CVE-2024-6915 (CVSS 9.3): JFrog Artifactory Flaw Exposes Software Supply Chains to Cache Poisoning
JFrog, a leading provider of software artifact management solutions, has issued a critical security advisory for its Artifactory platform. The vulnerability, identified as CVE-2024-6915 (CVSS 9.3), affects multiple versions of JFrog Artifactory and could allow attackers to poison artifact caches, potentially compromising the integrity of software deployed from these repositories.
Cache Poisoning: A Stealthy Threat to the Software Supply Chain
Cache poisoning is an attack in which a malicious actor replaces the cached copy of a software artifact with a tainted one. Because the repository serves that cached copy to every developer or build system that fetches the artifact afterwards, a single poisoned entry can introduce vulnerabilities or backdoors into many downstream builds before anyone notices. The consequences are far-reaching: compromised applications, and potentially data breaches or system takeovers.
Who’s Affected and How to Fix
The CVE-2024-6915 vulnerability affects a wide range of JFrog Artifactory versions, including those used in both self-hosted and cloud environments.
| Product | Affected Version | Patched Version |
|---|---|---|
| Artifactory | < 7.90.6 | 7.90.6 |
| Artifactory | < 7.84.20 | 7.84.20 |
| Artifactory | < 7.77.14 | 7.77.14 |
| Artifactory | < 7.71.23 | 7.71.23 |
| Artifactory | < 7.68.22 | 7.68.22 |
| Artifactory | < 7.63.22 | 7.63.22 |
| Artifactory | < 7.59.23 | 7.59.23 |
| Artifactory | < 7.55.18 | 7.55.18 |
Self-hosted Artifactory users are urged to apply the security patches available from JFrog immediately. Cloud instances have already been updated by JFrog, but customers with hybrid deployments where their Edge node resides on-premises will need to upgrade their Edge instances.
As a temporary mitigation for self-hosted users who cannot upgrade immediately, JFrog recommends either disabling anonymous access entirely or removing the Deploy/Cache permission on remote repositories from the Anonymous account.
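Two checks that follow from the version table and the mitigation above, written here as an added example rather than code from JFrog or the advisory: a branch-aware test of whether an installed Artifactory version is below its patched release, and a scan of a permission target for the Anonymous Deploy/Cache grant on remote repositories that the workaround tells you to remove. The permission-target layout (`repositories`, `principals.users.anonymous`, the `w` flag for Deploy/Cache, remote repositories appearing as `<key>-cache` or under the `ANY`/`ANY REMOTE` wildcards) is assumed, not taken from the advisory.

```python
from typing import Iterable

# Patched versions from the advisory table, keyed by (major, minor) branch.
PATCHED = {
    (7, 90): (7, 90, 6), (7, 84): (7, 84, 20), (7, 77): (7, 77, 14),
    (7, 71): (7, 71, 23), (7, 68): (7, 68, 22), (7, 63): (7, 63, 22),
    (7, 59): (7, 59, 23), (7, 55): (7, 55, 18),
}
LATEST_FIX = max(PATCHED.values())  # 7.90.6, the newest patched release


def parse_version(text: str) -> tuple:
    """Turn '7.84.3' (or '7.84.3-m001', with a build suffix) into (7, 84, 3)."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def is_affected(version: str) -> bool:
    """A build is fixed if it is at or above the patch for its own maintenance
    branch; a build on a branch the table does not list is fixed only if it is
    at or above the newest patched release. Everything else is affected."""
    v = parse_version(version)
    branch_fix = PATCHED.get(v[:2])
    return v < (branch_fix if branch_fix is not None else LATEST_FIX)


def anonymous_cache_grants(target: dict, remote_keys: Iterable[str]) -> list:
    """List the remote repositories on which a permission target grants the
    Anonymous user Deploy/Cache ('w'), i.e. the grants the mitigation removes.
    Assumed layout: {"repositories": [...], "principals": {"users": {...}}},
    with remote repos named '<key>-cache' or covered by 'ANY' / 'ANY REMOTE'."""
    users = target.get("principals", {}).get("users", {})
    if "w" not in users.get("anonymous", []):
        return []
    repos = set(target.get("repositories", []))
    if repos & {"ANY", "ANY REMOTE"}:
        return sorted(remote_keys)
    return sorted(k for k in remote_keys if k in repos or f"{k}-cache" in repos)


# Constructed sample data, not taken from any real deployment.
SAMPLE_TARGET = {
    "name": "anon-readers",
    "repositories": ["npm-remote-cache", "libs-release-local"],
    "principals": {"users": {"anonymous": ["r", "w"]}},
}
SAMPLE_REMOTES = ["npm-remote", "pypi-remote"]
```

Note that a build on an unlisted branch such as 7.80.x is reported as affected even though no row names it, because the table's top row covers everything below 7.90.6.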
JFrog acknowledges and thanks Michael Stepankin (artsploit) from GitHub Security Lab for discovering and responsibly disclosing this vulnerability.