CVE-2021-3860: SQL Injection
First published: Mon Dec 20 2021(Updated: )
JFrog Artifactory before 7.25.4 (Enterprise+ deployments only), is vulnerable to Blind SQL Injection by a low privileged authenticated user due to incomplete validation when performing an SQL query.
Credit: reefs@jfrog.com reefs@jfrog.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jfrog Artifactory | <6.23.30 | |
| Jfrog Artifactory | >=7.11.0<7.11.8 | |
| Jfrog Artifactory | >=7.12.0<7.12.10 | |
| Jfrog Artifactory | >=7.17.0<7.17.14 | |
| Jfrog Artifactory | >=7.18.0<7.18.11 | |
| Jfrog Artifactory | >=7.19.0<7.19.12 | |
| Jfrog Artifactory | >=7.21.0<7.21.14 | |
| Jfrog Artifactory | >=7.23.0<7.23.8 | |
| Jfrog Artifactory | >=7.24.0<7.24.7 | |
| Jfrog Artifactory | >=7.25.0<7.25.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-3860?
CVE-2021-3860 is a vulnerability in JFrog Artifactory before 7.25.4 (Enterprise+ deployments only) that allows a low privileged authenticated user to perform blind SQL injection.
How severe is CVE-2021-3860?
CVE-2021-3860 has a severity rating of 8.8 (high).
Which versions of JFrog Artifactory are affected by CVE-2021-3860?
JFrog Artifactory versions up to and including 6.23.30, 7.11.0 to 7.11.8, 7.12.0 to 7.12.10, 7.17.0 to 7.17.14, 7.18.0 to 7.18.11, 7.19.0 to 7.19.12, 7.21.0 to 7.21.14, 7.23.0 to 7.23.8, 7.24.0 to 7.24.7, and 7.25.0 to 7.25.4 are affected by CVE-2021-3860.
How can I fix CVE-2021-3860?
To fix CVE-2021-3860, it is recommended to upgrade JFrog Artifactory to version 7.25.4 or later.
Where can I find more information about CVE-2021-3860?
More information about CVE-2021-3860 can be found at the following link: [CVE-2021-3860: Artifactory Low Privileged Blind SQL Injection](https://www.jfrog.com/confluence/display/JFROG/CVE-2021-3860%3A+Artifactory+Low+Privileged+Blind+SQL+Injection).
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/remedy
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/first-publish-date
- agent/author
- agent/event
- agent/description
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/jfrog
- canonical/jfrog artifactory
- version/jfrog artifactory/7.11.0
- version/jfrog artifactory/7.12.0
- version/jfrog artifactory/7.17.0
- version/jfrog artifactory/7.18.0
- version/jfrog artifactory/7.19.0
- version/jfrog artifactory/7.21.0
- version/jfrog artifactory/7.23.0
- version/jfrog artifactory/7.24.0
- version/jfrog artifactory/7.25.0