Coordinated Disclosure Timeline

Summary

JFrog Artifactory is affected by an improper input validation vulnerability that allows artifact cache poisoning. This vulnerability only affects Artifactory instances that have at least one proxy (remote) repository.
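Because the advisory scopes the issue to instances with at least one proxy repository, the first thing an operator wants is an inventory of such repositories. The script below is an added example (not GHSL's or JFrog's code) that lists them through Artifactory's repository listing REST endpoint; it assumes the instance base URL and an access token are provided in the environment variables ARTIFACTORY_URL and ARTIFACTORY_TOKEN, and that the endpoint returns a JSON array of objects whose "type" field is "REMOTE" for proxy repositories. The constructed sample response lets it run offline.

```python
# Added example: inventory the remote ("proxy") repositories of an
# Artifactory instance to decide whether it is in scope for the advisory.
# Not code from GHSL or JFrog. Assumptions: ARTIFACTORY_URL / ARTIFACTORY_TOKEN
# environment variables; GET /artifactory/api/repositories returns a JSON
# array of {"key", "type", "url", "packageType"} objects, "type" == "REMOTE"
# for proxy repositories.
import json
import os
import urllib.request


def remote_repo_keys(repos_json: str) -> list:
    """Return the sorted keys of repositories whose type is REMOTE.

    The comparison is case-insensitive so a differently cased "type"
    value in the response does not cause a proxy repository to be missed.
    """
    repos = json.loads(repos_json)
    return sorted(
        r["key"] for r in repos
        if str(r.get("type", "")).upper() == "REMOTE"
    )


def in_scope(repos_json: str) -> bool:
    """True when the instance has at least one proxy repository."""
    return bool(remote_repo_keys(repos_json))


def fetch_repositories(base_url: str, token: str) -> str:
    """Fetch the raw JSON body of the repository listing (needs network access)."""
    url = f"{base_url.rstrip('/')}/artifactory/api/repositories"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response, shaped like the repository listing.
SAMPLE_RESPONSE = json.dumps([
    {"key": "libs-release-local", "type": "LOCAL", "url": "https://example.invalid/artifactory/libs-release-local", "packageType": "Maven"},
    {"key": "maven-remote", "type": "REMOTE", "url": "https://example.invalid/artifactory/maven-remote", "packageType": "Maven"},
    {"key": "npm-remote", "type": "REMOTE", "url": "https://example.invalid/artifactory/npm-remote", "packageType": "Npm"},
    {"key": "libs-virtual", "type": "VIRTUAL", "url": "https://example.invalid/artifactory/libs-virtual", "packageType": "Maven"},
])


if __name__ == "__main__":
    base = os.environ.get("ARTIFACTORY_URL")
    token = os.environ.get("ARTIFACTORY_TOKEN")
    body = fetch_repositories(base, token) if base and token else SAMPLE_RESPONSE
    keys = remote_repo_keys(body)
    if keys:
        print("In scope: proxy repositories present:", ", ".join(keys))
    else:
        print("No proxy repositories found; instance is outside the advisory's stated scope.")
```

Run it with ARTIFACTORY_URL and ARTIFACTORY_TOKEN set to query a live instance; without them it evaluates the embedded sample. Virtual repositories that aggregate a remote repository do not appear in the list themselves, so review the remote repositories directly rather than the virtual ones that front them.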

Project

JFrog Artifactory OSS & Pro

Tested Version

OSS: v7.77.6
Pro: v7.91.2 (latest cloud version)

Details

Artifact cache poisoning (GHSL-2024-160)

Due to the criticality of the issue, we will provide the full technical details at a later date.

CVE

Credit

This issue was discovered and reported by GHSL team member @artsploit (Michael Stepankin).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2024-160 in any communication regarding this issue.