| Summary: | dev-util/artifactory-bin: multiple vulnerabilities |
|---|---|
| Product: | Gentoo Security |
| Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | trivial |
| CC: | holger, maintainer-needed |
| Priority: | Normal |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| Whiteboard: | ~1 [noglsa] |
| Package list: | |
| Runtime testing required: | --- |
Description
John Helmert III
2022-03-02 23:43:21 UTC
CVE-2022-0573 (https://www.jfrog.com/confluence/display/JFROG/JFrog+Security+Advisories): https://www.jfrog.com/confluence/display/JFROG/CVE-2022-0573%3A+Artifactory+Vulnerable+to+Deserialization+of+Untrusted+Data
JFrog Artifactory before 7.36.1 and 6.23.41 is vulnerable to Insecure Deserialization of untrusted data which can lead to DoS, Privilege Escalation and Remote Code Execution when a specially crafted request is sent by a low privileged authenticated user due to insufficient validation of a user-provided serialized object.

CVE-2021-45730 (https://www.jfrog.com/confluence/display/JFROG/CVE-2021-45730%3A+Artifactory+Broken+Access+Control+on+Repository+Layouts+Configuration):
JFrog Artifactory prior to 7.31.10 is vulnerable to Broken Access Control where a Project Admin is able to create, edit and delete Repository Layouts while Repository Layouts configuration should only be available for Platform Administrators.

CVE-2021-41834 (https://www.jfrog.com/confluence/display/JFROG/CVE-2021-41834%3A+Artifactory+Broken+Access+Control+on+Copy+Artifact):
JFrog Artifactory prior to version 7.28.0 and 6.23.38 is vulnerable to Broken Access Control: the copy functionality can be used by a low-privileged user to read and copy any artifact that exists in the Artifactory deployment due to improper permissions validation.

CVE-2021-45721 (https://www.jfrog.com/confluence/display/JFROG/CVE-2021-45721%3A+Cross-Site+Script+%28XSS%29+on+User+REST+API):
JFrog Artifactory prior to version 7.29.8 and 6.23.38 is vulnerable to Reflected Cross-Site Scripting (XSS) through one of the XHR parameters in Users REST API endpoint. This issue affects: JFrog JFrog Artifactory JFrog Artifactory versions before 7.36.1 versions prior to 7.29.8; JFrog Artifactory versions before 6.23.41 versions prior to 6.23.38.

CVE-2021-23163 (https://www.jfrog.com/confluence/display/JFROG/CVE-2021-23163%3A++Cross-Site+Request+Forgery+on+REST+using+Basic+Auth):
JFrog Artifactory prior to version 7.33.6 and 6.23.38 is vulnerable to CSRF (Cross-Site Request Forgery) for specific endpoints. This issue affects: JFrog JFrog Artifactory JFrog Artifactory versions before 7.33.6 versions prior to 7.x; JFrog Artifactory versions before 6.23.38 versions prior to 6.x.

CVE-2021-46687 (https://www.jfrog.com/confluence/display/JFROG/CVE-2021-46687%3A+Sensitive+data+exposure+on+proxy+endpoint+for+Project+Admin):
JFrog Artifactory prior to version 7.31.10 and 6.23.38 is vulnerable to Sensitive Data Exposure through the Project Administrator REST API. This issue affects: JFrog JFrog Artifactory JFrog Artifactory versions before 7.31.10 versions prior to 7.x; JFrog Artifactory versions before 6.23.38 versions prior to 6.x.

CVE-2022-0668 (https://www.jfrog.com/confluence/display/JFROG/CVE-2022-0668%3A+Artifactory+Authentication+Bypass):
JFrog Artifactory prior to 7.37.13 is vulnerable to Authentication Bypass, which can lead to Privilege Escalation when a specially crafted request is sent by an unauthenticated user.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3ed4277075ca3068f3926490fefd39bcb2a3b81

commit d3ed4277075ca3068f3926490fefd39bcb2a3b81
Author: John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-01-08 17:36:22 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-08 17:36:50 +0000

    profiles: last rite artifactory-bin

    Bug: https://bugs.gentoo.org/834501
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)

I never knew that artifactory had a free-to-use OSS version for self-hosting and completely missed the fact that we even had an ebuild!
This is great since the latest version uses & requires JDK-17 (yay) and that would mean I can finally retire my JDK-8-only Nexus-2.x installation. I'll see if I can get the ebuild updated to the latest version (7.49.3) and could then become proxy-maintainer, which shouldn't require much effort except for the occasional update.

I'm currently preparing a GH PR to update to the last 6.x version (6.23.42, published 2022-04-14) which addresses the latest CVE and should provide immediate relief without requiring migration/updates etc. An update to 7.x will have to wait a bit longer since the upstream packaging has changed significantly and will require more complicated ebuild surgery.

Sorry to say but after spending several days on this I'm throwing in the towel. Even just updating to the latest/last 6.x release is such a byzantine, fragile process (the existing ebuild does not work at all anymore) that I could get it barely working; on top of that the product itself is just terrible. Sorry. :(

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30de2e29401ee94f26cb08780d6ad7ed4f146dca

commit 30de2e29401ee94f26cb08780d6ad7ed4f146dca
Author: Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2023-02-12 10:37:32 +0000
Commit: Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2023-02-12 18:33:08 +0000

    dev-util/artifactory-bin: treeclean

    Bug: https://bugs.gentoo.org/834501
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 dev-util/artifactory-bin/Manifest              |   1 -
 .../artifactory-bin-6.3.3-r2.ebuild            | 110 --------------
 dev-util/artifactory-bin/files/artifactory.xml |   4 -
 dev-util/artifactory-bin/files/confd           |   5 -
 dev-util/artifactory-bin/files/initd-r3        | 165 ---------------------
 dev-util/artifactory-bin/files/server.xml      |  17 ---
 dev-util/artifactory-bin/metadata.xml          |   5 -
 profiles/package.mask                          |   5 -
 8 files changed, 312 deletions(-)

All done, thanks!
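As an added example (not part of this bug, the JFrog advisories, or the Gentoo ebuild), the following Python checker maps an installed Artifactory version to the CVEs listed in the description, using only the fixed versions quoted there; where the description names no fixed version for a release branch (the 6.x branch for CVE-2021-45730 and CVE-2022-0668) it reports "unknown" rather than guessing. The sample versions are the ones mentioned on this page (the tree's 6.3.3-r2 ebuild, the 6.23.42 and 7.49.3 releases).

```python
# Fixed versions per CVE and per major-version branch, copied from the advisory
# text quoted in the bug description. None = no fixed version listed on the page
# for that branch, so the checker answers "unknown" instead of inventing one.
FIXED_IN = {
    "CVE-2022-0573":  {7: "7.36.1",  6: "6.23.41"},
    "CVE-2021-45730": {7: "7.31.10", 6: None},
    "CVE-2021-41834": {7: "7.28.0",  6: "6.23.38"},
    "CVE-2021-45721": {7: "7.29.8",  6: "6.23.38"},
    "CVE-2021-23163": {7: "7.33.6",  6: "6.23.38"},
    "CVE-2021-46687": {7: "7.31.10", 6: "6.23.38"},
    "CVE-2022-0668":  {7: "7.37.13", 6: None},
}


def parse_version(version: str) -> tuple[int, ...]:
    """'6.3.3' or the ebuild's '6.3.3-r2' (Gentoo revision dropped) -> (6, 3, 3)."""
    base = version.split("-", 1)[0]
    return tuple(int(part) for part in base.split("."))


def cve_status(installed: str) -> dict[str, str]:
    """Return {CVE: 'vulnerable' | 'fixed' | 'unknown'} for one installed version.

    Comparison is numeric, component by component, within the installed
    major-version branch; a plain string compare would wrongly sort
    '6.3.3' after '6.23.41'.
    """
    ver = parse_version(installed)
    branch = ver[0]
    result = {}
    for cve, fixes in FIXED_IN.items():
        fix = fixes.get(branch)
        if fix is None:
            result[cve] = "unknown"
        elif ver < parse_version(fix):
            result[cve] = "vulnerable"
        else:
            result[cve] = "fixed"
    return result


def vulnerable_cves(installed: str) -> list[str]:
    """Only the CVEs the installed version is known (from this page) to be affected by."""
    return sorted(c for c, s in cve_status(installed).items() if s == "vulnerable")


if __name__ == "__main__":
    for v in ("6.3.3-r2", "6.23.42", "7.36.1", "7.49.3"):
        print(v, vulnerable_cves(v), cve_status(v))
```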