Artifactory
CVE-2024-3505
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
JFrog Artifactory Self-Hosted versions below 7.77.3, are vulnerable to sensitive information disclosure whereby a low-privileged authenticated user can read the proxy configuration. This does not affect JFrog cloud deployments.
AnalysisAI
JFrog Artifactory Self-Hosted versions below 7.77.3, are vulnerable to sensitive information disclosure whereby a low-privileged authenticated user can read the proxy configuration. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. JFrog Artifactory Self-Hosted versions below 7.77.3, are vulnerable to sensitive information disclosure whereby a low-privileged authenticated user can read the proxy configuration. This does not affect JFrog cloud deployments. Affected products include: Jfrog Artifactory.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
More in Artifactory
View allAn issue was discovered in JFrog Artifactory 6.7.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely e
In JFrog Artifactory 5.x and 6.x, insecure FreeMarker template processing leads to remote code execution, e.g., by modif
JFrog Artifactory version since 5.11 contains a Cross ite Request Forgery (CSRF) vulnerability in UI rest endpoints that
JFrog Artifactory before 4.11 allows remote attackers to execute arbitrary code via an LDAP attribute with a crafted ser
JFrog Artifactory before 7.36.1 and 6.23.41, is vulnerable to Insecure Deserialization of untrusted data which can lead
JFrog Artifactory before 7.25.4 (Enterprise+ deployments only), is vulnerable to Blind SQL Injection by a low privileged
A missing permission check in Jenkins Artifactory Plugin 3.2.3 and earlier in various 'fillCredentialsIdItems' methods a
A missing permission check in Jenkins Artifactory Plugin 3.2.2 and earlier in ArtifactoryBuilder.DescriptorImpl#doTestCo
Jenkins Artifactory Plugin 3.6.0 and earlier transmits configured passwords in plain text as part of its global Jenkins
JFrog JFrog Artifactory version Prior to version 6.0.3, since version 4.0.0 contains a Directory Traversal vulnerability
JFrog Artifactory prior to version 7.66.0 is vulnerable to specific endpoint abuse with a specially crafted payload, whi
Jenkins Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password unencrypted in its global configurat
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today