JFrog Artifactory is a universal artifact repository manager that stores and manages binary artifacts used in software development, including libraries, dependencies, and build outputs. It supports multiple package formats and integrates with CI/CD pipelines, enabling teams to manage and distribute software components efficiently and securely.
While Artifactory streamlines DevOps workflows, misconfigurations or outdated versions can expose sensitive artifacts, credentials, and internal resources, creating serious security risks for organizations.
Organisations often rely on automated scanning to assess their external security posture, and INFO-level findings are frequently dismissed without further consideration. This behaviour is reinforced by most security frameworks, which can give security professionals the impression that such findings are safe to ignore. In reality, this misconception can create blind spots that lead to serious security issues and downstream complications.
While Artifactory streamlines DevOps workflows, misconfigurations or outdated versions can expose sensitive artifacts, credentials, and internal resources, creating serious security risks for organizations.
| Repository Type | Description | Security Considerations |
|---|---|---|
| Local | Hosted internally, stores proprietary builds and artifacts | Ensure strict access controls; primary focus for sensitive data assessment |
| Remote | Caches external repositories (Maven Central, npm, Docker Hub) | Monitor for outdated or malicious upstream artifacts |
| Virtual | Aggregates multiple local and remote repositories under one endpoint | Simplifies access; ensure internal and external sources are secured |
Summary: Local repositories hold sensitive internal artifacts, remote repositories cache external dependencies, and virtual repositories unify access. Proper access controls are essential for security.
Versions of JFrog Artifactory prior to 7.84.3 allowed anonymous access to download artifacts by default. This means that unless anonymous access was explicitly disabled, anyone could retrieve stored files without authentication, potentially exposing sensitive internal resources.
Starting from Artifactory 7.84.3, the anonymous user is removed from the Anything and Any Remote permissions by default, mitigating the risk of unauthorized downloads JFrog Documentation.
Executive Insight: Unauthorized access to internal artifacts can lead to data breaches, exposure of API keys, credentials, or proprietary code, and downstream compromise of services.
A Shodan search identified 322 JFrog Artifactory instances, of which 116 are publicly accessible, representing a significant security risk if proper controls are not in place.
| Version Series | Number of Servers | % of Total |
|---|---|---|
| 6.x | 345 | 73% |
| 5.x | 78 | 16% |
| 4.x | 33 | 7% |
| 3.x | 6 | 1% |
| 2.x | 2 | <1% |
Insight: The predominance of version 6.x indicates most deployments are recent and benefit from newer features. Older versions (2.x-5.x) may be exposed to unpatched vulnerabilities, highlighting the importance of timely updates and version management.
Artifactory repositories may store artifacts containing sensitive information such as database credentials, API keys, and keystore passwords. Development builds are as sensitive as traditional file servers.
Key artifact types include:
| File Type | Examples of Sensitive Content |
|---|---|
.war, .jar, .ear |
Configuration files, credentials, cloud tokens |
.class |
Decompiled Java bytecode may reveal embedded secrets |
.properties, .yaml |
API keys, database credentials, service account keys |
.sql, .pem, .jks |
Database dumps, private keys |
Scripts (.sh, .bat) |
Automation credentials |
Source code (.java, .js, .php) |
Hardcoded API keys, secrets |
Executive Insight: Even seemingly low-risk files (logs, spreadsheets, text) can contain embedded secrets. Public exposure of these repositories could allow attackers to compromise internal services, cloud accounts, and databases.
Network vulnerability scans may report informational findings such as "Artifactory Detect", indicating the presence of Artifactory instances. Although scanners often include a plugin specifically for "JFrog Artifactory Anonymous Deployment Detected", in one particular scan this plugin did not trigger, likely due to detection limitations. These findings are typically classified as INFO and can be easily overlooked.
Security Insight: Even if the anonymous deployment plugin does not trigger, the presence of an Artifactory instance warrants further investigation. Manual verification is recommended to confirm access controls, detect exposed artifacts, and uncover credentials or configuration issues that automated scans may miss.
Auditing Artifactory repositories involves crawling, parsing, downloading, and searching for secrets. Since local repositories contain internal builds, they are the primary focus.
Artifactory servers often host numerous repositories, versions, and packages, making it challenging to manually analyze, download, or parse all artifacts. Automated and selective approaches are therefore necessary to efficiently assess potential risks.
To optimize efforts:
These scripts provide a complete workflow for auditing Artifactory servers:
| Script Filename | Description | Purpose |
|---|---|---|
artifactory_repo_scanner.py |
Enumerate Artifactory repos and cache latest versions | Recursively enumerate all Artifactory repositories and files, maintain a durable cache of latest artifact versions, and optionally use Maven metadata for accurate versioning. |
download_loot.py |
Multi-threaded file downloader with chunking support | Concurrently downloads files from a list of URLs, supports multi-connection chunked downloads for servers with range requests, enforces maximum file size limits, and preserves directory structure. |
analyze_loot.py |
Scan archives for sensitive data | Recursively analyzes archive files (.zip, .jar, .war) for sensitive information such as passwords, tokens, API keys, and database URLs. Supports regex-based scanning or TruffleHog, optional decompilation of Java .class files via CFR, temporary extraction management, and outputs results in TXT, JSON, or CSV formats. |
The following is a sample output from running the artifactory_repo_scanner.py script. IP addresses and domain names have been anonymized for security and privacy reasons:
% python3.11 artifactory_repo_scanner.py -h
usage: artifactory_repo_scanner.py [-h] (-u URL | -U URL_LIST) -o OUTPUT [-f] [--type {LOCAL,REMOTE,VIRTUAL}] [--timeout TIMEOUT] [--retries RETRIES] [--list-repos-only] [--repo REPO]
[--threads THREADS] [--fresh] [--resume] [--latest-only] [--use-maven-metadata] [--cache-ttl CACHE_TTL]
JFrog Artifactory recursive file lister (durable resume + latest cache)
options:
-h, --help show this help message and exit
-u URL, --url URL Base URL of the Artifactory instance
-U URL_LIST, --url-list URL_LIST
File containing list of URLs (one per line)
-o OUTPUT, --output OUTPUT
Output file to save results
-f, --fingerprint Only fingerprint the server
--type {LOCAL,REMOTE,VIRTUAL}
Only scan repos of this type
--timeout TIMEOUT Request timeout in seconds
--retries RETRIES Number of retries for failed requests
--list-repos-only List repos but not files
--repo REPO Specify a single repo to list files from
--threads THREADS Number of concurrent threads for URLs
--fresh Start fresh (delete DB)
--resume Resume from existing DB (default)
--latest-only Only list latest version per artifact
--use-maven-metadata When --latest-only, consult maven-metadata.xml for Maven repos (cached in DB)
--cache-ttl CACHE_TTL
Seconds before cached latest_versions entries expire (0 = no expiry)
% python3.11 artifactory_repo_scanner.py -U public_artifactory_servers.txt --timeout 60 --type LOCAL -o public_repo_files_listing.txt --threads 15
[+] http://XXX.XXX.XXX.XXX:8080 (Version: 5.8.4)
[+] http://XXX.XXX.XXX.XXX:80 (Version: 6.11.1)
[http://XXX.XXX.XXX.XXX:8080] Found repo: libs-android (Type: LOCAL, Package: unknown) (listed=0)
[http://XXX.XXX.XXX.XXX:8080] Found repo: libs-android-test (Type: LOCAL, Package: unknown) (listed=0)
[http://XXX.XXX.XXX.XXX:8080] Found repo: libs-release-local (Type: LOCAL, Package: unknown) (listed=0)
[http://XXX.XXX.XXX.XXX:8080] Found repo: libs-release-local-maven (Type: LOCAL, Package: unknown) (listed=0)
[*] Scanning repo: libs-android
[~] libs-android: pending folders=1, files so far=0
[+] https://XXX.XXX.XXX.XXX (Version: 6.8.7)
[https://XXX.XXX.XXX.XXX] Found repo: generic-local (Type: LOCAL, Package: generic) (listed=0)
[https://XXX.XXX.XXX.XXX] Found repo: gradle-dev-local (Type: LOCAL, Package: gradle) (listed=0)
[https://XXX.XXX.XXX.XXX] Found repo: gradle-release-local (Type: LOCAL, Package: gradle) (listed=0)
[https://XXX.XXX.XXX.XXX] Found repo: libs-gtrans-release (Type: LOCAL, Package: maven) (listed=0)
[https://XXX.XXX.XXX.XXX] Found repo: libs-release-local (Type: LOCAL, Package: maven) (listed=0)
[https://XXX.XXX.XXX.XXX] Found repo: libs-snapshot-local (Type: LOCAL, Package: maven) (listed=0)
JFrog Artifactory is critical for modern DevOps workflows, but misconfigurations and outdated versions pose serious security risks.
By combining technical assessment with executive awareness, organizations can:
Call to Action: Regularly audit Artifactory repositories, remove unnecessary anonymous access, and monitor public exposure to safeguard sensitive assets.