CVE-2024-6915 - Vulnerability Details - OpenCVE

JFrog Artifactory versions below 7.90.6, 7.84.20, 7.77.14, 7.71.23, 7.68.22, 7.63.22, 7.59.23, 7.55.18 are vulnerable to Improper Input Validation that could potentially lead to cache poisoning.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0008.

Exploitation none

Automatable yes

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

JFrog

Artifactory

unaffected

Version	Status	Constraints
`0`	affected	< 7.90.6
`0`	affected	< 7.84.20
`0`	affected	< 7.77.14
`0`	affected	< 7.71.23
`0`	affected	< 7.68.22
`0`	affected	< 7.63.22
`0`	affected	< 7.59.23
`0`	affected	< 7.55.18

No data.

No data.

No data.

Subscriptions

Vendors	Products
Jfrog Subscribe	Artifactory Subscribe

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-47902	JFrog Artifactory versions below 7.90.6, 7.84.20, 7.77.14, 7.71.23, 7.68.22, 7.63.22, 7.59.23, 7.55.18 are vulnerable to Improper Input Validation that could potentially lead to cache poisoning.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories

History

No history.

MITRE

Status: PUBLISHED

Assigner: JFROG

Published: 2024-08-05T19:34:31.571Z

Updated: 2024-08-06T14:01:18.510Z

Reserved: 2024-07-19T10:25:52.696Z

Link: CVE-2024-6915

Vulnrichment

Updated: 2024-08-06T13:56:31.079Z

NVD

Status : Awaiting Analysis

Published: 2024-08-05T20:15:36.927

Modified: 2024-08-06T16:30:24.547

Link: CVE-2024-6915

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-20

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6915", "assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "state": "PUBLISHED", "assignerShortName": "JFROG", "dateReserved": "2024-07-19T10:25:52.696Z", "datePublished": "2024-08-05T19:34:31.571Z", "dateUpdated": "2024-08-06T14:01:18.510Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Artifactory", "vendor": "JFrog", "versions": [{"lessThan": "7.90.6", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "7.84.20", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "7.77.14", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "7.71.23", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "7.68.22", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "7.63.22", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "7.59.23", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "7.55.18", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Michael Stepankin (artsploit) from GitHub Security Lab"}], "datePublic": "2024-08-05T18:24:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>JFrog Artifactory versions below 7.90.6, 7.84.20, 7.77.14, 7.71.23, 7.68.22, 7.63.22, 7.59.23, 7.55.18 are vulnerable to Improper Input Validation that could potentially lead to cache poisoning.</p>"}], "value": "JFrog Artifactory versions below 7.90.6, 7.84.20, 7.77.14, 7.71.23, 7.68.22, 7.63.22, 7.59.23, 7.55.18 are vulnerable to Improper Input Validation that could potentially lead to cache poisoning."}], "impacts": [{"capecId": "CAPEC-141", "descriptions": [{"lang": "en", "value": "CAPEC-141 Cache Poisoning"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "shortName": "JFROG", "dateUpdated": "2024-08-05T19:34:31.571Z"}, "references": [{"url": "https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories"}], "source": {"discovery": "EXTERNAL"}, "title": "JFrog Artifactory Cache Poisoning", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "jfrog", "product": "artifactory", "cpes": ["cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.90.6", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "7.84.20", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "7.77.14", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "7.71.23", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "7.68.22", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "7.63.22", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "7.59.23", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "7.55.18", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-06T13:54:56.350517Z", "id": "CVE-2024-6915", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-06T14:01:18.510Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6915", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-06T13:54:56.350517Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:*"], "vendor": "jfrog", "product": "artifactory", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "7.90.6"}, {"status": "affected", "version": "0", "lessThan": "7.84.20", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "7.77.14", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "7.71.23", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "7.68.22", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "7.63.22", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "7.59.23", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "7.55.18", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-06T13:56:31.079Z"}}], "cna": {"title": "JFrog Artifactory Cache Poisoning", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Michael Stepankin (artsploit) from GitHub Security Lab"}], "impacts": [{"capecId": "CAPEC-141", "descriptions": [{"lang": "en", "value": "CAPEC-141 Cache Poisoning"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "JFrog", "product": "Artifactory", "versions": [{"status": "affected", "version": "0", "lessThan": "7.90.6", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "7.84.20", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "7.77.14", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "7.71.23", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "7.68.22", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "7.63.22", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "7.59.23", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "7.55.18", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2024-08-05T18:24:00.000Z", "references": [{"url": "https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "JFrog Artifactory versions below 7.90.6, 7.84.20, 7.77.14, 7.71.23, 7.68.22, 7.63.22, 7.59.23, 7.55.18 are vulnerable to Improper Input Validation that could potentially lead to cache poisoning.", "supportingMedia": [{"type": "text/html", "value": "<p>JFrog Artifactory versions below 7.90.6, 7.84.20, 7.77.14, 7.71.23, 7.68.22, 7.63.22, 7.59.23, 7.55.18 are vulnerable to Improper Input Validation that could potentially lead to cache poisoning.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "shortName": "JFROG", "dateUpdated": "2024-08-05T19:34:31.571Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6915", "state": "PUBLISHED", "dateUpdated": "2024-08-06T14:01:18.510Z", "dateReserved": "2024-07-19T10:25:52.696Z", "assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "datePublished": "2024-08-05T19:34:31.571Z", "assignerShortName": "JFROG"}, "dataVersion": "5.1"}