Artifactory API Key

ID

artifactory_apikey

Severity

high

Vendor

JFrog

Family

API Token

Description

JFrog Artifactory is a Repository Manager for binary resources including libraries, remote artifacts and other third-party resources.

An Artifactory API Key allows authentication for REST API calls as an alternative to a username and password, typically sent in an X-JFrog-Art-Api header or through HTTP basic authentication.

Artifactory now offers a more robust alternative, the access token: a scoped token with a limited lifetime and limited permissions that is easier to revoke.

JFrog is deprecating API Keys, and by the end of Q4 2024 they will no longer be available.

Security

Any leakage of the API Key allows access to the Artifactory REST API with the permissions of the owning user. API clients with hardcoded API keys in CI/CD scripts are a common source of security issues.

Although API Keys are easy to create and use, they have some characteristics that make them less secure:

  • API Keys are retrievable – the keys are saved in the database and can be retrieved via REST API or the UI.

  • API Keys don’t have lifecycle management features – since API Keys are not created with an expiry date, and, by default, never expire, the user or Artifactory admin must manually revoke them. A single user can have a single active API Key at any moment – which means a single key needs to be shared with multiple clients. If it is revoked, it is revoked for all clients.

  • API Keys are not manageable – administrators cannot monitor or manage a user’s API Keys.

As a result, JFrog decided to begin the process of deprecating the API Keys.

Examples

The following code shows a hardcoded Artifactory API Key, prefixed with AKC.

export ARTIFACTORY_URL=http://.../artifactory
export ARTIFACTORY_APIKEY=AKCp5budTFpbypB...8ksWGc9fM
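As an added example (not part of the original rule text), the scanner below finds hardcoded keys with the AKC prefix shown above in a constructed config snippet, and emits a redacted form plus a short hash fingerprint so that the compromised key can be searched for across repositories without copying the secret itself into tickets or logs. The character class and minimum length in the regex are assumptions chosen to reduce false positives; only the AKC prefix comes from this page.

```python
import hashlib
import re
from dataclasses import dataclass

# Artifactory API keys start with "AKC" (from the rule above). The alphanumeric
# charset and the 20-character floor after the prefix are assumptions that keep
# short placeholders such as "AKC...redacted" from matching.
APIKEY_RE = re.compile(r"(?<![A-Za-z0-9])(AKC[A-Za-z0-9]{20,})(?![A-Za-z0-9])")

# Constructed sample input: these are not real credentials.
SAMPLE = """\
export ARTIFACTORY_URL=https://artifactory.example.com/artifactory
export ARTIFACTORY_APIKEY=AKCp5budTFpbypBzzzzzzzzzzzzzzzzzzzzzzzzzzzz8ksWGc9fM
# api_key = AKC...redacted   <- documentation placeholder, must not match
curl -H "X-JFrog-Art-Api: AKCq8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" https://artifactory.example.com/artifactory/api/repositories
"""


@dataclass
class Finding:
    line_no: int
    redacted: str     # safe to show in a report
    fingerprint: str  # safe to share when hunting for other copies


def redact(key: str) -> str:
    """Keep just enough of the key to recognise it visually."""
    return key[:6] + "..." + key[-4:]


def fingerprint(key: str) -> str:
    """Stable identifier for a key that does not reveal the key."""
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def scan(text: str) -> list[Finding]:
    """Return one Finding per API-key-shaped token, with its 1-based line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in APIKEY_RE.finditer(line):
            key = match.group(1)
            findings.append(Finding(line_no, redact(key), fingerprint(key)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.redacted} (fingerprint {f.fingerprint})")
```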

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically requires rotating the key. To rotate the Artifactory API key, log in to Artifactory, navigate to the User Menu in the top-right corner, and select Edit Profile. Copy the value of the compromised API Key so you can search for it in your applications and services. Then click the Regenerate icon and copy the value of the new API Key.

    Alternatively, you may use the REST API endpoints to revoke API Keys.

  2. Replace legacy API keys with the new identity token + access token. If you insist on using API keys, replace the leaked API key with the new one, using a more secure alternative to hard-coding. The options are documented in How to Prevent Hard-Coded Secrets.

  3. Check access logs to ensure that the secret was not used by unintended actors during the compromised period. Note that JFrog Artifactory only provides the ability to identify which users authenticated with API keys.

  4. Remove the Artifactory API key from the source code or committed configuration file.

    You should consider any sensitive data in commits with secrets as compromised.

    Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

  5. JFrog API Keys are deprecated. This could be a good moment to migrate from API Keys to the more robust Access Tokens for API authentication. To create temporary access tokens (JWT tokens), you can generate an Identity Token, which can then be used to create ephemeral Access Tokens.