Vulnerability Report for Artifactory v7.68.21 - CVE-2023-44487 & CVE-2023-4911 #1941

Closed
SiddharamAlagi opened this issue Nov 18, 2024 · 3 comments

Comments

@SiddharamAlagi

We are currently using JFrog Artifactory version 7.68.21 and have identified the following vulnerabilities:

- CVE-2023-44487 - This vulnerability has been reported in our environment as a potential security issue.
- CVE-2023-4911 - This vulnerability is also being flagged in our current version.

We would like to confirm if these issues have been fixed in newer versions and request guidance on how we can safely upgrade to a version where these vulnerabilities are resolved. Based on our research, we believe that 7.98.8 or later should address these vulnerabilities, but would appreciate your confirmation.

Impact: As these vulnerabilities pose security risks, we need to take immediate action to ensure our environment is secure. Please provide the appropriate guidance for remediation.

Current Version:

- Artifactory version: 7.68.21

Requested Action:

- Confirmation if upgrading to version 7.98.8 will resolve the issues.
- Any other necessary steps for patching these vulnerabilities.

Additional Information: If there are specific patches or versions that address these vulnerabilities, kindly share the details.

Thank you for your assistance.

@SiddharamAlagi
Author

We are awaiting your response.

@vasukinjfrog

vasukinjfrog commented Nov 19, 2024

Hi @SiddharamAlagi

The vulnerability CVE-2023-44487 is under CVEs Not Impacting Artifactory, and CVE-2023-4911 is fixed in releases later than 7.68.21, so please do exercise a staged upgrade on a non-production environment (as a best practice) and, post upgrade verification, roll to production environments with the 7.98 series.

@SiddharamAlagi
Author

Thank you for your help. After upgrading JFrog Artifactory to version 7.98.8, all vulnerabilities have been fixed.
