Responsible Disclosure: JFrog fixes vulnerability in Artifactory

We have recently discovered and reported a security vulnerability in JFrog’s Artifactory Pro software. The Artifactory is a product used to manage build artifacts and dependencies in a central enterprise repository. Due to the vulnerability, attackers could not only gain credentials for accessing the repository, but under some circumstances to the company-wide single-sign-on (SSO) system. In this worst case, attackers could access arbitrary systems with the identity of the victim.

Artifacts are usually not manually deployed to the Artifactory, but by automatic build processes. With JFrog’s official plugin for Atlassian’s Bamboo continuous integration server, the developer can configure the deployment as an after-build task to be performed once a build succeeded. For this to work, one needs to the specify the credentials of an account with “deploy” privileges on the Artifactory. This combination of user name and password was, however, stored in plain text in the configuration of the build job. Every user with the privilege to configure the build job can obtain it by simply inspecting the HTML source of the build job’s configuration web page. Since a build job is usually not managed by one person alone but, e.g., by a build maintenance / system integration team, this vulnerability allowed everyone in the team to view the Artifactory credentials that have been entered. If the person who created the job put in his personal credentials, his colleagues could then impersonate him against the Artifactory.

Even worse, these hijacked accounts might not even have been restricted to the Artifactory. The JFrog Artifactory can be configured to use a central directory such as a Jira user directory or an LDAP server for authentication. Organizations use this feature to integrate the Artifactory into the organization-wide single-sign-on (SSO) system. This, however, means that the credentials at risk were SSO credentials. Attackers could then not only impersonate the user against the Artifactory, but against any other system or service in the organization. They could, for instance, log into machines, the internal wiki, or other resources.

JFrog has fixed the issue in Version 1.8.1 of the plugin.