Artifactory Identity Token
ID | artifactory_identity_token
Severity | critical
Vendor | JFrog
Family | Access Key
Description
JFrog Artifactory is a Repository Manager for binary resources including libraries, remote artifacts and other third-party resources.
Artifactory Access Tokens, also known as "Identity Tokens", allow authentication to JFrog products' APIs as an alternative to username+password, typically sent in an X-JFrog-Art header or through HTTP basic authentication.
The user profile enables users to generate identity tokens. Any user can create a user identity token for themselves via the UI. Identity tokens are scoped tokens, which means that they provide limited and focused permissions, making them more secure and, therefore, preferable to the deprecated API keys. In addition, when a user is deleted/disabled, their tokens are also revoked.
Identity tokens have a finite lifetime (1 year by default) and can be easily deleted.
Security
If an identity token is leaked, the owning user can be easily impersonated. Using the Access Token API, an attacker can create access tokens with the right scope for performing operations on the JFrog platform. If the owning user is an administrator, the token gives the attacker full control of the JFrog / Artifactory platform.
Publishing components with malicious behavior in internal repositories could be used to launch a software supply chain attack.
Examples
The following code shows a hardcoded JFrog / Artifactory identity token.
export ARTIFACTORY_URL=http://.../artifactory
export ARTIFACTORY_TOKEN=cmVmdGtuOjAxO...U0xoeUw5
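As an added example (not part of this rule page or of JFrog's tooling), the following detector scans configuration text for candidate identity tokens by the cmVmdGtuOjAxO prefix shown above, confirms that the candidate base64-decodes to the reftkn:01: marker, and reports hits in redacted form; the sample file contents and token are constructed.

```python
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Identity (reference) tokens are base64 text that decodes to "reftkn:01:...",
# which is why each one starts with the visible prefix cmVmdGtuOjAxO.
TOKEN_PREFIX_RAW = b"reftkn:01:"
_CANDIDATE = re.compile(r"cmVmdGtuOjAx[A-Za-z0-9+/]{20,}={0,2}")


@dataclass
class Finding:
    line_no: int
    redacted: str        # safe to put in a report or alert
    decoded_prefix: str  # the marker that confirmed the match


def _decode(candidate: str) -> Optional[bytes]:
    # Re-pad so partially padded or unpadded matches still decode strictly.
    stripped = candidate.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def redact(token: str) -> str:
    # Same shape the rule's own example uses: prefix, ellipsis, last 8 chars.
    return f"{token[:13]}...{token[-8:]}"


def find_identity_tokens(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            raw = _decode(m.group(0))
            if raw is None or not raw.startswith(TOKEN_PREFIX_RAW):
                continue  # base64 lookalike, not a reference token
            findings.append(Finding(line_no, redact(m.group(0)), raw[:10].decode()))
    return findings


# Constructed sample input (not a real token): a shell config with an identity
# token hard-coded next to an unrelated base64 value.
SAMPLE_TOKEN = base64.b64encode(b"reftkn:01:1700000000:CONSTRUCTEDEXAMPLETOKEN0123456789").decode()
SAMPLE_TEXT = "\n".join([
    "export ARTIFACTORY_URL=http://artifactory.example.internal/artifactory",
    f"export ARTIFACTORY_TOKEN={SAMPLE_TOKEN}",
    "export OTHER=" + base64.b64encode(b"not a jfrog token, just base64 text").decode(),
])

if __name__ == "__main__":
    for f in find_identity_tokens(SAMPLE_TEXT):
        print(f"line {f.line_no}: artifactory_identity_token (critical) {f.redacted}")
```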
Mitigation / Fix
- Generate a new Artifactory Token: Log into the Artifactory account that owns the token, then go to the User profile (or go to https://ARTIFACTORY_URL/ui/user_profile) and click on "Generate an Identity Token". This will be the new identity token.
- Replace any appearance of the compromised token, typically in scripts that use the identity token to create an ephemeral access token, with your new identity token. Do not hard-code it again! Safer alternatives are documented in How to Prevent Hard-Coded Secrets.
- Delete the compromised token by clicking on the
- Remove the Artifactory API key from the source code or committed configuration file.
- Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). The API key can be revoked / regenerated from the user profile or using the API.
- If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.
- You should consider any sensitive data in commits with secrets as compromised. Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.
- Check access logs to ensure that the secret was not used by unintended actors during the compromised period. JFrog Artifactory provides access logs to check for suspicious activity using leaked API keys.