Lucene search

JFROGCVELIST:CVE-2024-2248

HistoryMay 15, 2024 - 1:13 p.m.

CVE-2024-2248 JFrog Artifactory Header Injection

2024-05-1513:13:29

CWE-20

JFROG

www.cve.org

jfrog artifactory

header injection

vulnerability

account takeover

crafted url

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H

AI Score

6.7

Confidence

High

EPSS

Percentile

9.0%

JSON

A Header Injection vulnerability in the JFrog platform in versions below 7.85.0 (SaaS) and 7.84.7 (Self-Hosted) may allow threat actors to take over the end user’s account when clicking on a specially crafted URL sent to the victim’s user email.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Artifactory",
    "vendor": "JFrog",
    "versions": [
      {
        "lessThan": "7.85.0",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      },
      {
        "lessThan": "7.84.7",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

References

jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H

AI Score

6.7

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for CVELIST:CVE-2024-2248