Lucene search

K
vulnrichmentJFROGVULNRICHMENT:CVE-2023-42662
HistoryMar 07, 2024 - 8:29 a.m.

CVE-2023-42662 JFrog Artifactory Improper SSO Mechanism may lead to Exposure of Access Tokens

2024-03-0708:29:03
CWE-287
JFROG
github.com
2
jfrog artifactory
sso
exposure

CVSS3

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

AI Score

6.8

Confidence

Low

SSVC

Exploitation

none

Automatable

no

Technical Impact

total

JFrog Artifactory versions 7.59 and above, but below 7.59.18, 7.63.18, 7.68.19, 7.71.8 are vulnerable to an issue whereby user interaction with specially crafted URLs could lead to exposure of user access tokens due to improper handling of the CLI / IDE browser based SSO integration.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:*:*:*"
    ],
    "vendor": "jfrog",
    "product": "artifactory",
    "versions": [
      {
        "status": "affected",
        "version": "7.59",
        "lessThan": "7.59.18",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "7.59",
        "lessThan": "7.63.18",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "7.59",
        "lessThan": "7.68.19",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "7.59",
        "lessThan": "7.71.8",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]

CVSS3

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

AI Score

6.8

Confidence

Low

SSVC

Exploitation

none

Automatable

no

Technical Impact

total

Related for VULNRICHMENT:CVE-2023-42662