First published: Mon Dec 20 2021
JFrog Artifactory before 7.25.4 (Enterprise+ deployments only) is vulnerable to blind SQL injection by a low-privileged authenticated user, due to incomplete validation of input used in an SQL query.
Credit: reefs@jfrog.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| JFrog Artifactory | < 6.23.30 | |
| JFrog Artifactory | >= 7.11.0, < 7.11.8 | |
| JFrog Artifactory | >= 7.12.0, < 7.12.10 | |
| JFrog Artifactory | >= 7.17.0, < 7.17.14 | |
| JFrog Artifactory | >= 7.18.0, < 7.18.11 | |
| JFrog Artifactory | >= 7.19.0, < 7.19.12 | |
| JFrog Artifactory | >= 7.21.0, < 7.21.14 | |
| JFrog Artifactory | >= 7.23.0, < 7.23.8 | |
| JFrog Artifactory | >= 7.24.0, < 7.24.7 | |
| JFrog Artifactory | >= 7.25.0, < 7.25.4 | |
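The affected-version table above, turned into an inventory check a defender can run against the Artifactory versions in a fleet. This is an added example, not JFrog's or SecAlerts' code; it assumes version strings start with a numeric major.minor.patch triple, and it reports only what the table states, so a version outside every listed row (for instance a 7.x release older than 7.11.0) is returned as "no matching range" rather than guessed either way.

```python
import re
from typing import Optional, Tuple

# Ranges copied from the advisory table: (lower bound inclusive or None, upper bound exclusive).
AFFECTED_RANGES = [
    (None, "6.23.30"),
    ("7.11.0", "7.11.8"),
    ("7.12.0", "7.12.10"),
    ("7.17.0", "7.17.14"),
    ("7.18.0", "7.18.11"),
    ("7.19.0", "7.19.12"),
    ("7.21.0", "7.21.14"),
    ("7.23.0", "7.23.8"),
    ("7.24.0", "7.24.7"),
    ("7.25.0", "7.25.4"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Reduce '7.25.3' (or a build-suffixed form such as '7.25.3-m001', an assumed
    input shape) to a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised Artifactory version: {v!r}")
    return tuple(int(x) for x in m.groups())


def affected_range(version: str) -> Optional[Tuple[Optional[str], str]]:
    """Return the table row that contains `version`, or None when no row matches."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if (lo is None or parse_version(lo) <= v) and v < parse_version(hi):
            return (lo, hi)
    return None


def is_vulnerable(version: str, enterprise_plus: bool) -> bool:
    """CVE-2021-3860 applies to Enterprise+ deployments only, so the licence tier
    gates the verdict alongside the version match."""
    return enterprise_plus and affected_range(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory: (hostname placeholder, version, Enterprise+ flag).
    for host, ver, ent in [("art-a", "7.25.3", True), ("art-b", "7.25.4", True), ("art-c", "7.24.6", False)]:
        print(host, ver, "VULNERABLE" if is_vulnerable(ver, ent) else "not affected", affected_range(ver))
```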
CVE-2021-3860 is a vulnerability in JFrog Artifactory before 7.25.4 (Enterprise+ deployments only) that allows a low-privileged authenticated user to perform blind SQL injection.
CVE-2021-3860 has a severity rating of 8.8 (high).
JFrog Artifactory versions up to and including 6.23.30, 7.11.0 to 7.11.8, 7.12.0 to 7.12.10, 7.17.0 to 7.17.14, 7.18.0 to 7.18.11, 7.19.0 to 7.19.12, 7.21.0 to 7.21.14, 7.23.0 to 7.23.8, 7.24.0 to 7.24.7, and 7.25.0 to 7.25.4 are affected by CVE-2021-3860.
To fix CVE-2021-3860, it is recommended to upgrade JFrog Artifactory to version 7.25.4 or later.
More information about CVE-2021-3860 can be found at the following link: [CVE-2021-3860: Artifactory Low Privileged Blind SQL Injection](https://www.jfrog.com/confluence/display/JFROG/CVE-2021-3860%3A+Artifactory+Low+Privileged+Blind+SQL+Injection).