.77.14 | 7.77.14 |
| Artifactory | < 7.71.23 | 7.71.23 |
| Artifactory | < 7.68.22 | 7.68.22 |
| Artifactory | < 7.63.22 | 7.63.22 |
| Artifactory | < 7.59.23 | 7.59.23 |
| Artifactory | < 7.55.18 | 7.55.18 |
Cloud environments have already been updated with the necessary security controls, requiring no user action. However, cloud customers with hybrid deployments must upgrade their on-premise Edge instances.
To mitigate the risk, it is recommended to disable anonymous access or remove Deploy/Cache permissions for remote repositories for the Anonymous account.
Michael Stepankin (artsploit) from the GitHub Security Lab discovered and reported this critical issue. Stay tuned for more updates on this developing story.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access