CVE-2018-1000206: Cross-Site Request Forgery in Artifactory

Severity: 8.8 HIGH (NVD)
EPSS: 0.2% (top 56.61%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jul 13
Latest update: May 14

Description

JFrog Artifactory versions since 5.11 contain a Cross-Site Request Forgery (CSRF) vulnerability in the UI REST endpoints that can result in a classic CSRF attack, allowing an attacker to perform actions as the logged-in user. The attack appears to be exploitable when the victim runs a maliciously crafted Flash component. This vulnerability appears to have been fixed in 6.1.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (1 package)

NVD | jfrog/artifactory | 5.11.0 | 6.1.0


Vulnerability Details (3)

GHSA
GHSA-hqm8-r6qj-h62q: JFrog Artifactory version since 5 (2022-05-14)
OSV
htslib vulnerabilities (2021-03-15)
CVEList
CVE-2018-1000206: JFrog Artifactory version since 5 (2018-07-13)