JFrog Help Center
Artifactory

CVEs Impacting Artifactory

The following is a list of CVEs that were discovered to impact Artifactory and were fixed.

CVE | Severity | Artifactory Fix Version | Fix Description
CVE-2022-38751, CVE-2022-38752 | Medium | 7.52.0 | Upgraded SnakeYAML to version 1.31.
CVE-2022-32213 | Critical | 7.41.7 | Upgraded Node.js to version 16.16.0.
CVE-2022-32214 | Critical | 7.41.7 | Upgraded Node.js to version 16.16.0.
CVE-2022-32215 | Critical | 7.41.7 | Upgraded Node.js to version 16.16.0.
CVE-2022-32223 | Critical | 7.41.7 | Upgraded Node.js to version 16.16.0.
CVE-2021-22573 | High | 7.41.4 | Upgraded the google-oauth-client to version 1.33.3.
CVE-2022-32212 | Critical | 7.39.10 | Upgraded Node.js to version 16.16.0.
CVE-2022-32213 | Critical | 7.39.10 | Upgraded Node.js to version 16.16.0.
CVE-2022-32214 | Critical | 7.39.10 | Upgraded Node.js to version 16.16.0.
CVE-2022-32215 | Critical | 7.39.10 | Upgraded Node.js to version 16.16.0.
CVE-2022-32223 | Critical | 7.39.10 | Upgraded Node.js to version 16.16.0.
CVE-2022-32212 | Critical | 7.38.16 | Upgraded Node.js to version 16.16.0.
CVE-2022-32213 | Critical | 7.38.16 | Upgraded Node.js to version 16.16.0.
CVE-2022-32214 | Critical | 7.38.16 | Upgraded Node.js to version 16.16.0.
CVE-2022-32215 | Critical | 7.38.16 | Upgraded Node.js to version 16.16.0.
CVE-2022-32223 | Critical | 7.38.16 | Upgraded Node.js to version 16.16.0.
CVE-2022-32212 | Critical | 7.37.17 | Upgraded Node.js to version 16.16.0.
CVE-2022-32213 | Critical | 7.37.17 | Upgraded Node.js to version 16.16.0.
CVE-2022-32214 | Critical | 7.37.17 | Upgraded Node.js to version 16.16.0.
CVE-2022-32215 | Critical | 7.37.18 | Upgraded Node.js to version 16.16.0.
CVE-2022-32223 | Critical | 7.37.17 | Upgraded Node.js to version 16.16.0.
CVE-2021-38561 | High | 7.37.13 | Upgraded internal/language/parse.go from version 0.3.6 to version 0.3.7.
CVE-2021-41091 | Medium | 7.35.1 | Upgraded to docker v20.10.9. Upgraded image-spec to v1.0.2.
CVE-2021-3765 | High | 7.31.10 | Upgraded the validator version to 13.6.0.
CVE-2020-29582 | Medium | 7.25.4 (Cloud) | Updated to the latest release of Kotlin, from version 1.3.50 to 1.5.20.
CVE-2019-20104 | High | 7.24.1 | Upgraded Crowd version to 3.7.2.
CVE-2020-14340 | Medium | 7.21.3 | Upgraded org.jboss.xnio:xnio-nio to version 3.8.4.Final.
 | High | 7.17.4 | Upgraded to Apache Tomcat version 8.5.63.
 | Medium | 7.15.3 | Upgraded org.hibernate:hibernate-validator to version 6.0.18.
CVE-2017-18214 | High | 6.23.25 | The npm moment.js library was upgraded to version 2.19.3.
CVE-2017-18640 | High | 6.23.0 | Upgraded snakeyaml-1.23.jar from version 1.26 to 1.27.
CVE-2020-7692 | Critical | 6.23.0 | Upgraded the google-oauth-client library from version 1.27 to 1.31.
CVE-2019-12402 | Medium | 6.23.0 | Upgraded the Commons-compress library to version 1.20.
CVE-2020-15586 and Go issue golang.org/issue/34902 | High | 6.23.0 | Upgraded to the latest version of Go, 1.14.9.
CVE-2019-20104 | High | 6.23.0 | Upgraded the Crowd library to version 3.7.2.
CVE-2018-1000206 | High | 6.1 | Artifactory now validates the actual value of the X-Request-With header instead of only checking that it exists.
Vulnerabilities Without a CVE Impacting Artifactory

The following is a list of vulnerabilities that do not have a CVE that impacted Artifactory and have been fixed. 

Description | Severity | Artifactory Fix Version
Updated jackson-dataformats-binary to version 2.12.3. | High | 7.21.3
Excluded the Plexus-cipher library. | Medium | 7.21.3
Upgraded com.nimbusds:oauth2-oidc-sdk:6.14 to 9.9.3. | High | 7.21.3
Upgraded to wiremock-jre8 version 2.28.0. | High | 7.21.3
Upgraded maven-shared-utils:3.2.1 to version 334. | Critical | 7.21.3
Under certain circumstances, authenticated users were able to: (a) retrieve environment information from Artifactory that normally required administrative rights; (b) deploy binaries to Artifactory from different upstreams without having adequate permissions to perform these actions. | Critical | 6.13.3, 6.14.4, 6.15.2, 6.16.2, 6.17.1, 6.18.1, 7.3.2
Under certain circumstances, users could gain access to application data that should otherwise be exposed only to administrators. | Critical | 6.8.14, 6.9.3, 6.10.4
Under certain circumstances, an unauthorized user may be able to send malformed REST API calls to Artifactory that execute under the identity of another user. | Critical | 5.6.8, 5.7.3, 5.8.12, 5.9.8, 5.10.5, 5.11.5; 6.0.4, 6.1.4, 6.2.1, 6.3.4, 6.4.2, 6.5.9
A SAML-related authentication vulnerability potentially exposed Artifactory to XSW attacks, which could sniff and manipulate SAML communications and cause incorrect verification of a SAML login response. This could potentially allow an attacker to gain access to any user in Artifactory. | High | 6.5.13

CVEs Not Impacting Artifactory

The following is a list of CVEs that do not impact Artifactory.

CVE | Severity | Artifactory Fix Version | Reason
CVE-2022-45047 | Critical | 7.52.0 | Does not affect Artifactory, since it only affects Apache MINA SSHD.
CVE-2022-25857, CVE-2022-1471 | High | 7.52.0 | Does not affect Artifactory, since it only affects SnakeYAML.
CVE-2022-1552 | High | 7.52.0 | Does not affect Artifactory, since it only affects Postgres.
CVE-2022-27664 | High | 7.52.0 | Does not affect Artifactory, since it only affects Golang.
CVE-2022-41720 | High | 7.52.0 | Does not affect Artifactory, since it only affects Golang.
CVE-2022-28948 | High | 7.52.0 | Does not affect Artifactory, since it only affects Go-yaml.
CVE-2021-33194 | High | 7.52.0 | Does not affect Artifactory, since it only affects golang.org/x/net.
CVE-2022-39271, GHSA-c6hx-pjc3-7fqr | High | 7.52.0 | Does not affect Artifactory, since it only affects traefik.
CVE-2022-31159 | High | 7.52.0 | Does not affect Artifactory, since it only affects aws-java-sdk.
CVE-2022-40716 | Medium | 7.52.0 | Does not affect Artifactory, since it only affects hashicorp.
CVE-2022-41915 | Medium | 7.52.0 | Does not affect Artifactory, since it only affects Netty.
CVE-2022-38749 | Medium | 7.52.0 | Does not affect Artifactory, since it only affects SnakeYAML and common.
CVE-2022-32190 | Critical | 7.50.3 | Does not affect Artifactory, since it only affects Go.
CVE-2022-37866 | High | 7.50.3 | Does not affect Artifactory, since it only affects org.apache.ivy:ivy.
CVE-2022-31197 | High | 7.50.3 | Does not affect Artifactory, since it only affects org.postgresql:postgresql.
CVE-2016-5425, CVE-2016-6325 | High | 7.50.3 | Does not affect Artifactory, since it only affects tomcat-jdbc.
CVE-2022-42003, CVE-2022-42004 | High | 7.49.3 | Does not affect Artifactory, since it only affects java commons.
CVE-2022-25857 | High | 7.49.3 | Does not affect Artifactory, since it only affects snakeyaml.
CVE-2022-40151 | High | 7.49.3 | Does not affect Artifactory, since it only affects woodstox-core.
CVE-2022-32149 | High | 7.49.3 | Does not affect Artifactory, since it only affects golang.
CVE-2022-27664 | High | 7.49.3 | Does not affect Artifactory, since it only affects Go.
GHSA-3mc7-4q67-w48m, GHSA-98wm-3w3q-mw94, GHSA-9w3m-gqgf-c4p9, GHSA-c4r9-r8fh-9vj2, GHSA-hhhw-99gj-p3c3 | High | 7.49.3 | Does not affect Artifactory, since it only affects snakeyaml.
CVE-2022-3171 | High | 7.49.3 | Does not affect Artifactory, since it only affects protobuf-java.
CVE-2022-42003, CVE-2022-42004, GHSA-jjjh-jjxp-wpff, GHSA-rgv9-q543-rqg4 | High | 7.49.3 | Does not affect Artifactory, since it only affects jackson-databind.
CVE-2022-29526 | Medium | 7.49.3 | Does not affect Artifactory, since it only affects yq.
CVE-2022-3171 | Medium | 7.49.3 | Does not affect Artifactory, since it only affects io.grpc::grpc-*.
CVE-2022-36033 | Medium | 7.49.3 | Does not affect Artifactory, since it only affects jsoup.
CVE-2022-38752 | Medium | 7.49.3 | Does not affect Artifactory, since it only affects commons.
CVE-2022-1348 | Medium | 7.49.3 | Does not affect Artifactory, since it only affects logrotate.
CVE-2019-20444, CVE-2019-20445, CVE-2019-16869 | Critical | 7.47.7 | Does not affect Artifactory, since it only affects software.amazon.awssdk:licensemanager.
CVE-2021-26291 | Critical | 7.47.7 | Does not affect Artifactory, since it only affects org.apache.maven.maven-project.
CVE-2022-1962, CVE-2022-28131, CVE-2022-30633, CVE-2022-30635 | Critical | 7.47.7 | Does not affect Artifactory, since it only affects snakeyaml.
CVE-2021-44906 | High | 7.47.7 | Does not affect Artifactory, since it only affects grpc-tools.
CVE-2021-3807 | High | 7.47.7 | Does not affect Artifactory, since it only affects grpc-tools and grpc_tools_node_protoc_ts.
CVE-2022-25857 | High | 7.47.7 | Does not affect Artifactory, since it only affects snakeyaml.
CVE-2022-22970 | High | 7.46.3 | Does not affect Artifactory, since it only affects org.springframework:spring-beans.
CVE-2022-24823 | Medium | 7.47.7 | Does not affect Artifactory, since it only affects io.netty.
CVE-2020-7789 | Medium | 7.47.7 | Does not affect Artifactory, since it only affects grpc-tools and grpc_tools_node_protoc_ts.
CVE-2022-0235 | Medium | 7.47.7 | Does not affect Artifactory, since it only affects grpc-tools and grpc_tools_node_protoc_ts.
CVE-2022-30187 | Medium | 7.47.7 | Does not affect Artifactory, since it only affects azure-storage-blob and azure-core-http-okhttp.
CVE-2020-7608 | Medium | 7.47.7 | Does not affect Artifactory, since it only affects grpc-tools and grpc_tools_node_protoc_ts.
CVE-2022-25878 | Medium | 7.47.7 | Does not affect Artifactory, since it only affects grpc-tools and grpc_tools_node_protoc_ts.
CVE-2022-27191 | Medium | 7.47.7 | Does not affect Artifactory, since it only affects grpc-tools and grpc_tools_node_protoc_ts.golang.org/x/cryp.
CVE-2022-27191 | Medium | 7.46.3 | Does not affect Artifactory, since it only affects golang.org/x/crypto/ssh.
CVE-2022-31030 | Medium | 7.46.3 | Does not affect Artifactory, since it only affects containerd.
CVE-2022-22968 | Medium | 7.46.3 | Does not affect Artifactory, since it only affects org.springframework:spring-context.
CVE-2022-31197 | Medium | 7.46.3 | Does not affect Artifactory, since it only affects org.postgresql:postgresql.
CVE-2021-37136, CVE-2021-37137 | Critical | 7.46.3 | Does not affect Artifactory, since it only affects io.netty:netty-codec:4.1.63.
CVE-2020-36518 | High | 7.46.3 | Does not affect Artifactory, since it only affects jackson-databind.
CVE-2022-22963 | Critical | 7.46.3 | Does not affect Artifactory, since it only affects spring-core 5.3.18.
CVE-2022-2048 | High | 7.46.3 | Does not affect Artifactory, since it only affects org.eclipse.jetty.
CVE-2022-31159 | High | 7.46.3 | Does not affect Artifactory, since it only affects aws-java-sdk.
CVE-2021-3807 | High | 7.46.3 | Does not affect Artifactory, since it only affects jest-junit and ansi-regex.
CVE-2020-28469 | High | 7.46.3 | Does not affect Artifactory, since it only affects glob-parent.
CVE-2021-20066 | Medium | 7.46.3 | Does not affect Artifactory, since it only affects jest.
CVE-2022-0235 | Medium | 7.46.3 | Does not affect Artifactory, since it only affects grpc-tools.
CVE-2020-7608 | Medium | 7.46.3 | Does not affect Artifactory, since it only affects yargs and yargs-parser.
CVE-2022-22950 | Medium | 7.46.3 | Does not affect Artifactory, since it only affects org.springframework:spring-expression.
CVE-2021-22096, CVE-2021-22060 | Medium | 7.46.3 | Does not affect Artifactory, since it only affects org.springframework:spring-core.
CVE-2022-24823 | Medium | 7.46.3 | Does not affect Artifactory, since it only affects io.netty:netty-common.
CVE-2018-25031, CVE-2021-46708 | Medium | 7.46.3 | Does not affect Artifactory, since it only affects com.github.tomakehurst:wiremock-jre8.
CVE-2021-43797 | Medium | 7.46.3 | Does not affect Artifactory, since it only affects io.netty:netty-codec-http.
CVE-2022-1962, CVE-2022-28131, CVE-2022-30633, CVE-2022-30635 | Critical | 7.46.3 | Does not affect Artifactory, since it only affects github.com/golang/go.
CVE-2022-22971 | Critical | 7.42.1 | Does not affect Artifactory, since it only affects spring-core.
CVE-2020-36518 | High | 7.42.1 | Does not affect Artifactory, since it only affects fasterxml.jackson.version.
CVE-2020-36518 | High | 7.41.4 | Does not affect Artifactory, since it only affects jackson-databind.
CVE-2022-24823 | Medium | 7.41.4 | Does not affect Artifactory, since it only affects netty-common.
CVE-2021-3859 | High | 7.41.4 | Does not affect Artifactory, since it only affects Red Hat undertow-core.
CVE-2022-22963 | Critical | 7.41.4 | Does not affect Artifactory, since it only affects spring-core.
CVE-2021-22119 | High | 7.41.4 | Does not affect Artifactory, since it only affects spring-security-oauth2.
CVE-2022-23632 | Critical | 7.39.4 | Does not affect Artifactory, since it only affects Traefik.
CVE-2022-29153 | High | 7.39.4 | Does not affect Artifactory, since it only affects consul.
CVE-2022-24769 | Medium | 7.39.4 | Does not affect Artifactory, since it only affects containerd.
CVE-2022-27191 | High | 7.39.4 | Does not affect Artifactory, since it only affects golang.org/x/crypto/ssh.
CVE-2022-23648 | High | 7.39.4 | Does not affect Artifactory, since it only affects containerd.
CVE-2022-0536 | Medium | 7.39.4 | Does not affect Artifactory, since it only affects the Node.js client's axios.
CVE-2021-43797 | Medium | 7.37.13 | Does not affect Artifactory, since it only affects Netty.
CVE-2021-3807 | High | 7.37.13 | Does not affect Artifactory, since it only affects ansi-regex.
CVE-2022-23806 | Critical | 7.37.13 | Does not affect Artifactory, since it only affects Curve.IsOnCurve in crypto/elliptic in Go.
CVE-2021-41090 | Medium | 7.35.1 | Does not affect Artifactory, since it only affects docker and image-spec.
CVE-2021-22060 | Medium | 7.34.4 | Does not affect Artifactory, since it only affects org.springframework:spring-core:5.3.12.
CVE-2021-42550 | Medium | 7.31.10 | Does not affect Artifactory, since it only affects logback.xml.
CVE-2017-9506 | Medium | 7.31.10 | Does not affect Artifactory, since it only affects the IconUriServlet of the Atlassian OAuth Plugin.
CVE-2015-2575 | Medium | 7.31.10 | Does not affect Artifactory, since it only affects mysql:mysql-connector-java:8.0.20.
CVE-2021-42340 | High | 7.31.10 | Does not affect Artifactory, since it only affects Apache Tomcat versions 9.0.48 and 8.5.73.
CVE-2020-13949 | High | 7.31.10 | Does not affect Artifactory, since it only affects jaeger 1.6.0, which uses Thrift 0.14.1.
CVE-2021-35560, CVE-2021-35550, CVE-2021-35556, CVE-2021-35561, CVE-2021-35564, CVE-2021-35565, CVE-2021-35567, CVE-2021-35578, CVE-2021-35586, CVE-2021-35588, CVE-2021-35603 | High | 7.31.10 | Does not affect Artifactory, since it only affects Java.
CVE-2021-36374 | Medium | 7.31.10 | Does not affect Artifactory, since it only affects Apache ant-1.9.15.
CVE-2021-33037 | Medium | 7.27.3 | Does not affect Artifactory, since it only affects Apache Tomcat.
CVE-2021-22147 | High | 7.27.3 | Does not affect Artifactory, since it only affects org.elasticsearch:elasticsearch.
CVE-2021-22148 | High | 7.27.3 | Does not affect Artifactory, since it only affects org.elasticsearch:elasticsearch.
CVE-2021-22149 | High | 7.27.3 | Does not affect Artifactory, since it only affects org.elasticsearch:elasticsearch.
CVE-2021-30129 | High | 7.25.4 | Does not affect Artifactory, since it only affects org.apache.sshd:sshd-core:2.6.0.
CVE-2017-18640 | High | 7.25.4 | Does not affect Artifactory, since it only affects the Snakeyaml 1.23 XML Entity Expansion.
CVE-2021-27568 | Critical | 7.25.4 | Does not affect Artifactory, since it only affects json-smart-1.3.1.
CVE-2021-26291 | Normal | 7.24.1 | Does not affect Artifactory, since it only affects Maven version 3.8.1.
CVE-2021-13936 | High | 7.24.1 | Does not affect Artifactory, since it only affects the Apache Velocity engine.
CVE-2018-9116 | Critical | 7.23.3 | Does not affect Artifactory, since it only affects wiremock.
 | Critical | 7.21.3 | Does not affect Artifactory, since it only affects XStream.
CVE-2021-26291 | High | 7.21.3 | Does not affect Artifactory, since it only affects Apache Maven.
CVE-2021-21290 | Medium | 7.21.3 | Does not affect Artifactory, since it only affects netty-codec-http:4.1.53.final.
CVE-2020-17521 | Medium | 7.21.3 | Does not affect Artifactory, since it only affects org.codehaus.groovy:groovy-all.
 | High | 7.17.4 | Does not affect Artifactory, since it only affects Spring Security Web.
CVE-2019-17571 | Medium | 7.15.3 | Does not affect Artifactory, since it only affects log4j-to-slf4j and log4j-api.
 | High | 7.11.1 | Does not affect Artifactory, since it only affects hazelcast-3.6.1.jar.
 | Medium | 7.11.1 | Does not affect Artifactory, since it only affects org.eclipse.jetty:jetty-http.
 | High | 7.11.1 | Does not affect Artifactory, since it only affects Plexus-utils.
 | High | 7.11.1 | Does not affect Artifactory, since it only affects fasterxml.jackson.version.
 | High | 7.10.5 | Does not affect Artifactory, since it only affects bcprov-jdk15.
 | High | 7.10.5 | Does not affect Artifactory, since it only affects cryptacular-1.1.1.jar.
CVE-2020-7692 | Critical | 7.10.2 | Does not affect Artifactory, since it only affects the google-oauth-client library.
 | Medium | 7.10.1 | Does not affect Artifactory, since it only affects the Commons-compress library.
 | Medium | 7.10.1 | Does not affect Artifactory, since it only affects the Commons-compress library.
 | High | 7.10.1 | Does not affect Artifactory, since it only affects Go 1.14.9.
 | High | 7.10.1 | Does not affect Artifactory, since it only affects the Crowd library.
 | High | 7.10.1 | Does not affect Artifactory, since it only affects XStream.
 | High | 7.10.1 | Does not affect Artifactory, since it only affects XStream.
 | Critical | 7.10.1 | Does not affect Artifactory, since it only affects XStream.
CVE-2020-8203 | High | 7.9.0 | Does not affect Artifactory, since it only affects lodash.
CVE-2020-1745 | Critical | 7.9.0 | Does not affect Artifactory, since it only affects io.undertow:undertow-core / 2.0.15.Final.
CVE-2017-15095 | Critical | 7.8.1 | Does not affect Artifactory, since it only affects fge:jackson-coreutils:jar.
CVE-2017-17485 | Critical | 7.8.1 | Does not affect Artifactory, since it only affects fge:jackson-coreutils:jar.
CVE-2017-7525 | Critical | 7.8.1 | Does not affect Artifactory, since it only affects fge:jackson-coreutils:jar.
CVE-2020-13935 | High | 7.7.0 | Does not affect Artifactory, since it only affects Apache Tomcat.
CVE-2020-13934 | High | 7.7.0 | Does not affect Artifactory, since it only affects Apache Tomcat.
CVE-2020-11996 | High | 7.7.0 | Does not affect Artifactory, since it only affects Apache Tomcat.
CVE-2020-28500, CVE-2020-8203, CVE-2021-23337 | Critical | 6.23.25 | Does not affect Artifactory, since it only affects the npm lodash library.
CVE-2022-30591 | High | N/A | JFrog Artifactory is not affected, since it does not use quic-go through 0.27.0.
CVE-2022-42889 | Critical | N/A | JFrog Platform is not affected, since it does not use the impacted packages.
CVE-2016-1000027 | Critical | N/A | Does not affect Artifactory, since it does not use the impacted HttpInvokerServiceExporter component for providing remote access.
CVE-2022-34305 | Medium | N/A | Does not affect Artifactory, since it does not use the impacted component that is included in the Apache Tomcat version.
CVE-2022-29885 | High | N/A | Does not affect Artifactory, since it does not use the impacted component that is included in the Apache Tomcat version.
CVE-2018-10892 | High | N/A | Does not affect Artifactory, since only Traefik uses it, and it therefore applies only if the Docker Provider is turned on, which is not the case in Artifactory.
CVE-2020-0187 | Medium | N/A | Does not affect Artifactory, since it only affects the Android Platform.
N/A | Medium | N/A | Does not affect Artifactory, as it applies only when using Apache Sling, which is not the case in Artifactory.
N/A | Medium | N/A | Does not affect Artifactory, since it only affects SSLServerSocketAppender and SSLSocketAppender.
CVE-2017-7536 | High | N/A | Does not affect Artifactory, since Artifactory does not use org.hibernate_hibernate-validator.
CVE-2020-9484 | High | N/A | Does not affect Artifactory, since the vulnerability is exploitable only when Tomcat is configured with PersistenceManager, which Artifactory does not use.
CVE-2019-11888 | High | N/A | This CVE supposedly affects Artifactory 6.x versions. The golang/go library is part of the Metadata Service, which is not enabled in Artifactory 6.x.
CVE-2019-14809 | High | N/A | This CVE supposedly affects Artifactory 6.x versions. The golang/go library is part of the Metadata Service, which is not enabled in Artifactory 6.x.
CVE-2019-0232 | High | N/A | The enableCmdLineArguments parameter is not enabled in the Apache Tomcat bundled with Artifactory.
CVE-2018-8014 | High | N/A | The JFrog Apache Tomcat version is 8.5.32, which is not one of the vulnerable versions.
CVE-2018-1275 | High | N/A | The JFrog Spring Framework version is 4.1.8, which is vulnerable to the CVE, as the version is unsupported. However, because JFrog does not implement a STOMP broker, we are not exposed to this vulnerability.
CVE-2018-8589 | Medium | N/A | JFrog is not responsible for vulnerabilities in the Windows operating system. Anyone using an on-premises environment should keep the Windows operating system up to date.
CVE-2018-11776 | High | N/A | Does not affect Artifactory, since JFrog does not use Apache Struts.
CVE-2018-5925 | High | N/A | Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog.
CVE-2018-5924 | High | N/A | Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog.
CVE-2018-5382 | High | N/A | Does not affect Artifactory, since JFrog does not use the BKS-V1 keystore.
CVE-2018-1260 | High | N/A | Does not affect Artifactory, since JFrog does not use Spring Security OAuth.
CVE-2018-1259 | High | N/A | Does not affect Artifactory, since JFrog does not use Spring Data Commons.
CVE-2017-5664 | High | N/A | Does not affect Artifactory, since the default value of the readOnly property of the DefaultServlet is "true" (readOnly=true) in our environment. As stated in the CVE, you are only vulnerable "...if the DefaultServlet is configured to permit writes...".
CVE-2017-5648 | Critical | N/A | Does not affect Artifactory, since the tomcat/webapps folder only contains the Artifactory WAR and the Access WAR files used by the bundled Tomcat distribution.
CVE-2017-5647 | High | N/A | Does not affect Artifactory, since the issue relates only to the "Send File" service, which is not used by Artifactory.
CVE-2017-5638 | Critical | N/A | Artifactory is not affected by the Apache Struts 2 vulnerability.
CVE-2014-0097 | High | N/A | For LDAP authentication, Artifactory strictly uses the ArtifactoryLdapAuthenticationProvider class, which uses the ArtifactoryLdapAuthenticator, wrapping the ArtifactoryBindAuthenticator. The latter class is the one that performs the actual authentication, and it does check for empty passwords. Artifactory does not use any other provider with LDAP, such as ActiveDirectoryLdapAuthenticationProvider. This JIRA issue refers to an older class name, ActiveDirectoryLdapAuthenticator, that is not part of Spring Security or Artifactory.
CVE-2008-4108 | High | N/A | Does not affect Artifactory, since Artifactory does not require Python to be installed; the CVE is not relevant for JFrog.
CVE-2005-2541 | High | N/A | Does not affect Artifactory, since Artifactory uses Tar 1.30.1.

Insight

CVEs Impacting Insight

The following is a list of CVEs that were discovered to impact Insight and were fixed.

CVE | Severity | Insight Fix Version | Fix Description
CVE-2022-31692 | Critical | 1.13.0 | Upgraded spring-security-web to version 5.7.5. Upgraded spring-bootcore to version 2.7.5.
CVE-2022-23181 | High | 1.7.0 | tomcat-embed-core has been upgraded to version 9.0.58.
CVE-2021-22060 | Medium | 1.6.0 | Upgraded spring-web to version 5.3.14.
CVE-2021-42550 | Medium | 1.5.0 | Upgraded logback to version 1.2.9.
CVE-2021-22096 | Medium | 1.4.0 | Upgraded spring-web to version 5.3.12.

CVEs Not Impacting Insight

CVE | Severity | Insight Fix Version | Reason
CVE-2022-42003 | High | N/A | Upgraded jackson-databind to version 2.13.4.1.
CVE-2022-3171 | High | N/A | Does not affect Insight, since it only affects protobuf-java.
CVE-2022-42252 | High | N/A | Upgraded Tomcat to version 9.0.69.
CVE-2019-13990 | High | N/A | Upgraded quartz-scheduler to version 2.3.2.
CVE-2022-25857 | High | 1.12.1 | SnakeYAML has been upgraded from version 1.30 to version 1.31.
CVE-2022-31197 | High | 1.12.0 | The PostgreSQL JDBC Driver (pgjdbc) has been upgraded from version 42.3.3 to version 42.4.1.
CVE-2022-23708 | Medium | 1.11.3 | Elasticsearch has been upgraded from version 7.16.3 to version 7.17.1.
CVE-2021-31684 | High | 1.5.0 | Upgraded json-smart to version 1.3.3.
CVE-2021-21290 | Medium | 1.4.0 | Upgraded netty-codec-http from 4.1.53.final to 4.1.59.Final.
CVE-2022-22970 | Medium | 1.11.3 | spring-bootcore has been upgraded from version 2.6.7 to version 2.7.0.
CVE-2022-22968 | High | 1.10.2 | spring-bootcore has been upgraded from version 2.6.6 to version 2.6.7.
CVE-2020-36518 | High | 1.10.1 | jackson-databind has been upgraded to version 2.13.2.1.
CVE-2022-22965 | Critical | 1.8.1 | spring-bootcore has been upgraded from version 2.6.2 to version 2.6.6.
CVE-2022-21724 | Critical | 1.6.2 | pgjdbc, the official PostgreSQL JDBC Driver, has been upgraded to version 42.2.25.
CVE-2021-22569 | High | 1.6.2 | The protobuf-java component has been upgraded to version 3.19.2.
CVE-2020-25649 | High | N/A | The Searchguard TLS Tool that uses the library is only used locally by system administrators for generating TLS certificates during an installation. It therefore only runs on trusted data and is not affected by this vulnerability.

Distribution

CVEs Not Impacting Distribution

The following is a list of CVEs that do not impact Distribution.

CVE | Severity | Distribution Fix Version | Reason
CVE-2022-45143 | High | N/A | Distribution does not use the vulnerable API.
CVE-2022-41946 | Medium | N/A | Updating the drivers to 42.5.1 fixed the vulnerability.
CVE-2022-42889 | Critical | N/A | Upgraded to a fixed version, although Distribution does not use the vulnerable API.
CVE-2022-31692 | Critical | N/A | Upgraded to a fixed version.
CVE-2022-3171 | High | N/A | Upgraded to a fixed version.
CVE-2022-42004 | High | N/A | Upgraded to a fixed version.
CVE-2022-38750 | Medium | N/A | Upgraded to a fixed version.
CVE-2022-38749 | Medium | N/A | Upgraded to a fixed version.
CVE-2022-1471 | Critical | N/A | Does not affect Distribution, since Distribution does not use the potentially harmful constructor.
CVE-2022-42252 | High | N/A | Does not affect Distribution, since the product uses Tomcat version 9.0.58 and does not redefine rejectIllegalHeader, so its effective value is "true" (the default).
CVE-2016-1000027 | Critical | N/A | Does not affect Distribution, since Distribution does not use the vulnerable API.
CVE-2022-22978 | High | N/A | Upgraded spring-security-web to version 5.7.0.
CVE-2022-22968 | Medium | N/A | Upgraded spring-context to version 5.3.21.
CVE-2022-22970 | Medium | N/A | Upgraded spring-beans to version 5.3.21.
CVE-2021-21309 | Critical | N/A | Does not affect Distribution, since Distribution uses 64-bit Redis and the issue affects only a 32-bit system or a 32-bit Redis executable running on a 64-bit system.
CVE-2022-24785 | High | 2.12.3 | Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch the moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
CVE-2022-21724 | Medium | 2.12.0 | pgjdbc, the official PostgreSQL JDBC Driver, has been upgraded to version 42.2.25.
CVE-2021-42550 | Medium | 2.11.0 | Upgraded the logback.xml to version 1.2.9.
CVE-2022-24823 | Medium | N/A | Does not affect Distribution, since the vulnerability only impacts applications running on Java version 6 and lower.

Mission Control

CVEs Not Impacting Mission Control

CVE | Severity | Mission Control Fix Version | Reason
CVE-2021-37136 | High | 4.7.15 | Upgraded netty-codec to 4.1.68.Final.
CVE-2021-22149 | High | 4.7.14 | Upgraded Elasticsearch to 7.14.0.
CVE-2021-22148 | High | 4.7.14 | Upgraded Elasticsearch to 7.14.0.
CVE-2021-22147 | Medium | 4.7.14 | Upgraded Elasticsearch to 7.14.0.
CVE-2021-31684 | High | 4.7.13 | Upgraded Apache HttpClient to version 4.5.13.
CVE-2021-22112 | High | 4.7.13 | Upgraded spring-security-web to version 5.4.4.
CVE-2020-13956 | Medium | 4.7.13 | Upgraded json-smart to version 2.4.7.
CVE-2021-35517 | High | 4.7.11 | Upgraded common-compress to version 1.2.1.
CVE-2021-27568 | Critical | 4.7.11 | Upgraded json-smart to version 2.4.7.
CVE-2020-28052 | High | 4.7.11 | Upgraded bc-java to version 1.6.7.
CVE-2020-8908 | Low | N/A | Does not affect Mission Control, since JFrog does not use the com.google.common.io.Files.createTempDir() function.

Vulnerabilities Without a CVE Impacting Mission Control

The following is a list of vulnerabilities that do not have a CVE that impacted Mission Control and have been fixed. 

Fix Description | Severity | Mission Control Fix Version
Updated netty-codec to version 4.1.66.Final. | Critical | 4.7.11

Vulnerabilities Without a CVE Not Impacting Mission Control

The following is a list of vulnerabilities that do not have a CVE and that do not impact Mission Control.

Fix Description | Severity | Mission Control Fix Version
Flyway insecure logging local password disclosure (org.flywaydb:flyway-core / 4.2.0) | High | "Not Affected" 3rd-party package: the default log level is set to WARN.

Pipelines

CVEs Impacting Pipelines

CVE | Severity | Pipelines Fix Version | Reason
CVE-2022-24921 | High | 1.27.0 | A user can cause stack exhaustion using JFrog CLI in a step, but this would merely lead to the step failing.
CVE-2022-30634 | High | 1.27.0 | JFrog CLI prevents a max buffer from being passed by the user.
CVE-2022-0235 | Medium | 1.24.0 | Removed the node-fetch dependency.

CVEs Not Impacting Pipelines

The following is a list of CVEs that do not impact Pipelines.

CVE | Severity | Pipelines Fix Version | Reason
CVE-2021-43138 | High | N/A | Does not affect Pipelines. Removed an unnecessary dependency from the Pipelines build agent.
CVE-2021-41248 | High | N/A | Does not affect Pipelines. Removed an unnecessary dependency from the Pipelines build agent.
CVE-2022-32212 | High | 1.25.1 | Upgraded Node.js to version 16.16.0.
CVE-2022-32213 | Critical | 1.25.1 | Upgraded Node.js to version 16.16.0.
CVE-2022-32214 | Critical | 1.25.1 | Upgraded Node.js to version 16.16.0.
CVE-2022-32215 | Critical | 1.25.1 | Upgraded Node.js to version 16.16.0.
CVE-2022-32223 | High | 1.25.1 | Upgraded Node.js to version 16.16.0.
CVE-2021-23343 | High | 1.20.2 | Does not affect Pipelines, since path-parse is not used by Pipelines.
CVE-2021-3918 | Critical | 1.20.2 | Does not affect Pipelines. Though the vulnerable library json-schema is a sub-dependency of request@2.88.2, the vulnerable function validate is not called from request.
CVE-2021-23358 | High | 1.20.2 | Does not affect Pipelines, since underscore@1.4.4 is a submodule of ssh-keygen and Pipelines does not call the vulnerable template function.
CVE-2022-25648 | High | N/A | Does not impact Pipelines, as core services control what commands are passed to the git command.

Vulnerabilities Without a CVE Not Impacting Pipelines

The following is a list of vulnerabilities that do not have a CVE and that do not impact Pipelines.

Description | Severity | Pipelines Fix Version | Reason
Preventing remove-markdown ReDoS | Medium | 1.23.2 | The ReDoS-vulnerable code will run with a timeout.
Prototype pollution flaw in clean-css 4.2.4 | High | 1.20.2 | Does not affect Pipelines, since clean-css@4.2.4 is a submodule of mjml and Pipelines does not call the vulnerable template function.
Prototype pollution flaw in node-forge 0.10.0 | Critical | N/A | Does not affect Pipelines, since Pipelines and win-ca do not call the vulnerable debug function.


Frontend

Vulnerabilities Without a CVE Not Impacting Frontend

The following is a list of vulnerabilities that do not have a CVE and that do not impact Frontend.

Description | Severity | Reason
Prototype pollution flaw in node-forge 0.10.0 | Critical | Does not affect Frontend, since Frontend and selfsigned do not call the vulnerable debug function.

Xray

CVEs Impacting Xray

The following is a list of CVEs that were discovered to impact Xray and were fixed.

CVE | Severity | Xray Fix Version | Fix Description
CVE-2022-31030 | Medium | 3.60.2 | Upgraded github.com/containerd/containerd to version 1.5.13.
CVE-2022-28948 | High | 3.60.2 | Upgraded gopkg.in/yaml.v3:3.0.0-20200313102051 to gopkg.in/yaml.v3:3.0.1.
CVE-2022-27664 | High | 3.60.2, 3.61.5 | Upgraded golang.org/x/net v0.0.0-20220722155237 to golang.org/x/net version 0.1.0. Upgraded golang.org/x/sys v0.0.0-20220722155237 to golang.org/x/sys v0.1.0. Upgraded golang.org/x/net v0.3.7 to golang.org/x/text v0.4.0.
CVE-2022-32149 | High | 3.60.2 | Upgraded from 0.3.7 to 0.3.8.
CVE-2022-32189 | High | 3.59.4 | Upgraded Golang to version 1.18.5.
CVE-2021-38197 | Critical | 3.57.6 | Upgraded the go-unarr library to version v0.1.4.
CVE-2022-29526 | Medium | 3.55.2 | Upgraded Golang to version 1.18.4.
CVE-2022-30634 | High | 3.55.2 | Upgraded Golang to version 1.18.4.
CVE-2022-30632 | High | 3.55.2 | Upgraded Golang to version 1.18.4.
CVE-2022-30630 | High | 3.55.2 | Upgraded Golang to version 1.18.4.
CVE-2022-30631 | High | 3.55.2 | Upgraded Golang to version 1.18.4.
CVE-2022-24769 | Medium | 3.54.5 | Upgraded Containerd to version 1.5.11.
CVE-2022-29526 | Medium | 3.54.5 | Upgraded Golang to version 1.17.11.
CVE-2022-23806 | Critical | 3.50.3 | Upgraded the JFrog router to version 7.39.0.
CVE-2022-27191 | High | 3.49.0 | Upgraded golang.org/x/crypto to v0.0.0-20220314234659-1baeb1ce4c0.
CVE-2022-24675 | High | 3.48.2 | Upgraded Golang to version 1.17.9.
CVE-2022-24921 | High | 3.48.2 | Upgraded Golang to version 1.17.9.
CVE-2021-43816 | Critical | 3.42.3 | Upgraded Containerd to version 1.5.9.
CVE-2021-44717 | Medium | 3.41.4 | Upgraded Golang to version 1.17.5.
CVE-2021-44716 | High | 3.41.4 | Upgraded Golang to version 1.17.5.
CVE-2021-41771 | High | 3.38.1 | Upgraded Golang to version 1.17.3.
CVE-2021-33196 | High | 3.34.1 | Upgraded Golang to versions 1.15.13 and 1.16.5.

CVEs Not Impacting Xray

The following is a list of CVEs that do not impact Xray.

CVE | Severity | Xray Fix Version | Fix Description
CVE-2021-38197 | Critical | 3.57.6 | Upgraded the go-unarr library to version v0.1.4.

Copyright © 2023 JFrog Ltd.