Artifactory Access Token

ID

artifactory_token

Severity

high

Vendor

JFrog

Family

API Token

Description

JFrog Artifactory is a Repository Manager for binary resources including libraries, remote artifacts and other third-party resources.

Artifactory Access Tokens are scoped tokens with a finite lifetime and limited permissions that are easier to revoke; they replace the (now deprecated) API Keys.

Access tokens authenticate REST API calls as an alternative to username+password, typically sent as a Bearer token in the Authorization header or as the password in HTTP basic authentication.

To create a (scoped) access token, authenticate with an identity token and use either the JFrog CLI command jf access-token-create or the Create Token REST API endpoint.

Access tokens have a finite lifetime (1 year by default, configurable when the token is created) and can be revoked at any time.

Security

If compromised, a non-expired access token grants the permissions of the owning user, restricted to the token's scope. Depending on the scope, this may include administration rights.

API clients with hardcoded tokens in CI/CD scripts are a common source of security issues. Because an access token is a JWT, its subject, scope and expiry can be read from the token payload without contacting the server, which helps when triaging a leak.

Access tokens can be easily revoked or regenerated using the JFrog Access API.

Examples

The following code shows a hardcoded Artifactory access token (a JWT):

```bash
export ARTIFACTORY_URL=http://myorg.jfrog.io
export ARTIFACTORY_TOKEN=eyJ2ZXIiOiIyIiwidHlwIj...pC9SeABYnyKg
```
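The script below is an added example (not code from the original page or from JFrog) of how a leaked token like the one above can be detected in a file and triaged. It finds JWT-shaped strings, decodes the header and payload without verifying the signature, keeps only those that look like JFrog access tokens, and reports subject, scope and remaining lifetime. The sample CI script and the tokens inside it are constructed for the example and carry bogus signatures; the assumption that JFrog tokens are recognisable by "ver":"2" in the header and service ids such as jfrt@... / jfac@... in the claims is this example's, so verify it against tokens from your own instance.

```python
import base64
import json
import re
import time

# A JWT is three base64url segments; "eyJ" is how a base64-encoded '{"' begins.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return (header, payload) of a JWT WITHOUT checking the signature.

    Fine for triaging a token you already treat as leaked; it is not an
    authenticity check, which would need the instance's signing key.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def is_artifactory_token(header, payload):
    # JFrog access tokens carry "ver":"2" in the header and name the issuing
    # service / subject with service ids such as jfrt@<id> or jfac@<id>.
    # Assumption: keying on these prefixes is enough to tell them from other JWTs.
    if header.get("typ") != "JWT" or str(header.get("ver")) != "2":
        return False
    ids = " ".join(str(payload.get(k, "")) for k in ("sub", "iss", "aud"))
    return re.search(r"\bjf[a-z]{2}@", ids) is not None


def triage(token, now=None):
    """Summarise what a leaked token can do and whether it is still live."""
    _, payload = decode_claims(token)
    now = time.time() if now is None else now
    exp = payload.get("exp")
    scope = payload.get("scp", "")
    return {
        "subject": payload.get("sub"),
        "token_id": payload.get("jti"),
        "scope": scope,
        "admin": "applied-permissions/admin" in scope,
        "expired": exp is not None and exp <= now,
        "days_left": None if exp is None else round((exp - now) / 86400, 1),
    }


def find_artifactory_tokens(text, now=None):
    """Scan text (a CI script, config file, log) for Artifactory access tokens."""
    findings = []
    for match in JWT_RE.finditer(text):
        try:
            header, payload = decode_claims(match.group(0))
        except ValueError:  # base64 and JSON errors are ValueError subclasses
            continue
        if is_artifactory_token(header, payload):
            findings.append(triage(match.group(0), now))
    return findings


# --- constructed sample data (bogus signatures; not real tokens) -------------
def make_unsigned_token(payload, header=None):
    header = header or {"ver": "2", "typ": "JWT", "alg": "RS256", "kid": "constructed"}

    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

    return f"{enc(header)}.{enc(payload)}.ZmFrZXNpZw"


NOW = 1_700_000_000  # fixed clock so results are reproducible
ADMIN_TOKEN = make_unsigned_token({
    "sub": "jfrt@01abc/users/ci-bot", "scp": "applied-permissions/admin",
    "aud": "*@*", "iss": "jfac@01abc", "exp": NOW + 30 * 86400, "iat": NOW - 86400, "jti": "aaaa-1111"})
EXPIRED_TOKEN = make_unsigned_token({
    "sub": "jfrt@01abc/users/reader", "scp": "applied-permissions/user",
    "aud": "jfrt@01abc", "iss": "jfrt@01abc", "exp": NOW - 3600, "iat": NOW - 365 * 86400, "jti": "bbbb-2222"})
OTHER_JWT = make_unsigned_token({"sub": "1234567890", "name": "someone"}, {"alg": "HS256", "typ": "JWT"})

SAMPLE_CI_SCRIPT = f"""export ARTIFACTORY_URL=https://myorg.jfrog.io
export ARTIFACTORY_TOKEN={ADMIN_TOKEN}
OLD_TOKEN={EXPIRED_TOKEN}
OTHER_SERVICE_JWT={OTHER_JWT}
"""

if __name__ == "__main__":
    for finding in find_artifactory_tokens(SAMPLE_CI_SCRIPT, now=NOW):
        print(finding)
```

Run against the constructed script it reports two JFrog tokens (an admin token with 30 days left and an expired user token) and ignores the unrelated JWT. An expired token still means the file needs cleaning, but it changes the urgency: only the live admin token needs the rotation steps below.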

Mitigation / Fix

Follow your policy for handling leaked secrets. In this case, the compromised access token should be replaced with a new scoped token and then revoked:

  1. Generate a new scoped token: log into an administrative Artifactory account, open the Administration tab, then click User Management / Access Tokens in the left menu. Click Generate Token and set the token properties.

    Alternatively, use the jf access-token-create --scope JFrog CLI command (an administration identity token is required), or the Create Token API endpoint.

    If the compromised token is refreshable, you can instead call the Refresh Token endpoint and replace the compromised token with the new one returned by the call. This is the faster option when you want the compromised token invalidated immediately and can tolerate some builds breaking while the token references are updated.

  2. Replace the compromised access token with the new one, using a more secure alternative instead of hard-coding. The options are documented in How to Prevent Hard-Coded Secrets.

  3. Once you are sure that all references to the compromised access token have been replaced, delete it in the web UI or call the Revoke Token by Value API endpoint.

  4. Check the access logs to ensure that the secret was not used by unintended actors during the exposure window. JFrog Artifactory provides access logs for this purpose:

    • Log into your Artifactory web UI.

    • Navigate to Administration tab, Monitoring in the left menu, then click Artifactory Logs.

  5. (Optionally) Remove the access token from the source code or committed configuration file. Rewriting git history is not recommended once the compromised token has been revoked. Make sure the files that leaked are listed in .gitignore (or equivalent) so they are not committed again.
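Steps 1 and 3 of the procedure, done through the REST API rather than the web UI, as an added example that is not part of the original page or JFrog's own tooling. It creates a least-privilege, short-lived replacement token and revokes the leaked one by value, but only when explicitly asked, so the caller can first replace every reference (step 2). The endpoint paths and form fields follow the JFrog Access API (Create Token, Revoke Token by Value) as this example understands them; verify them against the documentation for your Artifactory version. The HTTP transport is injectable so the logic can be exercised offline; the environment variable names in the main block are this example's choice.

```python
import json
import os
import urllib.parse
import urllib.request

# Endpoint paths per the JFrog Access API (Create Token / Revoke Token by
# Value) as assumed by this example; verify for your Artifactory version.
TOKENS_PATH = "/access/api/v1/tokens"


def urllib_transport(method, url, headers, body):
    """Default HTTP transport. Returns (status, response body bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class AccessClient:
    """Minimal client for the two calls the rotation needs."""

    def __init__(self, base_url, admin_token, transport=urllib_transport):
        self.base = base_url.rstrip("/")
        self.auth = {"Authorization": f"Bearer {admin_token}"}
        self.transport = transport

    def _post_form(self, path, fields):
        headers = dict(self.auth, **{"Content-Type": "application/x-www-form-urlencoded"})
        status, raw = self.transport("POST", self.base + path, headers,
                                     urllib.parse.urlencode(fields).encode())
        if status >= 300:
            raise RuntimeError(f"POST {path} failed: {status} {raw[:200]!r}")
        return json.loads(raw) if raw else {}

    def create_token(self, username, scope="applied-permissions/user",
                     expires_in=30 * 86400, description="rotated after leak"):
        # Least privilege and short-lived by default: user scope, 30 days,
        # not refreshable. These defaults are this example's choice.
        return self._post_form(TOKENS_PATH, {
            "username": username, "scope": scope, "expires_in": expires_in,
            "refreshable": "false", "description": description})

    def revoke_by_value(self, token_value):
        return self._post_form(TOKENS_PATH + "/revoke", {"token": token_value})


def rotate_leaked_token(client, leaked_token, username, revoke_now=False, **token_opts):
    """Create a scoped replacement; revoke the leaked token only when asked.

    Revocation is opt-in so the caller can first replace every reference to
    the old token and revoke afterwards. Pass revoke_now=True to cut off the
    leaked token immediately and accept that builds still using it will break.
    """
    replacement = client.create_token(username, **token_opts)
    if revoke_now:
        client.revoke_by_value(leaked_token)
    return replacement


if __name__ == "__main__":
    # Real run against an instance; variable names are this example's choice.
    client = AccessClient(os.environ["ARTIFACTORY_URL"], os.environ["ARTIFACTORY_ADMIN_TOKEN"])
    new = rotate_leaked_token(client, os.environ["LEAKED_TOKEN"],
                              os.environ.get("TOKEN_USER", "ci-bot"))
    print("new token id:", new.get("token_id"), "scope:", new.get("scope"))
```

The replacement's scope defaults to applied-permissions/user rather than admin: if the leaked token had admin scope, rotation is also the moment to ask whether the pipeline actually needs it. Pass the admin token used here from a secret store, never from a file alongside the one that just leaked.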

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.