“Playing Leapfrog” Default Password Usage Allows for Jfrog Artifactory Account Compromise

Jfrog Artifactory

Jfrog Artifactory is a DevOps solution that aims to provide automation throughout an application delivery process and its goal is to improve productivity. It boasts many useful features for the deployment of applications and can be integrated with a client’s cloud infrastructure.

However, a vulnerability exists because Jfrog Artifactory does not require the default administrator password to be changed. Not only is this poor password policy, it also allows a network-based attacker to compromise the Jfrog Artifactory instance. The issue affects Jfrog Artifactory versions 6.17.0 and below.

This vulnerability is trivial to exploit: if the default administrator password is still set, an attacker can log in and seize control of the service.

The remediation

Whilst a patch is not currently available, end users of Jfrog Artifactory can manually change the administrator and user account passwords. Ensure an appropriate password policy is in use and that passwords are changed regularly. Additionally, multi-factor authentication should be in place to mitigate this issue.

Source: NVD


Risk Crew