The XHR parameter is a special string that can be used to pass dynamic data to the request. When using XHR parameters, the request is sent to the server with the user’s session information. Thus, an attacker can inject malicious code into the server and get it executed by the user.

When a user accesses the Users REST API endpoint, JFrog Artifactory will check if the user has permission to view the given resource. The following snippet shows an example of the Users REST API endpoint:

https://<jfrog-artifactory-host>/api/v1/rest/users/{id}

An attacker can inject malicious code into the XHR parameter value to execute it in the context of the user’s session. For example, if the REST API endpoint looks like the following, then the attacker can inject the malicious code into the XHR parameter value:

https://<jfrog-artifactory-host>/api/v1/rest/users/?XHR=<malicious code here>

CVE-2021-45722

An attacker can also use the XHR parameter to bypass JFrog Artifactory’s authorization check. When a user accesses the Users REST API endpoint, JFrog Artifactory will check if the user has permission to view the given resource. The following snippet shows an example of the REST API endpoint:

https://<jfrog-artifactory-host>/api/v1/rest/users/{id}

An attacker can inject malicious code into the request value to bypass the authorization check and make the request successful. For example, if the REST API endpoint looks like the following, then an attacker can inject malicious code into the request value:

https://<jfrog-artifactory-host>/api/v1/rest/users/?request=<malicious code here>

Solution: Disable the XHR parameter
To mitigate this vulnerability, disable the XHR parameter in REST API endpoints. This can be accomplished by configuring the endpoint to use GET instead of POST. As a result, if an attacker manages to inject malicious code into the request, it will not execute in the context of the user’s session.

CVE-2022-45722

The XHR parameter is a special string that can be used to pass dynamic data to the request. When using XHR parameters, the request is sent to the server with the user’s session information. Thus, an attacker can inject malicious code into the server and get it executed by the user. When JFrog Artifactory receives a request, it will parse it and check if the user has permission to view the given resource. The following snippet shows an example of parsing a request:

https://<jfrog-artifactory-host>/api/v1/rest/users?XHR=<malicious code here>

Timeline

Published on: 07/06/2022 10:15:00 UTC
Last modified on: 07/13/2022 14:03:00 UTC
