JFrog < 7.10.1 Multiple Vulnerabilities

Nessus Plugin ID 144307 (Critical)

Synopsis

Determines if the remote JFrog Artifactory installation is affected by multiple vulnerabilities

Description

According to its self-reported version number, the version of JFrog Artifactory installed on the remote host is prior to 7.10.1. It is, therefore, affected by multiple vulnerabilities:

- XStream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any other supported format, e.g. JSON. (CVE-2013-7285)

- Multiple XML external entity (XXE) vulnerabilities in the Dom4JDriver, DomDriver, JDomDriver, JDom2Driver, SjsxpDriver, StandardStaxDriver, and WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document. (CVE-2016-3674)

- XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML call. (CVE-2017-7957)

- The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress. (CVE-2019-12402)

- The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability. (CVE-2019-20104)

- Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time. (CVE-2020-15586)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to JFrog Artifactory 7.10.1 or later.

See Also

http://www.nessus.org/u?8dc55d3d

Plugin Details

Severity: Critical

ID: 144307

File Name: jfrog_artifactory_7_10_1.nasl

Version: 1.4

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 12/16/2020

Updated: 3/12/2021

Dependencies: jfrog_artifactory_win_installed.nbin, jfrog_artifactory_nix_installed.nbin, os_fingerprint.nasl

Risk Information

CVSS Score Source: CVE-2013-7285

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:jfrog:artifactory

Required KB Items: installed_sw/Artifactory

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/11/2020

Vulnerability Publication Date: 5/15/2019

Reference Information

CVE: CVE-2013-7285, CVE-2016-3674, CVE-2017-7957, CVE-2019-12402, CVE-2019-20104, CVE-2020-15586