CVE-2024-3505

JFrog Artifactory Self-Hosted versions below 7.77.3, are vulnerable to sensitive information disclosure whereby a low-privileged authenticated user can read the proxy configuration. This does not affect JFrog cloud deployments.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories	Vendor Advisory
https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:*

History

01 Apr 2025, 13:59

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
First Time		Jfrog artifactory Jfrog
References	~~() https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories -~~	() https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories - Vendor Advisory
CPE		cpe:2.3:a:jfrog:artifactory::::::-::*

21 Nov 2024, 09:29

Type	Values Removed	Values Added
References	~~() https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories -~~	() https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories -

15 Apr 2024, 13:15

Type	Values Removed	Values Added
Summary		(es) Las versiones autohospedadas de JFrog Artifactory inferiores a 7.77.3 son vulnerables a la divulgación de información confidencial mediante la cual un usuario autenticado con pocos privilegios puede leer la configuración del proxy. Esto no afecta las implementaciones en la nube de JFrog.

15 Apr 2024, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-15 08:15

Updated : 2025-04-01 13:59

NVD link : CVE-2024-3505

Mitre link : CVE-2024-3505

CVE.ORG link : CVE-2024-3505

JSON object : View

Products Affected

jfrog

artifactory

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

{"id": "CVE-2024-3505", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "reefs@jfrog.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-04-15T08:15:18.180", "references": [{"url": "https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories", "tags": ["Vendor Advisory"], "source": "reefs@jfrog.com"}, {"url": "https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "reefs@jfrog.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "JFrog Artifactory Self-Hosted versions below 7.77.3, are vulnerable to sensitive information disclosure whereby a low-privileged authenticated user can read the proxy configuration.\nThis does not affect JFrog cloud deployments."}, {"lang": "es", "value": "Las versiones autohospedadas de JFrog Artifactory inferiores a 7.77.3 son vulnerables a la divulgaci\u00f3n de informaci\u00f3n confidencial mediante la cual un usuario autenticado con pocos privilegios puede leer la configuraci\u00f3n del proxy. Esto no afecta las implementaciones en la nube de JFrog."}], "lastModified": "2025-04-01T13:59:28.320", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jfrog:artifactory:*:*:*:*:*:-:*:*", "vulnerable": true, "matchCriteriaId": "4C1DE6A6-89C3-4E1F-A90D-CBEE0B9FB10B", "versionEndExcluding": "7.77.3"}], "operator": "OR"}]}], "sourceIdentifier": "reefs@jfrog.com"}