Artifactory anonymous deploy

By kannthu

High
Vidoc Module
#artifactory
Description

What is "Artifactory anonymous deploy"?

The "Artifactory anonymous deploy" module is designed to detect misconfigurations in the Artifactory software. Artifactory is a repository manager that allows organizations to manage their software artifacts. This module focuses on the anonymous deployment feature of Artifactory.

This module has a severity level of high, indicating that it targets a potentially critical vulnerability.

The original author of this module is panch0r3d.

Impact

The "Artifactory anonymous deploy" module aims to identify potential security risks related to the anonymous deployment feature in Artifactory. If misconfigured, this feature could allow unauthorized users to deploy artifacts to the repository, potentially leading to unauthorized access or the introduction of malicious code.

How does the module work?

The "Artifactory anonymous deploy" module works by sending an HTTP GET request to the "/artifactory/ui/repodata?deploy=true" endpoint of the Artifactory instance. It then applies several matching conditions to determine if a misconfiguration exists.

Matching conditions:

- The response body must contain the word "repoKey".
- The HTTP status code must be 200.
- The response header must include the word "application/json".

If all of these conditions are met, the module will report a potential misconfiguration in the Artifactory anonymous deployment feature.
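The three matching conditions above, applied offline to saved HTTP responses, as an added example (this is not Vidoc's module code). It assumes "word" matchers are plain substring checks; the function names, sample responses and their JSON shape are constructed for illustration.

```python
# Added example: evaluate the module's three matching conditions against
# raw HTTP responses saved from your own Artifactory instance.
ENDPOINT = "/artifactory/ui/repodata?deploy=true"  # path from the module description


def parse_raw_response(raw: str):
    """Split a raw HTTP/1.x response (e.g. saved `curl -i` output) into parts."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, _, header_block = head.partition("\n")
    fields = status_line.split()
    if len(fields) < 2 or not fields[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(fields[1]), header_block, body


def evaluate(raw: str) -> dict:
    """Return each matcher's result plus the combined (AND) verdict."""
    status, header_block, body = parse_raw_response(raw)
    results = {
        # Assumption: "word" matchers are plain substring checks.
        "body_word": '"repoKey"' in body,
        "status_200": status == 200,
        "header_word": "application/json" in header_block,
    }
    # All three conditions must hold for the module to report a finding.
    results["match"] = all(results.values())
    return results


# Constructed sample responses; the JSON shape is hypothetical, not real output.
SAMPLES = {
    "json_200_with_repokey": 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n'
                             '{"repoList":[{"repoKey":"example-repo-local"}]}',
    "json_401": 'HTTP/1.1 401 Unauthorized\r\nContent-Type: application/json\r\n\r\n'
                '{"error":"Unauthorized"}',
    "html_200": 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
                '<p>"repoKey" is required</p>',
    "json_200_without_repokey": 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n'
                                '{"repoList":[]}',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {evaluate(raw)}")
```

Only the first sample satisfies all three conditions; the others each fail at least one matcher, which shows why the status and content-type checks are needed alongside the body word.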

For more information, you can refer to the reference.

Metadata: max-request: 1

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /artifactory/ui/repo...
Matching conditions
word: "repoKey" and
status: 200 and
word: application/json
Passive global matcher
No matching conditions.
On match action
Report vulnerability