An issue occurred in JFrog Artifactory 6.7.3.If the administrator account is locked in the Artifactory console, the administrator account is used by default to reset the administrator account password.This is only allowed from direct connections from the server, but if the HTTP X-Forwarded-For HTTP theme is provided in the request, unspecified users will be able to access manage by passing the official IP address. You can sign in with your original credentials. Access management accounts request authentication for all users, including management accounts, using the Artifactory API, granting them full control over all controlled history.
Impact
A lot of information disclosure can happen.It is possible to change certain system files or information, but the attacker has no control over what can be changed, or the scope of what the attacker can affect is restricted.There is a decrease in efficiency or a disruption in the availability of resources.
Mitigation / Precaution
- In order to patch this vulnerability, please install the official patch JFrog Artifactory made available for supported, vulnerable instances.We suggest that you update JFrog Artifactory to a version greater than 6.7.3 in order to fix this vulnerability.
