CVE-2021-45721 Artifactory prior to version 7.29.8 and 6.23.38 is vulnerable to XSS through the Users REST API endpoint.

The XHR parameter is a special string that can be used to pass dynamic data to the request. When using XHR parameters, the request is sent to the server with the user’s session information. Thus, an attacker can inject malicious code into the server and get it executed by the user.

When a user accesses the Users REST API endpoint, JFrog Artifactory will check if the user has permission to view the given resource. The following snippet shows an example of the Users REST API endpoint:

https://<jfrog-artifactory-host>/api/v1/rest/users/{id}

An attacker can inject malicious code into the XHR parameter value to execute it in the context of the user’s session. For example, if the REST API endpoint looks like the following, then the attacker can inject the malicious code into the XHR parameter value:

https://<jfrog-artifactory-host>/api/v1/rest/users/?XHR=<malicious code here>

CVE-2021-45722

An attacker can also use the XHR parameter to bypass JFrog Artifactory’s authorization check. When a user accesses the Users REST API endpoint, JFrog Artifactory will check if the user has permission to view the given resource. The following snippet shows an example of the REST API endpoint:

https://<jfrog-artifactory-host>/api/v1/rest/users/{id}

An attacker can inject malicious code into the request value to bypass the authorization check and make the request succeed. For example, if the REST API endpoint looks like the following, then an attacker can inject malicious code into the request value:

https://<jfrog-artifactory-host>/api/v1/rest/users/?request=<malicious code here>

Solution: Disable the XHR parameter

To mitigate this vulnerability, disable the XHR parameter in REST API endpoints. This can be accomplished by configuring the endpoint to use GET instead of POST. As a result, if an attacker manages to inject malicious code into the request, it will not execute in the context of the user’s session.
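The mitigation above is phrased in terms of the request parameter. As an added illustration (not Artifactory's code and not the vendor's fix; the endpoint name, the `XHR` parameter and the sample URL are constructed for the example), the snippet below shows the general shape of an XSS defence for a users endpoint: a request value is HTML-encoded or allow-list validated before it can be reflected, and a REST response is served as JSON with `nosniff` so a browser never renders it as HTML.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample: a users-endpoint URL whose query parameter carries markup.
# The host and the parameter name are placeholders, not real Artifactory values.
SAMPLE_URL = "https://jfrog-artifactory-host/api/v1/rest/users/?XHR=<b>bad</b>"


def first_param(url: str, name: str) -> str:
    """Return the first value of query parameter `name`, or '' if absent."""
    qs = parse_qs(urlparse(url).query)
    return qs.get(name, [""])[0]


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: request data concatenated straight into HTML,
    so any markup in the parameter is interpreted by the browser."""
    return f"<p>Requested user: {value}</p>"


def render_safe(value: str) -> str:
    """Hardened pattern: HTML-encode the value before it reaches the page.
    quote=True also encodes quotes so the value is safe inside attributes."""
    return f"<p>Requested user: {html.escape(value, quote=True)}</p>"


def contains_markup(value: str) -> bool:
    """Cheap detection check: raw angle brackets or quotes in a parameter
    that should only ever hold an identifier are worth logging or blocking."""
    return any(ch in value for ch in "<>\"'")


def is_valid_user_id(value: str) -> bool:
    """Allow-list validation: accept only letters, digits, '.', '_' and '-'.
    Rejecting anything else is stronger than trying to strip bad characters."""
    return bool(value) and all(ch.isalnum() or ch in "._-" for ch in value)


def json_api_headers() -> dict:
    """Response headers a REST endpoint should send: a JSON content type
    and nosniff, so browsers never sniff the body as HTML."""
    return {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    value = first_param(SAMPLE_URL, "XHR")
    print("unsafe :", render_unsafe(value))
    print("safe   :", render_safe(value))
    print("markup?:", contains_markup(value), " valid id?:", is_valid_user_id(value))
    print("headers:", json_api_headers())
```

The encoding in `render_safe` is the fix for reflection into an HTML page; the allow-list in `is_valid_user_id` is the fix at the API boundary, where a user id never legitimately contains markup. For a JSON-only endpoint, the `nosniff` header removes the rendering context entirely.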

CVE-2022-45722

The XHR parameter is a special string that can be used to pass dynamic data to the request. When using XHR parameters, the request is sent to the server with the user’s session information. Thus, an attacker can inject malicious code into the server and get it executed by the user. When JFrog Artifactory receives a request, it will parse it and check if the user has permission to view the given resource. The following snippet shows an example of a parsed request:

https://<jfrog-artifactory-host>/api/v1/rest/users?XHR=<malicious code here>
