
“Playing Leapfrog” Default Password Usage Allows for Jfrog Artifactory Account Compromise

Jfrog Artifactory

Jfrog Artifactory is a binary repository manager and DevOps platform that automates the application delivery pipeline with the goal of improving developer productivity. It offers many useful features for building and deploying applications and can be integrated with a customer's cloud infrastructure.

However, a vulnerability exists in how administrator accounts are provisioned: they ship with a default password, and the product does not require that password to be changed on first login. Not only is this poor password policy, it also allows a network-based attacker who can reach the Artifactory web interface or REST API to compromise the instance. The issue affects Jfrog Artifactory versions 6.17.0 and below.

This vulnerability is trivial to exploit: if the default password is still set, an attacker simply logs in as the administrator and seizes control of the service, including the repositories and artifacts it serves to downstream builds.

The remediation

While a patch is not currently available, Jfrog Artifactory administrators can mitigate the issue by manually changing the administrator and user account passwords. Ensure an appropriate password policy is enforced and that passwords are rotated regularly. Additionally, put multi-factor authentication in place so that a known or guessed password alone is not enough to log in.
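The check a practitioner wants here is twofold: confirm whether an instance still accepts the default administrator credential, and rotate it to something that satisfies a policy. The following script is an added example that is not part of the original post and not JFrog's own code. It assumes that the default account is `admin` with password `password` (JFrog's documented default for the affected versions), that `/api/security/users` is the admin-only user listing and `/api/security/users/authorization/changePassword` the password-change endpoint of the Artifactory REST API, and it uses a constructed in-memory `FakeArtifactory` stand-in so it runs offline; pass a real base URL on the command line to run the detection against a live instance.

```python
"""Added example (not JFrog's code): detect a still-default Artifactory
administrator credential, then rotate it through the REST API.

Assumptions, labelled here and in the lead-in: default account 'admin' /
'password'; standard REST paths /api/security/users (admin-only listing)
and /api/security/users/authorization/changePassword; FakeArtifactory is
a constructed stand-in for a live server so the example runs offline.
"""
import base64
import json
import urllib.error
import urllib.request

# Assumed default credential for the affected versions (per JFrog docs).
DEFAULT_CREDENTIALS = [("admin", "password")]


def basic_auth_header(username, password):
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def http_fetch(url, headers, data=None, method="GET"):
    """Real transport: returns (status, body). Replaced by a fake in tests."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def accepts_credential(base_url, username, password, fetch=http_fetch):
    """True when the admin-only user listing answers 200 for this credential."""
    url = base_url.rstrip("/") + "/api/security/users"
    status, _ = fetch(url, {"Authorization": basic_auth_header(username, password)})
    return status == 200


def find_default_logins(base_url, candidates=DEFAULT_CREDENTIALS, fetch=http_fetch):
    """Every (user, password) pair from `candidates` the instance still accepts."""
    return [(u, p) for u, p in candidates if accepts_credential(base_url, u, p, fetch)]


def password_meets_policy(password, min_length=16):
    """Simple policy: long enough, not a known default, mixes character classes."""
    if len(password) < min_length:
        return False
    if password.lower() in {p.lower() for _, p in DEFAULT_CREDENTIALS}:
        return False
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return sum(classes) >= 3


def rotate_password(base_url, username, old_password, new_password, fetch=http_fetch):
    """Change `username`'s password via the changePassword endpoint; True on 200."""
    if not password_meets_policy(new_password):
        raise ValueError("new password does not meet policy")
    url = base_url.rstrip("/") + "/api/security/users/authorization/changePassword"
    body = json.dumps({"userName": username, "oldPassword": old_password,
                       "newPassword1": new_password, "newPassword2": new_password}).encode()
    headers = {"Authorization": basic_auth_header(username, old_password),
               "Content-Type": "application/json"}
    status, _ = fetch(url, headers, data=body, method="POST")
    return status == 200


class FakeArtifactory:
    """Constructed in-memory stand-in for a live instance (HTTP basic auth only).
    It does not model admin-vs-user permissions; any valid login may list users."""

    def __init__(self, users):
        self.users = dict(users)

    def __call__(self, url, headers, data=None, method="GET"):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401, "Unauthorized"
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        if self.users.get(user) != pw:
            return 401, "Unauthorized"
        if url.endswith("/api/security/users") and method == "GET":
            return 200, json.dumps([{"name": u} for u in self.users])
        if url.endswith("/authorization/changePassword") and method == "POST":
            req = json.loads(data)
            if req["userName"] != user or req["oldPassword"] != pw:
                return 400, "Bad Request"
            self.users[user] = req["newPassword1"]
            return 200, "Password has been successfully changed"
        return 404, "Not Found"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    fetch = http_fetch if target else FakeArtifactory({"admin": "password", "deploy": "s3cret"})
    base = target or "https://artifactory.example/artifactory"
    for user, pw in find_default_logins(base, fetch=fetch):
        print(f"{base}: account '{user}' still accepts its default password")
```

Run it with no arguments to see the detection against the constructed fake; with `python check.py https://your-host/artifactory` it performs exactly one login attempt per default pair, which is a harmless authenticated read rather than a brute-force, and the rotation helper refuses any replacement password that fails the policy before a request is sent.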

Source: NVD

