
[ansible/artifactory] JA-7492- Fixed a security issue whereby, interacting with specially c… #356

Merged
merged 4 commits into from
Dec 21, 2023

Conversation

bbaassssiiee
Contributor

@bbaassssiiee bbaassssiiee commented Dec 18, 2023

…rafted URLs could lead to exposure of sensitive information.

PR Checklist

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]

  • Title of the PR starts with installer/product name (e.g. [ansible/artifactory])
  • CHANGELOG.md updated
  • Variables and other changes are documented in the README.md

What this PR does / why we need it:

The information below is specifically for Artifactory version 7.59.9 and above:

The security of your data is the highest priority for JFrog. As such, and in the spirit of open communication, we are writing to inform you of a newly-discovered security vulnerability that affects JFrog Artifactory.

Description

Due to this vulnerability, in some circumstances, user interaction with specially-crafted URLs could lead to data exposure unless corrective action is taken.

For JFrog Self-hosted installations

Versions affected
JFrog Artifactory versions 7.59 and above.

Remediation
The JFrog team has taken immediate action and released fixes for the affected JFrog Artifactory self-hosted versions with the following patches:
7.59.18, 7.63.18, 7.68.19, 7.71.8

JIRA Issue: JA-7492- Fixed a security issue whereby, interacting with specially crafted URLs could lead to exposure of sensitive information.

To fix this issue, you must upgrade your version of JFrog Artifactory to one of the remediating versions.

This PR also includes a fix for #357

Special notes for your reviewer:
Anuraj Nair is in on this one.
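The remediation list above only tells an operator which patch lines carry the fix; deciding whether a given self-hosted instance still needs the upgrade, and to which version, is the check a playbook has to make. The following is an added example, not code from this PR or from JFrog: it parses the version string a command returns (tolerating the trailing newline, which is why a stdout comparison needs stripping) and maps it onto the four remediating versions named in the advisory. Assumptions, marked in the comments: a minor line inside the affected range that has no listed patch (for example 7.60 to 7.62) is treated as affected, and releases newer than the newest listed fix are treated as already carrying it.

```python
import re
from typing import Optional, Tuple

# Remediating self-hosted versions, exactly as listed in the advisory above.
REMEDIATING_VERSIONS = ("7.59.18", "7.63.18", "7.68.19", "7.71.8")
# "JFrog Artifactory versions 7.59 and above" are affected.
FIRST_AFFECTED = (7, 59, 0)

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; surrounding whitespace (e.g. a trailing newline
    from a command's stdout) is tolerated so the comparison is not tripped by it."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def upgrade_target(running: str) -> Optional[str]:
    """Return the remediating version to upgrade to, or None if no action is needed."""
    v = parse_version(running)
    if v < FIRST_AFFECTED:
        return None  # below 7.59: outside the affected range
    fixes = sorted(parse_version(f) for f in REMEDIATING_VERSIONS)
    for fixed in fixes:
        if v[:2] == fixed[:2]:  # same minor line as a listed fix
            return None if v >= fixed else fmt(fixed)
    if v > fixes[-1]:
        # Assumption: releases after the newest listed fix carry it.
        return None
    # Assumption (conservative): an affected minor line with no listed patch
    # must move up to the next remediating line.
    return fmt(next(f for f in fixes if f > v))


if __name__ == "__main__":
    # Constructed sample inputs, including one with the newline a command would return.
    for sample in ("7.59.9", "7.59.18", "7.60.1", "7.71.8\n", "7.58.3"):
        print(repr(sample), "->", upgrade_target(sample))
```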

@bbaassssiiee bbaassssiiee marked this pull request as draft December 19, 2023 08:55
@bbaassssiiee bbaassssiiee marked this pull request as ready for review December 19, 2023 09:53
@chukka chukka changed the base branch from master to jp-10.16.4 December 21, 2023 14:17
@chukka chukka merged commit 506510c into jfrog:jp-10.16.4 Dec 21, 2023
1 check passed
chukka added a commit that referenced this pull request Dec 21, 2023
* [ansible/artifactory] JA-7492- Fixed a security issue whereby, interacting with specially c… (#356)

* JA-7492- Fixed a security issue whereby, interacting with specially crafted URLs could lead to exposure of sensitive information.

* Version 7.71.8 of Artifactory

* Determine the running_version and compare to desired artifactory_version

* compare stdout without newline. changed_when: false for read operation.

* [ansible] JFrog Platform 10.16.4 release

---------

Co-authored-by: Bas <[email protected]>
@bbaassssiiee bbaassssiiee deleted the hotfix/JA-7492 branch January 5, 2024 13:00