CVE-2021-41834: Artifactory Broken Access Control on Copy Artifact - JFrog

JFrog Artifactory prior to versions 7.28.0 and 6.23.38 is vulnerable to Broken Access Control: the copy functionality can be used by a low-privileged user to read and copy any artifact that exists in the Artifactory deployment, due to improper permissions validation.
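As an added illustration of the weakness class named by this advisory (CWE-284, an access check missing on the source side of a copy operation), and not code from JFrog or from the Artifactory product, the constructed in-memory artifact store below exposes a copy operation twice: once checking only the destination, and once checking read on the source as well as deploy on the destination before any data is touched. Repository names, users and permission grants are assumptions made for the example.

```python
# Added illustration (not JFrog's code): a minimal in-memory artifact store
# whose copy operation is shown in a weak form and a hardened form.
# Repositories, users and grants below are constructed for the example.
from dataclasses import dataclass, field


@dataclass
class Principal:
    name: str
    # repo name -> set of granted permissions ("read", "deploy")
    grants: dict = field(default_factory=dict)

    def can(self, permission: str, repo: str) -> bool:
        return permission in self.grants.get(repo, set())


class ArtifactStore:
    def __init__(self):
        # repo name -> {artifact path: content}
        self.repos = {}

    def put(self, repo: str, path: str, content: bytes) -> None:
        self.repos.setdefault(repo, {})[path] = content

    def get(self, repo: str, path: str) -> bytes:
        return self.repos[repo][path]

    def copy_weak(self, user, src_repo, src_path, dst_repo, dst_path):
        # Weak form: only the destination is authorized. The source is read
        # with the store's own unrestricted access, so any artifact whose
        # location is known can be pulled into a repo the caller can deploy to.
        if not user.can("deploy", dst_repo):
            raise PermissionError("deploy denied on destination")
        self.put(dst_repo, dst_path, self.get(src_repo, src_path))

    def copy_checked(self, user, src_repo, src_path, dst_repo, dst_path):
        # Hardened form: the caller must hold read on the source AND deploy
        # on the destination, and both checks run before any data access.
        if not user.can("read", src_repo):
            raise PermissionError("read denied on source")
        if not user.can("deploy", dst_repo):
            raise PermissionError("deploy denied on destination")
        self.put(dst_repo, dst_path, self.get(src_repo, src_path))


SECRET = b"constructed secret artifact"


def demo():
    """Return (weak_leaked, hardened_blocked) for a low-privileged user who
    has read+deploy on their own 'scratch' repo and no grant on 'release'."""
    low = Principal("contractor", {"scratch": {"read", "deploy"}})

    weak = ArtifactStore()
    weak.put("release", "app/config.tgz", SECRET)
    try:
        weak.copy_weak(low, "release", "app/config.tgz", "scratch", "copied.tgz")
        weak_leaked = weak.get("scratch", "copied.tgz") == SECRET
    except PermissionError:
        weak_leaked = False

    hardened = ArtifactStore()
    hardened.put("release", "app/config.tgz", SECRET)
    try:
        hardened.copy_checked(low, "release", "app/config.tgz", "scratch", "copied.tgz")
        hardened_blocked = False
    except PermissionError:
        hardened_blocked = "copied.tgz" not in hardened.repos.get("scratch", {})

    return weak_leaked, hardened_blocked


if __name__ == "__main__":
    print(demo())  # (True, True): the weak copy leaks, the checked copy refuses
```

The design point is that a copy is two operations, a read of the source and a write to the destination, and each needs its own authorization against the caller's grants rather than the service's own privileges; ordering the checks before any data access also keeps a denied call from leaving a partial copy behind.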


How to fix

Cloud Environments

Affected Cloud environments have already been fortified with a fixed version. No action is required for cloud instances.

Self Hosted Environments

To fix this issue, action is required.

Upgrade your version of Artifactory or Edge to one of the versions listed below:

Workarounds and Mitigations

There aren't any suggested workarounds for this issue besides upgrading to a fixed version.

Weakness Type

CWE-284: Improper Access Control

Acknowledgements

Maxime Escourbiac and Maxence Schmitt at Michelin CERT.

We Are Here For Your Questions (JFrog Support Team)

If you have questions or concerns regarding this advisory, please raise a support request at the JFrog support portal.

Related news

CVE-2022-0573: JFrog Security Advisories - JFrog

JFrog Artifactory before 7.36.1 and 6.23.41 is vulnerable to Insecure Deserialization of untrusted data, which can lead to DoS, Privilege Escalation and Remote Code Execution when a specially crafted request is sent by a low-privileged authenticated user, due to insufficient validation of a user-provided serialized object.
