{"id":1766,"date":"2015-08-12T08:27:38","date_gmt":"2015-08-12T06:27:38","guid":{"rendered":"http:\/\/sseblog.ec-spride.de\/?p=1766"},"modified":"2015-08-12T08:27:38","modified_gmt":"2015-08-12T06:27:38","slug":"vulnerability-in-jfrog-artifactory","status":"publish","type":"post","link":"https:\/\/blogs.uni-paderborn.de\/sse\/2015\/08\/12\/vulnerability-in-jfrog-artifactory\/","title":{"rendered":"Responsible Disclosure: JFrog fixes vulnerability in Artifactory"},"content":{"rendered":"<p>We have recently discovered\u00a0and reported a security vulnerability in JFrog&#8217;s Artifactory Pro software. The Artifactory is a product used to manage build artifacts and dependencies in a central enterprise repository. 
Due to the vulnerability, attackers could not only gain credentials for accessing the repository, but under some circumstances also credentials for the company-wide single-sign-on (SSO) system. In this worst case, attackers could access arbitrary systems with the identity of the victim.<\/p>\n<p><!--more--><\/p>\n<p>Artifacts\u00a0are usually not deployed to the Artifactory manually, but\u00a0by\u00a0automatic build processes.\u00a0With JFrog&#8217;s official plugin for Atlassian&#8217;s Bamboo continuous integration server, the developer can configure the deployment as an after-build task to be performed once a build has succeeded. For this to work, one needs to specify the credentials of an account with &#8220;deploy&#8221; privileges on the Artifactory. This combination of user name and password was, however, stored in plain text in the configuration of the build job. Every user with the privilege to configure the build job could obtain it by simply inspecting the HTML source of the build job&#8217;s configuration web page. Since a build job is usually not managed by one person alone but, e.g., by a build maintenance \/ system integration team, this vulnerability allowed everyone in the team to view the Artifactory credentials that had been entered. If the person who created the job put in his personal credentials, his colleagues could then impersonate him against the Artifactory.<\/p>\n<p>Even worse, these hijacked accounts might not even have been restricted to the Artifactory. The JFrog Artifactory can be configured to use a central directory such as a Jira user directory or an LDAP server for authentication. Organizations use this feature to integrate the Artifactory into the organization-wide single-sign-on (SSO) system. This, however, means that the credentials at risk were SSO credentials. Attackers could then impersonate the user not only against the Artifactory, but against any other system or service in the organization. 
They could, for instance, log into machines, the internal wiki, or other resources.<\/p>\n<p>JFrog has fixed the issue in Version 1.8.1 of the plugin.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have recently discovered\u00a0and reported a security vulnerability in JFrog&#8217;s Artifactory Pro software. The Artifactory is a product used to manage build artifacts and dependencies in a central enterprise repository. Due to the vulnerability, attackers could not only gain credentials &hellip; <a href=\"https:\/\/blogs.uni-paderborn.de\/sse\/2015\/08\/12\/vulnerability-in-jfrog-artifactory\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":6601,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1766","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts\/1766","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/users\/6601"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/comments?post=1766"}],"version-history":[{"count":0,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts\/1766\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/media?parent=1766"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/categories?post=1766"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/tags?post=1766
"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}