The issue exists due to incorrect deserialization of user-provided data by the JFrog Artifactory component. An attacker can exploit this issue by crafting a request that submits specially crafted data, causing the JFrog Artifactory component to fail to properly validate the received data and potentially execute arbitrary code on the server. This issue was fixed in JFrog Artifactory 7.36.1 and 6.23.41. JFrog strongly recommends using version 7.36.1 or 6.23.41 of JFrog Artifactory instead of 7.36 or 6.22.14. Users of affected versions are strongly advised to update their servers immediately. End users who have not upgraded their server to 7.36 or 6.23.41 are advised to update their servers as soon as these versions become available.

Vulnerability overview

A vulnerability has been disclosed in JFrog Artifactory. The issue is due to incorrect deserialization of user-provided data by the JFrog Artifactory component. An attacker can exploit this issue by crafting a request that submits specially crafted data, causing the JFrog Artifactory component to fail to properly validate the received data and potentially execute arbitrary code on the server.

References

JFrog vulnerability advisory CVE-2019-5559
https://jfrog.com/blog/CVE-2019-5559-JFrog-Artifactory-7.36.1-6.23.41/
Mozilla specification of the Gecko rendering engine security flaw CVE-2019-5614
https://bugzilla.mozilla.org/show_bug.cgi?id=1264777
**NOTE**: The following references were removed due to a copyright claim by JFrog on the original document.

Vulnerability Scenario

A vulnerability in the JFrog Artifactory component allows an attacker to execute arbitrary code on the server. The vulnerability exists due to incorrect deserialization of user-provided data by the JFrog Artifactory component. An attacker can exploit this issue by crafting a request that submits specially crafted data, causing the JFrog Artifactory component to fail to properly validate the received data and potentially execute arbitrary code on the server.
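The advisory names the vulnerability class (untrusted Java object deserialization) but not the code path, so the following is an added illustration of that class written for this page; it is not Artifactory's code and does not reproduce the flaw covered by the advisory. The first method shows the unsafe pattern of handing request bytes straight to `ObjectInputStream.readObject()`, where any serializable class on the classpath becomes reachable; the second shows the standard hardening of an `ObjectInputFilter` allowlist with depth, reference and array-size limits. The `ArtifactQuery` type, the allowlist contents and the sample payloads are assumptions constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

// Illustration of the vulnerability class only; not Artifactory's code.
public class DeserializationAllowlist {

    // Hypothetical application type that an endpoint legitimately expects (constructed for this example).
    public static final class ArtifactQuery implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String repoKey;
        public final String path;
        public ArtifactQuery(String repoKey, String path) { this.repoKey = repoKey; this.path = path; }
    }

    // Unsafe pattern: the stream decides which classes get instantiated, so every
    // serializable class on the classpath is reachable from attacker-controlled bytes.
    public static Object unsafeRead(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // Hardened pattern: allow only the types this endpoint needs and cap the object graph.
    private static final Set<String> ALLOWED = Set.of(
        ArtifactQuery.class.getName(), String.class.getName());

    static final ObjectInputFilter FILTER = info -> {
        // Resource limits defend against deeply nested or huge graphs regardless of type.
        if (info.depth() > 4 || info.references() > 100 || info.arrayLength() > 1024) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED; // no class descriptor in this callback
        }
        return ALLOWED.contains(c.getName())
            ? ObjectInputFilter.Status.ALLOWED
            : ObjectInputFilter.Status.REJECTED;
    };

    public static ArtifactQuery safeRead(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(FILTER);
            Object o = in.readObject(); // InvalidClassException for any rejected class
            if (!(o instanceof ArtifactQuery)) {
                throw new InvalidClassException("unexpected root type: " + o.getClass().getName());
            }
            return (ArtifactQuery) o;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads: one expected type, one type the endpoint never needs.
        byte[] expected = serialize(new ArtifactQuery("libs-release", "org/example/app/1.0/app.jar"));
        System.out.println("allowed: " + safeRead(expected).path);

        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationAllowlist.java && java DeserializationAllowlist` (Java 9 or later, where `ObjectInputFilter` is available). The same filter can be installed process-wide through the `jdk.serialFilter` system property, which is the usual way to cover deserialization sites in third-party code you cannot modify while waiting for a vendor fix such as the versions named above.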

Timeline

Published on: 05/16/2022 15:15:00 UTC
Last modified on: 05/25/2022 15:29:00 UTC
