CVE-2021-45730 : What You Need to Know

Learn about CVE-2021-45730 affecting JFrog Artifactory prior to version 7.31.10, allowing unauthorized Repository Layout manipulation by Project Admins. Understand impacts and mitigation.

JFrog Artifactory prior to version 7.31.10 is vulnerable to Broken Access Control, allowing Project Admins unauthorized access to Repository Layout configuration.

Understanding CVE-2021-45730

What is CVE-2021-45730?

JFrog Artifactory prior to 7.31.10 is susceptible to Broken Access Control, enabling Project Admins to manipulate Repository Layouts beyond their permissions.

The Impact of CVE-2021-45730

This vulnerability has a CVSS base score of 6 (Medium severity), with high integrity impact and low confidentiality and availability impacts. Exploitation requires high privileges (a Project Admin account) but has low attack complexity, and it gives that account access to Repository Layout configuration it is not authorized to manage.

Technical Details of CVE-2021-45730

Vulnerability Description

The issue allows Project Admins in JFrog Artifactory to create, edit, and delete Repository Layouts, tasks reserved for Platform Administrators only.

Affected Systems and Versions

        Product: Artifactory
        Vendor: JFrog
        Version: 7.x (all releases prior to 7.31.10)

Exploitation Mechanism

        Attack Vector: Network
        Privileges Required: High
        User Interaction: None
        Scope: Unchanged
        Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L

Mitigation and Prevention

Immediate Steps to Take

        Upgrade JFrog Artifactory to version 7.31.10 or higher.
        Restrict Project Admin privileges regarding Repository Layouts.

Long-Term Security Practices

        Regularly review and adjust user permissions to limit exposure.
        Conduct security training to raise awareness about access control risks.

Patching and Updates

        Stay informed about security updates and promptly apply patches released by JFrog.
