Fixed Security Vulnerabilities

Artifactory

CVEs Impacting Artifactory

The following is a list of CVEs that were discovered to impact Artifactory and were fixed.

CVE	Severity	Artifactory Fix Version	Fix Description
CVE-2021-43797	Medium	7.37.13	Upgraded `Netty` version 4.1.68 to version 4.1.71.
CVE-2021-3807	High	7.37.13	Upgraded `ansi-regex` version 4.1.0 and 3.0.0 to version 5.0.1 or 6.0.1.
CVE-2022-23806	Critical	7.37.13	Upgraded `Curve.IsOnCurve` in crypto/elliptic in Go prior to version 1.16.14 and 1.17.x prior 1.17.7 to version 1.17.7.
CVE-2021-38561	High	7.37.13	Upgraded `internal/language/parse.go` version 0.3.6 to version 0.3.7.
CVE-2021-41091	Medium	7.35.1	Upgraded to `docker v20.10.9` Upgraded `image-spec v.1.0.2`
CVE-2021-41090	Medium	7.35.1	Upgraded to `docker v20.10.9` Upgraded `image-spec v.1.0.2`
CVE-2021-22060	Medium	7.34.4	Upgraded `org.springframework:spring-core:5.3.12` to version 5.3.14.
CVE-2021-42550	Medium	7.31.10	Upgraded the `logback.xml` to version 1.2.9.
CVE-2017-9506	Medium	7.31.10	Upgraded the `IconUriServlet` of the Atlasssian OAuth Plugin to 2.0.4.
CVE-2015-2575	Medium	7.31.10	Upgraded mysql:mysql-connector-java:8.0.20 to 8.0.27.
CVE-2021-42340	High	7.31.10	Upgraded the Apache Tomcat version to: 9.0.48 -> 9.0.55 8.5.66 -> 8.5.73
CVE-2021-3765	High	7.31.10	Upgraded the validator version to 13.6.0.
CVE-2020-13949	High	7.31.10	Upgraded to `jaege`r 1.6.0 which uses `Thrift` 0.14.1
CVE-2021-35560 CVE-2021-35550 CVE-2021-35556 CVE-2021-35561 CVE-2021-35564 CVE-2021-35565 CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 CVE-2021-35588 CVE-2021-35603	High	7.31.10	Upgraded to Java version 1.11.0_13.
CVE-2021-36374	Medium	7.31.10	Upgraded Apache ant-1.9.15 to version ant-1.10.1.
CVE-2021-33037	Medium	7.27.3	Upgraded to Apache Tomcat version 8.5.68 or later.
CVE-2021-22147	High	7.27.3	Upgraded `org.elasticsearch:elasticsearch` to version 7.14.0.
CVE-2021-22148	High	7.27.3	Upgraded `org.elasticsearch:elasticsearch` to version 7.14.0.
CVE-2021-22149	High	7.27.3	Upgraded `org.elasticsearch:elasticsearch` to version 7.14.0.
CVE-2021-30129	High	7.25.4 (Cloud)	Upgraded `org.apache.sshd:sshd-core:2.6.0` to version v2.7.
CVE-2017-18640	High	7.25.4 (Cloud)	Upgraded the `Snakeyaml 1.23 XML Entity Expansion` to version 1.26.
CVE-2021-27568	Critical	7.25.4 (Cloud)	Upgraded `json-smart-1.3.1` to version 2.4.7.
CVE-2020-29582	Medium	7.25.4 (Cloud)	Updated to the latest release of `Koplin` from version 1.3.50 to 1.5.20.
CVE-2017-18640	High	7.25.4 (Cloud)	Updated `Snakeyaml version 1.23 XML Entity Expansion` to version 1.29.
CVE-2021-27568	Critical	7.25.4 (Cloud)	Updated `json-smart-1.3.1` to version 1. 2.4.7.
CVE-2021-26291	Normal	7.24.1	Upgraded to Maven version 3.8.1.
CVE-2021-13936	High	7.24.1	Upgraded the Apache Velocity engine versions to 2.2
CVE-2019-20104	High	7.24.1	Upgraded Crowd version to 3.7.2.
CVE-2018-9116	Critical	7.23.3	Upgraded to `wiremock` version to 2.28.0.
CVE-2021-29505	Critical	7.21.3	Upgraded `XStream` to version 1.4.17.
CVE-2021-26291	High	7.21.3	Upgraded Apache Maven to version 3.8.1.
CVE-2021-21290	Medium	7.21.3	Upgraded `netty-codec-http:4.1.53.final` to `4.1.59.Final`.
CVE-2020-17521	Medium	7.21.3	Upgraded `org.codehaus.groovy:groovy-all` from 2.4.16 to 2.5.14
CVE-2020-14340	Medium	7.21.3	Upgraded `org.jboss.xnio:xnio-nio` to version `3.8.4.Final.`
CVE-2021-22112	High	7.17.4	Upgraded to `Spring Security Web` version 5.4.5.
CVE-2021-25122	High	7.17.4	Upgraded to `Apache Tomcat` version 8.5.63.
CVE-2019-10219	Medium	7.15.3	Upgraded `org.hibernate:hibernate-validator` to version 6.0.18.
CVE-2019-17571	Medium	7.15.3	Upgraded `log4j-to-slf4j` and `log4j-api` upgraded to version 2.14.0.
CVE-2016-10750	High	7.11.1	Removed h`azelcast-3.6.1.jar` from Artifactory.
CVE-2017-7657	Medium	7.11.1,	Upgraded O`rg.eclipse.jetty:jetty-http` to version 9.4.11.v20180605.
CVE-2017-1000487	High	7.11.1	Upgraded `Plexus-utils` to version 3.3.0.
CVE-2020-25649	High	7.11.1	Upgraded `fasterxml.jackson.version` to version 2.11.3.
CVE-2019-17359	High	7.10.5	Upgraded `bcprov-jdk15on` to version 1.64.
CVE-2020-7226	High	7.10.5	Upgraded `artifactory.war` at `cryptacular-1.1.1.jar` to version 1.1.4.
CVE-2020-7692	Critical	7.10.2	Upgraded `google-oauth-client` library from version 1.27 to 1.31.
CVE-2019-12402	Medium	7.10.1	Upgraded `Commons-compress` lib was upgraded to 1.20.
CVE-2019-12402	Medium	7.10.1	Upgraded to `Commons-compress` lib was upgraded to 1.20.
CVE-2020-15586 golang.org/issue/34902	High	7.10.1	Upgraded to the latest version of `Go` 1.14.9.
CVE-2019-20104	High	7.10.1	Upgraded to `Crowd lib` was upgraded to 3.7.2.
CVE-2017-7957	High	7.10.1	Upgraded to `XStream-1.4.11.1`.
CVE-2016-3674	High	7.10.1	Upgraded to `XStream-1.4.11.1.`
CVE-2013-7285	Critical	7.10.1	Upgraded to `XStream-1.4.11.1`.
CVE-2020-8203	High	7.9.0	Upgraded `lodash` version to 4.17.20
CVE-2020-1745	Critical	7.9.0	`io.undertow:undertow-core / 2.0.15.Final` was upgraded to `2.0.30.final`
CVE-2017-15095	Critical	7.8.1	`fge:jackson-coreutils:jar` was upgraded to version 2.0
CVE-2017-17485	Critical	7.8.1	`fge:jackson-coreutils:jar` was upgraded to version 2.0
CVE-2017-7525	Critical	7.8.1	`fge:jackson-coreutils:jar` was upgraded to version 2.0
CVE-2020-13935	High	7.7.0	Apache Tomcat was upgraded to version 8.5.57
CVE-2020-13934	High	7.7.0	Apache Tomcat was upgraded to version 8.5.57
CVE-2020-11996	High	7.7.0	Apache Tomcat was upgraded to version 8.5.57
CVE-2020-28500 CVE-2020-8203 CVE-2021-23337	Critical	6.23.25	The npm lodash library was upgraded to version 4.17.21
CVE-2017-18214	High	6.23.25	npm moment.js library was upgraded to version 2.19.3
CVE-2017-18640	High	6.23.0	Upgraded `snakeyaml-1.23.jar` from version 1.26 to 1.27.
CVE-2020-7692	Critical	6.23.0	Upgraded `google-oauth-client` library from version 1.27 to 1.31.
CVE-2019-12402	Medium	6.23.0	Upgraded `Commons-compress` lib was upgraded to version 1.20.
CVE-2020-15586 and Go issue golang.org/issue/34902	High	6.23.0	Upgraded to the latest version of Go 1.14.9.
CVE-2019-20104	High	6.23.0	Upgraded to Crowd lib was upgraded to 3.7.2 version.
CVE-2018-1000206	High	6.1	Artifactory now validates the actual value of the `X-Request-With` header instead of checking the existence of it
CVE-2017-7525	Critical	6.1	FasterXML jackson-databind was upgraded to version 2.93 and 2.8.10 and includes a fix to prevent unauthenticated remote code execution.
CVE-2016-8745	High	5.2.0	`Apache Tomcat` was upgraded to version 8.0.41 that includes a fix for NIO HTTP connector vulnerability
CVE-2016-8735	Critical	5.0.0	`Apache Tomcat` was upgraded to version 8.0.39
CVE-2016-3092	High	5.0.0	`Apache Tomcat` was upgraded to version 8.0.39
CVE-2016-6501	Critical	4.11.0	Added the "Secure LDAP Search" in the Artifactory LDAP settings to protect against LDAP poisoning by filtering out users exposed to vulnerability
CVE-2014-3623	High	4.10.0	Upgraded the `wss4j` library to version 1.6.17 and `Apache CXF` to version 2.7.13
CVE-2015-0227	Medium	4.10.0	Upgraded the `wss4j` library to version 1.6.17 and `Apache CXF` to version 2.7.13
CVE-2014-0114	High	4.10.0	Upgraded `commons-beanutils` to version 1.9.2
CVE-2015-7940	Medium	4.8.1	Upgraded the relevant libraries that included the `Bouncy Castle Java` library as a dependency
CVE-2013-4517	Medium	4.8.0	Upgraded the relevant libraries that included the `Apache XML Security For Java` library as a dependency
CVE-2015-4852	High	4.5.2	Upgraded the `commons-collection` library to version 3.2.2
CVE-2015-3253	Critical	4.2.1	Upgraded the `Groovy-all` library to version 2.4.4
CVE-2014-0107	High	4.2.1	Upgraded the `Xalan` library to version 2.7.2
CVE-2014-3577	Medium	3.3.1	Upgraded the `HttpClient` library to version 4.3.5

Page Contents

Vulnerabilities Without a CVE Impacting Artifactory

The following is a list of vulnerabilities that do not have a CVE that impacted Artifactory and have been fixed.

Description	Severity	Artifactory Fix Version
Updated `jackson-dataformats-binary` to version `2.12.3`.	High	7.21.3
Excluded the Plexus-cipher library.	Medium	7.21.3
Upgraded `om.nimbusds:oauth2-oidc-sdk:6.14` to 9.9.3.	High	7.21.3
Upgraded to `wiremock-jre8` version 2.28.0.	High	7.21.3
Upgraded `maven-shared-utils:3.2.1` to version 334.	Critical	7.21.3
Under certain circumstances, authenticated users were able to: Retrieve environment information from Artifactory that normally required administrative rights. Deploy binaries to Artifactory from different upstreams without having adequate permissions to perform these actions.	Critical	6.13.3, 6.14.4, 6.15.2, 6.16.2, 6.17.1, 6.18.1, 7.3.2
Under certain circumstances, users could gain access to application data that should otherwise be exposed only to administrators.	Critical	6.8.14, 6.9.3, 6.10.4
Under certain circumstances, an unauthorized user may be able to send malformed REST API calls to Artifactory that execute under the identity of another user.	Critical	5.6.8, 5.7.3, 5.8.12, 5.9.8, 5.10.5, 5.11.5 6.0.4, 6.1.4, 6.2.1, 6.3.4, 6.4.2, 6.5.9
A SAML-related authentication vulnerability potentially exposed Artifactory to XSW attacks which could sniff and manipulate SAML communications causing the incorrect verification of a SAML login response. This could potentially allow the attacker to gain access to any user in Artifactory.	High	6.5.13

CVEs Not Impacting Artifactory

The following is a list of CVEs that do not impact Artifactory.

CVE	Severity	Reason
CVE-2018-10892	High	Does not affect Artifactory, since only Traefik uses it, and thereby applies only if the Docker Provider is turned on, which is not the case in Artifactory.
CVE-2020-0187	Medium	Does not affect Artifactory, since it only affects the Android Platform.
CVE-2020-0187	Medium	Does not affect Artifactory, since it only affects the Android Platform.
N/A	Medium	Does not affect Artifactory, as it applies only when using Apache Sling which is not the case in Artifactory.
N/A	Medium	Does not affect Artifactory, since it only affects SSLServerSocketAppender and {{SSLSocketAppender }}
CVE-2017-7536	High	Does not affect Artifactory, since Artifactory is not using `org.hibernate_hibernate-validator`.
CVE-2020-9484	High	Does not affect Artifactory, since the vulnerability is exploitable in case Tomcat is configured with PersistenceManager, which Artifactory does not use.
CVE-2019-11888	High	This CVE supposedly affects Artifactory 6.x versions. The golang/go library is part of the Metadata Service which is not enabled in Artifactory 6.x version.
CVE-2019-14809	High	This CVE supposedly affects Artifactory 6.x versions. The golang/go library is part of the Metadata Service which is not enabled in Artifactory 6.x version.
CVE-2019-0232	High	The enableCmdLineArguments parameter is not enabled in the Apache Tomcat bundled with Artifactory.
CVE-2018-8014	High	The JFrog Apache Tomcat version is 8.5.32, which is not one of the vulnerable versions.
CVE-2018-1275	High	The JFrog Spring Framework version is 4.1.8, which is vulnerable to the CVE, as the version is unsupported. However, because JFrog does not implement STOMP broker, we are not exposed to this vulnerability
CVE-2018-8589	Medium	JFrog is not responsible for vulnerabilities in the Windows operating system. Anyone using an on-premises environment should keep the Windows operating system up to date.
CVE-2018-11776	High	Does not affect Artifactory, since JFrog does not use Apache Struts.
CVE-2018-5925	High	Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog.
CVE-2018-5924	High	Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog.
CVE-2018-5382	High	Does not affect Artifactory, since JFrog does not use BKS-V1 keystore.
CVE-2018-1260	High	Does not affect Artifactory, since JFrog does not use Spring Security Oauth.
CVE-2018-1259	High	Does not affect Artifactory, since JFrog does not use Spring Data Commons.
CVE-2017-5664	High	Does not affect Artifactory, since the default value for the `readOnly` property in the DefaultServlet is "`true" (readOnly=true)` in our environment. As mentioned in the CVE, you are only vulnerable: "...if the DefaultServlet is configured to permit writes..."
CVE-2017-5648	Critical	Does not affect Artifactory, since the the `tomcat/webapps` folder only contains the Artifactory WAR and the Access WAR files used by the bundled Tomcat distribution.
CVE-2017-5647	High	Does not affect Artifactory, since the issue refers/relates only to the "Send File" service which is not used by Artifactory.
CVE-2017-5638	Critical	Artifactory is not affected by the Apache Struts 2 vulnerability.
CVE-2014-0097	High	For LDAP authentication, Artifactory strictly uses the ArtifactoryLdapAuthenticationProvider class that uses the ArtifactoryLdapAuthenticator, wrapping the ArtifactoryBindAuthenticator. The latter class is the one used to perform the actual authentication and it does check for empty passwords. Artifactory does not use any other provider with LDAP, such as ActiveDirectoryLdapAuthenticationProvider. This JIRA issue refers to an older class name, ActiveDirectoryLdapAuthenticator, that is not part of Spring Security and Artifactory.
CVE-2008-4108	High	Does not affect Artifactory, since Artifactory Jfrog does not require Python to be installed; the CVE is not relevant for Jfrog.
CVE-2005-2541	High	Does not affect Artifactory, since Artifactory uses Tar 1.30.1.

Insight

CVEs Impacting Insight

The following is a list of CVEs that were discovered to impact Insight and were fixed.

CVE	Severity	Insight Fix Version	Fix Description
CVE-2022-22968	High	1.10.2	`spring-bootcore`, has been upgraded from version 2.6.6 to version 2.6.7.
CVE-2020-36518	High	1.10.1	`jackson-databind`, has been upgraded to version 2.13.2.1.
CVE-2022-22965	Critical	1.8.1	`sprint-bootcore`, has been upgraded from version 2.6.2 to version 2.6.6.
CVE-2022-23181	High	1.7.0	`tomcat-embed-core`, has been upgraded to version 9.0.58.
CVE-2022-21724	Critical	1.6.2	`pgjdbc`, the official PostgreSQL JDBC Driver, has been upgraded to version 42.2.25.
CVE-2021-22569	High	1.6.2	The `protobuf-java` component has been upgraded to version 3.19.2.
CVE-2021-22060	Medium	1.6.0	Upgraded `spring-web` to version 5.3.14.
CVE-2021-42550	Medium	1.5.0	Upgraded `logback` version to `1.2.9`.
CVE-2021-31684	High	1.5.0	Upgraded `json-smart` to version 1.3.3.
CVE-2021-21290	Medium	1.4.0	Upgraded `netty-codec-http:4.1.53.final` to `4.1.59.Final`.
CVE-2021-22096	Medium	1.4.0	Upgraded `spring-web` to version 5.3.12.

CVEs Not Impacting Insight

CVE	Severity	Reason
CVE-2020-25649	High	Searchguard TLS Tool that uses the library is only used locally by system administrators for generating TLS certificates during an installation. Thus, it only runs on trusted data and can thus be not affected by this vulnerability.

Distribution

CVEs Impacting Distribution

The following is a list of CVEs that were discovered to impact Distribution and were fixed.

CVE	Severity	Distribution Fix Version	Fix Description
CVE-2022-24785	High	2.12.3	Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
CVE-2022-21724	Medium	2.12.0	`pgjdbc`, the official PostgreSQL JDBC Driver, has been upgraded to version 42.2.25.
CVE-2021-42550	Medium	2.11.0	Upgraded the `logback.xml` to version 1.2.9.

CVEs Not Impacting Distribution

The following is a list of CVEs that do not impact Distribution.

CVE	Severity	Reason
CVE-2021-21309	Critical	Does not affect Distribution, since Distribution uses 64-bit Redis and the issue affects only on a 32-bit system or as a 32-bit Redis executable running on a 64-bit system.

Mission Control

CVEs Impacting Mission Control

The following is a list of CVEs that were discovered to impact Mission Control and were fixed.

CVE	Severity	Mission Control Fix Version	Fix Description
CVE-2021-37136	High	4.7.15	Upgraded `netty-codec` to 4.1.68.Final.
CVE-2021-22149	High	4.7.14	Upgraded `Elasticsearch` to 7.14.0.
CVE-2021-22148	High	4.7.14	Upgraded `Elasticsearch` to 7.14.0.
CVE-2021-22147	Medium	4.7.14	Upgraded `Elasticsearch` to 7.14.0.
CVE-2021-31684	High	4.7.13	Upgraded `Apache HttpClient` to version 4.5.13.
CVE-2021-22112	High	4.7.13	Upgraded `spring-security-web` to version 5.4.4.
CVE-2020-13956	Medium	4.7.13	Upgraded `json-smart` to version 2.4.7.
CVE-2021-35517	High	4.7.11	Upgraded `common-compress` to version 1.2.1.
CVE-2021-27568	Critical	4.7.11	Upgraded `json-smart` to version 2.4.7.
CVE-2020-28052	High	4.7.11	Upgraded `bc-java` to version 1.6.7.

Vulnerabilities Without a CVE Impacting Mission Control

The following is a list of vulnerabilities that do not have a CVE that impacted Mission Control and have been fixed.

Fix Description	Severity	Mission Control Fix Version
Updated netty-codec to version 4.1.66.Final.	Critical	4.7.11

Pipelines

CVEs Not Impacting Pipelines

The following is a list of CVEs that do not impact Pipelines.

CVE	Severity	Pipelines Fix Version	Reason
CVE-2021-23343	High	1.20.2	Does not affect Pipelines, since path-parse is not used by Pipelines.
CVE-2021-3918	Critical	1.20.2	Does not affect Pipelines. Though the vulnerable library `json-schema` is a sub-dependency of `request@ 2.88.2`, the vulnerable function `validate` is not called from `request`.
CVE-2021-23358	High	1.20.2	Does not affect Pipelines, since underscore@1.4.4 is a submodule of ssh-keygen and Pipelines is not calling the vulnerable template function.

Vulnerabilities Without a CVE Not Impacting Pipelines

The following is a list of vulnerabilities that do not have a CVE and that do not impact Pipelines

Description	Severity	Pipelines Fix Version	Reason
Preventing remove-markdown RedDos	Medium	1.23.2	RedDos vulnerable code will run with a timeout
Prototype pollution flaw in clean-css 4.2.4	High	1.20.2	Does not affect Pipelines, since clean-css@4.2.4 is submodule of mjml and Pipelines is not calling the vulnerable template function
Prototype pollution flaw in node-forge 0.10.0	Critical		Does not affect Pipelines, since Pipelines and win-ca does not call the vulnerable debug function.

Frontend

Vulnerabilities Without a CVE Not Impacting Frontend

The following is a list of vulnerabilities that do not have a CVE and that do not impact Frontend

Description	Severity	Reason
Prototype pollution flaw in node-forge 0.10.0	Critical	Does not affect Frontend, since Frontend and selfsigned does not call the vulnerable debug function.

Xray

CVEs Impacting Xray

The following is a list of CVEs that were discovered to impact Xray and were fixed.

CVE	Severity	Xray Fix Version	Fix Description
CVE-2022-27191	High	3.49.0	Upgraded golang.org/x/crypto to v0.0.0-20220314234659-1baeb1ce4c0
CVE-2022-24675	High	3.48.2	Upgraded Golang version to 1.17.9.
CVE-2022-24921	High	3.48.2	Upgraded Golang version to 1.17.9.
CVE-2021-43816	Critical	3.42.3	Upgraded Containerd version to 1.5.9
CVE-2021-44717	Medium	3.41.4	Upgraded Golang version to 1.17.5.
CVE-2021-44716	High	3.41.4	Upgraded Golang version to 1.17.5.
CVE-2021-41771	High	3.38.1	Upgraded Golang version to 1.17.3.
CVE-2021-33196	High	3.34.1	Upgraded Golang version to 1.15.13, 1.16.5.

Content

Space Tools