AVID-2026-R1595

Description

JFrog Artifactory Cache Poisoning (CVE-2024-6915)

Details

JFrog Artifactory versions below 7.90.6, 7.84.20, 7.77.14, 7.71.23, 7.68.22, 7.63.22, 7.59.23, 7.55.18 are vulnerable to Improper Input Validation that could potentially lead to cache poisoning.

Reason for inclusion in AVID: CVE-2024-6915 describes a cache poisoning vulnerability in JFrog Artifactory due to improper input validation. Artifactory is a widely used artifact repository in software supply chains, including those used for AI/ML pipelines (dependency registries, containers, etc.). A successful cache poisoning could compromise the integrity of artifacts (models, dependencies, containers) distributed and consumed during building, training, deploying, or serving AI systems. Given this directly affects software supply chain components that general-purpose AI systems rely on, it qualifies as a security vulnerability impacting the AI supply chain. The report cites authoritative sources (NVD entry and vendor advisories) confirming the issue and its risk.
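To turn the affected-version list above into a repeatable check, here is an added Python example (not JFrog's or AVID's code) that decides whether a given Artifactory version falls below the fix named for its maintenance line and which release it should be moved to. The hostnames in the sample inventory are constructed, and the treatment of lines with no named fix (e.g. 7.85.x) is an interpretation of "versions below ..." stated in the code.

```python
import re
from typing import Dict, Tuple

# Fixed releases named in the advisory for CVE-2024-6915, one per maintenance line.
FIXED_VERSIONS = ["7.90.6", "7.84.20", "7.77.14", "7.71.23",
                  "7.68.22", "7.63.22", "7.59.23", "7.55.18"]

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; any trailing suffix (e.g. a build tag) is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Artifactory version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fix_for(version: Version) -> Version:
    """Fixed release on the same major.minor line, or the newest fix if none is named.

    Assumption (reading of "versions below ..."): a version on a line without a
    named fix, such as 7.85.x, counts as affected until the newest fixed release.
    """
    fixes = [parse_version(f) for f in FIXED_VERSIONS]
    same_line = [f for f in fixes if f[:2] == version[:2]]
    return same_line[0] if same_line else max(fixes)


def is_affected(text: str) -> bool:
    """True when the version is older than the fix that applies to it."""
    v = parse_version(text)
    return v < fix_for(v)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each affected host to the release it should be upgraded to."""
    return {host: ".".join(map(str, fix_for(parse_version(ver))))
            for host, ver in inventory.items() if is_affected(ver)}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"art-prod": "7.84.19", "art-dev": "7.85.3", "art-lts": "7.55.18"}
    for host, target in triage(sample).items():
        print(f"{host}: affected, upgrade to {target}")
```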

References

Affected or Relevant Artifacts

  • Developer: JFrog
  • Deployer: JFrog
  • Artifact Details:
    Type: System
    Name: Artifactory

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
Base Score: 9.3
Base Severity: 🔴 Critical
Attack Vector: NETWORK
Attack Complexity: 🟢 Low
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: 🔴 High
Availability Impact: 🟢 Low

CWE

ID: CWE-20
Description: Improper Input Validation

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-08-05
  • Version: 0.3.3
  • AVID Entry