CVE-2023-42662: 
Artifactory vulnerability analysis and mitigation

JFrog Artifactory versions 7.59 and above, but below 7.59.18, 7.63.18, 7.68.19, 7.71.8 are affected by a critical security vulnerability identified as CVE-2023-42662. The vulnerability was disclosed on March 7, 2024, and involves improper handling of the CLI/IDE browser-based SSO integration that could lead to exposure of user access tokens (NVD, SecurityOnline).

The vulnerability has been assigned a Critical CVSS v3.1 base score of 9.3, with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N. The flaw is categorized under CWE-287 (Improper Authentication) and specifically compromises Artifactory's Single Sign-On (SSO) feature through specially crafted URLs (NVD).

If successfully exploited, this vulnerability allows attackers to obtain user access tokens, which could lead to unauthorized access and potential impersonation of legitimate users within the Artifactory environment. The exposure of access tokens could give attackers significant control over the affected systems (SecurityOnline).

JFrog has released patches to address this vulnerability. Organizations are advised to upgrade to the fixed versions: 7.59.18, 7.63.18, 7.68.19, or 7.71.8. As a temporary mitigation measure, organizations can block access to the CLI token exchange API endpoint: https://Artifactory-Host/access/api/v2/authentication/jfrogclientlogin/token/* (SecurityOnline).