Cloud customer?
Start for Free >
Upgrade in MyJFrog >
What's New in Cloud >





Working with an older version? JFrog Artifactory 6.x | JFrog Xray 2.x | JFrog Mission Control 3.x | JFrog Distribution 1.x |


Skip to end of metadata
Go to start of metadata

Artifactory

CVEs Impacting Artifactory

The following is a list of CVEs that were discovered to impact Artifactory and were fixed.

CVESeverity
Artifactory Fix Version
Fix Description

CVE-2022-22971

Critical7.42.1Upgraded spring-core  to version 5.3.20.

CVE-2020-36518

High7.42.1

Upgraded  fasterxml.jackson.version 2.13.0 to 2.13.3

CVE-2022-32212

Critical7.41.7 Upgraded Node.js to version 16.16.0
CVE-2022-32213,Critical7.41.7 Upgraded Node.js to version 16.16.0
CVE-2022-32214Critical7.41.7 Upgraded Node.js to version 16.16.0
CVE-2022-32215Critical7.41.7 Upgraded Node.js to version 16.16.0
CVE-2022-32223Critical7.41.7 Upgraded Node.js to version 16.16.0

CVE-2021-22573

High7.41.4

Upgraded the google-oauth-client to version 1.33.3

CVE-2020-36518

High7.41.4Upgraded jackson-databind to version 2.13.2.1
CVE-2022-24823Medium7.41.4

Upgraded to netty-common version 4.1.77.final

CVE-2021-3859

High7.41.4

Upgraded Red Hat undertow-core to version 2.2.15

CVE-2022-22963

Critical7.41.4Upgraded spring-core version to 5.3.19

CVE-2021-22119

High7.41.4

Upgraded spring-security-oauth2 to version 2.5.2

 CVE-2022-32212

Critical7.39.10 Upgraded Node.js to version 16.16.0
CVE-2022-32213Critical7.39.10 Upgraded Node.js to version 16.16.0
CVE-2022-32214Critical7.39.10 Upgraded Node.js to version 16.16.0
CVE-2022-32215Critical7.39.10 Upgraded Node.js to version 16.16.0
CVE-2022-32223Critical7.39.10 Upgraded Node.js to version 16.16.0

CVE-2022-23632

Critical7.39.4

Upgraded Traefik v.2.5.6 to version 2.6.3.

CVE-2022-29153

High7.39.4Upgraded consul version from version 1.11.13 to v1.11.15

CVE-2022-24769

Medium7.39.4Upgraded to containerd to version 1.6.2
CVE-2022-27191High7.39.4Upgraded golang.org/x/crypto/ssh to version v0.0.0-20220411220226-7b82a4e95df4

CVE-2022-23648

High7.39.4Upgraded to containerd  versions 1.6.1, 1.5.10, and 1.4.12

CVE-2022-0536

Medium7.39.4Upgrade nodejs clients's axios to version 0.26.0.

CVE-2022-32212

Critical7.38.16 Upgraded Node.js to version 16.16.0
CVE-2022-32213,Critical7.38.16 Upgraded Node.js to version 16.16.0
CVE-2022-32214Critical7.38.16 Upgraded Node.js to version 16.16.0
CVE-2022-32215Critical7.38.16 Upgraded Node.js to version 16.16.0
CVE-2022-32223Critical7.38.16 Upgraded Node.js to version 16.16.0

CVE-2022-32212

Critical7.37.17 Upgraded Node.js to version 16.16.0
CVE-2022-32213,Critical7.37.17Upgraded Node.js to version 16.16.0
CVE-2022-32214Critical7.37.17 Upgraded Node.js to version 16.16.0
CVE-2022-32215Critical7.37.17 Upgraded Node.js to version 16.16.0
CVE-2022-32223Critical7.37.17 Upgraded Node.js to version 16.16.0

CVE-2021-43797

Medium7.37.13

Upgraded Netty version 4.1.68 to version 4.1.71.

CVE-2021-3807

High7.37.13

Upgraded ansi-regex version 4.1.0 and 3.0.0 to version 5.0.1 or 6.0.1.

CVE-2022-23806Critical7.37.13

Upgraded Curve.IsOnCurve in crypto/elliptic in Go prior to version 1.16.14 and 1.17.x prior 1.17.7 to version 1.17.7.

CVE-2021-38561High7.37.13

Upgraded internal/language/parse.go version 0.3.6 to version 0.3.7.

CVE-2021-41091

Medium7.35.1Upgraded to docker v20.10.9
Upgraded image-spec v.1.0.2
CVE-2021-41090 
Medium7.35.1Upgraded to docker v20.10.9
Upgraded image-spec v.1.0.2

CVE-2021-22060

Medium7.34.4

Upgraded org.springframework:spring-core:5.3.12 to version 5.3.14.

CVE-2021-42550 

Medium7.31.10

Upgraded the logback.xml to version 1.2.9.

CVE-2017-9506Medium7.31.10Upgraded the IconUriServlet of the Atlasssian OAuth Plugin to 2.0.4.

CVE-2015-2575

Medium7.31.10Upgraded mysql:mysql-connector-java:8.0.20 to 8.0.27.
CVE-2021-42340

High7.31.10Upgraded the Apache Tomcat version to:
  • 9.0.48 -> 9.0.55
  • 8.5.66 -> 8.5.73

CVE-2021-3765

High7.31.10

Upgraded the validator version to 13.6.0.

CVE-2020-13949High7.31.10Upgraded to jaeger 1.6.0 which uses Thrift 0.14.1

CVE-2021-35560
CVE-2021-35550 
CVE-2021-35556
CVE-2021-35561
CVE-2021-35564
CVE-2021-35565
CVE-2021-35567
CVE-2021-35578
CVE-2021-35586
CVE-2021-35588
CVE-2021-35603

High7.31.10

Upgraded to Java version 1.11.0_13.

CVE-2021-36374Medium 7.31.10

Upgraded Apache ant-1.9.15 to version ant-1.10.1.

CVE-2021-33037

Medium7.27.3Upgraded to Apache Tomcat version 8.5.68 or later.

CVE-2021-22147

High7.27.3Upgraded org.elasticsearch:elasticsearch to version 7.14.0.

CVE-2021-22148

High7.27.3Upgraded org.elasticsearch:elasticsearch to version 7.14.0.

CVE-2021-22149

High7.27.3Upgraded org.elasticsearch:elasticsearch to version 7.14.0.

CVE-2021-30129

High7.25.4 (Cloud)Upgraded org.apache.sshd:sshd-core:2.6.0 to version v2.7.
CVE-2017-18640High7.25.4 (Cloud)Upgraded the Snakeyaml 1.23 XML Entity Expansion to version 1.26.

CVE-2021-27568

Critical7.25.4 (Cloud)Upgraded json-smart-1.3.1 to version 2.4.7.

CVE-2020-29582

Medium7.25.4
(Cloud)		Updated to the latest release of Koplin from version 1.3.50 to 1.5.20.
CVE-2021-27568Critical

7.25.4

(Cloud)

Updated json-smart-1.3.1 to version 1. 2.4.7.

CVE-2021-26291

Normal7.24.1

Upgraded to Maven version 3.8.1.

CVE-2021-13936

High7.24.1

Upgraded the Apache Velocity engine versions to 2.2

CVE-2019-20104

High7.24.1

Upgraded Crowd version to 3.7.2.

CVE-2018-9116Critical 7.23.3Upgraded to wiremock version to 2.28.0.

CVE-2021-29505

Critical7.21.3

Upgraded XStream to version 1.4.17.

CVE-2021-26291

High7.21.3

Upgraded Apache Maven to version 3.8.1.

CVE-2021-21290

Medium7.21.3Upgraded netty-codec-http:4.1.53.final to 4.1.59.Final.

CVE-2020-17521

Medium7.21.3Upgraded org.codehaus.groovy:groovy-all from 2.4.16 to 2.5.14

CVE-2020-14340

Medium7.21.3Upgraded org.jboss.xnio:xnio-nio to version 3.8.4.Final.

CVE-2021-22112

High7.17.4Upgraded to Spring Security Web version 5.4.5.

CVE-2021-25122

High7.17.4

Upgraded to Apache Tomcat version 8.5.63.

CVE-2019-10219

Medium7.15.3

Upgraded org.hibernate:hibernate-validator to version 6.0.18.

CVE-2019-17571
Medium7.15.3Upgraded log4j-to-slf4j and log4j-api upgraded to version 2.14.0. 

CVE-2016-10750

High7.11.1

Removed hazelcast-3.6.1.jar from Artifactory. 

CVE-2017-7657

Medium7.11.1,

Upgraded Org.eclipse.jetty:jetty-http to version 9.4.11.v20180605. 

CVE-2017-1000487

High7.11.1

Upgraded Plexus-utils to version 3.3.0.

CVE-2020-25649

High7.11.1

Upgraded fasterxml.jackson.version to version 2.11.3.

CVE-2019-17359

High7.10.5
Upgraded bcprov-jdk15on to version 1.64.

CVE-2020-7226

High7.10.5Upgraded artifactory.war at cryptacular-1.1.1.jar to version 1.1.4.
CVE-2020-7692Critical7.10.2Upgraded google-oauth-client library from version 1.27 to 1.31.

CVE-2019-12402 

Medium7.10.1Upgraded Commons-compress lib was upgraded to 1.20. 

CVE-2019-12402 

Medium7.10.1Upgraded to Commons-compress lib was upgraded to 1.20.

CVE-2020-15586 
golang.org/issue/34902

High7.10.1Upgraded to the latest version of Go 1.14.9. 

CVE-2019-20104

High7.10.1Upgraded to Crowd lib was upgraded to 3.7.2. 

CVE-2017-7957

High7.10.1

Upgraded to XStream-1.4.11.1

CVE-2016-3674

High7.10.1

Upgraded to XStream-1.4.11.1. 

CVE-2013-7285

Critical7.10.1

Upgraded to XStream-1.4.11.1.

CVE-2020-8203

High7.9.0Upgraded lodash version to 4.17.20
CVE-2020-1745Critical7.9.0io.undertow:undertow-core / 2.0.15.Final was upgraded to 2.0.30.final
CVE-2017-15095Critical7.8.1fge:jackson-coreutils:jar was upgraded to version 2.0
CVE-2017-17485Critical7.8.1fge:jackson-coreutils:jar was upgraded to version 2.0
CVE-2017-7525Critical7.8.1fge:jackson-coreutils:jar was upgraded to version 2.0
CVE-2020-13935High7.7.0Apache Tomcat was upgraded to version 8.5.57

CVE-2020-13934

High7.7.0Apache Tomcat was upgraded to version 8.5.57
CVE-2020-11996High7.7.0Apache Tomcat was upgraded to version 8.5.57

CVE-2020-28500

CVE-2020-8203

CVE-2021-23337

Critical6.23.25The npm lodash library was upgraded to version 4.17.21
CVE-2017-18214High6.23.25npm moment.js library was upgraded to version 2.19.3
CVE-2017-18640High6.23.0Upgraded snakeyaml-1.23.jar from version 1.26 to 1.27. 
CVE-2020-7692Critical6.23.0Upgraded google-oauth-client library from version 1.27 to 1.31.

CVE-2019-12402 

Medium6.23.0Upgraded Commons-compress lib was upgraded to version 1.20. 
CVE-2020-15586 and Go issue golang.org/issue/34902High6.23.0Upgraded to the latest version of Go 1.14.9. 
CVE-2019-20104High6.23.0Upgraded to Crowd lib was upgraded to 3.7.2 version. 
CVE-2018-1000206High6.1Artifactory now validates the actual value of the X-Request-With header instead of checking the existence of it
CVE-2017-7525Critical6.1FasterXML jackson-databind was upgraded to version 2.93 and 2.8.10 and includes a fix to prevent unauthenticated remote code execution.
CVE-2016-8745High5.2.0Apache Tomcat was upgraded to version 8.0.41 that includes a fix for NIO HTTP connector vulnerability
CVE-2016-8735Critical5.0.0Apache Tomcat was upgraded to version 8.0.39
CVE-2016-3092High5.0.0Apache Tomcat was upgraded to version 8.0.39
CVE-2016-6501Critical4.11.0Added the "Secure LDAP Search" in the Artifactory LDAP settings to protect against LDAP poisoning by filtering out users exposed to vulnerability
CVE-2014-3623High4.10.0Upgraded the wss4j library to version 1.6.17 and Apache CXF to version 2.7.13
CVE-2015-0227Medium4.10.0Upgraded the wss4j library to version 1.6.17 and Apache CXF to version 2.7.13
CVE-2014-0114High4.10.0

Upgraded commons-beanutils to version 1.9.2

CVE-2015-7940Medium4.8.1

Upgraded the relevant libraries that included the Bouncy Castle Java library as a dependency

CVE-2013-4517Medium4.8.0Upgraded the relevant libraries that included the Apache XML Security For Java library as a dependency
CVE-2015-4852High4.5.2Upgraded the commons-collection library to version 3.2.2
CVE-2015-3253Critical4.2.1Upgraded the Groovy-all library to version 2.4.4
CVE-2014-0107High4.2.1Upgraded the Xalan library to version 2.7.2
CVE-2014-3577Medium3.3.1Upgraded the HttpClient library to version 4.3.5
Page Contents

Vulnerabilities Without a CVE Impacting Artifactory

The following is a list of vulnerabilities that do not have a CVE that impacted Artifactory and have been fixed. 

DescriptionSeverityArtifactory Fix Version
Updated jackson-dataformats-binary to version 2.12.3.High7.21.3
Excluded the Plexus-cipher library.Medium7.21.3
Upgraded om.nimbusds:oauth2-oidc-sdk:6.14 to 9.9.3.High7.21.3
Upgraded to wiremock-jre8 version 2.28.0.High

7.21.3

Upgraded maven-shared-utils:3.2.1 to version 334.Critical7.21.3
Under certain circumstances, authenticated users were able to:
  • Retrieve environment information from Artifactory that normally required administrative rights.
  • Deploy binaries to Artifactory from different upstreams without having adequate permissions to perform these actions.
Critical

6.13.3, 6.14.4, 6.15.2, 6.16.2, 6.17.1, 6.18.1, 7.3.2

Under certain circumstances, users could gain access to application data that should otherwise be exposed only to administrators.Critical6.8.14, 6.9.3, 6.10.4
Under certain circumstances, an unauthorized user may be able to send malformed REST API calls to Artifactory that execute under the identity of another user.Critical

  • 5.6.8, 5.7.3, 5.8.12, 5.9.8, 5.10.5, 5.11.5

  • 6.0.4, 6.1.4, 6.2.1, 6.3.4, 6.4.2, 6.5.9

A SAML-related authentication vulnerability potentially exposed Artifactory to XSW attacks which could sniff and manipulate SAML communications causing the incorrect verification of a SAML login response. This could potentially allow the attacker to gain access to any user in Artifactory.High6.5.13

CVEs Not Impacting Artifactory

The following is a list of CVEs that do not impact Artifactory.

CVESeverityReason
CVE-2016-1000027 CriticalDoes not affect Artifactory, since it does not use the impacted HttpInvokerServiceExporter component for providing remote access.
CVE-2022-34305MediumDoes not affect Artifactory, since it does not use the impacted component that is included in the Apache Tomcat version.
CVE-2022-29885HighDoes not affect Artifactory, since it does not use the impacted component that is included in the Apache Tomcat version.
CVE-2018-10892HighDoes not affect Artifactory, since only Traefik uses it, and thereby applies only if the Docker Provider is turned on, which is not the case in Artifactory.
CVE-2020-0187MediumDoes not affect Artifactory, since it only affects the Android Platform.
CVE-2020-0187MediumDoes not affect Artifactory, since it only affects the Android Platform.
N/AMediumDoes not affect Artifactory, as it applies only when using Apache Sling which is not the case in Artifactory.
N/AMediumDoes not affect Artifactory, since it only affects SSLServerSocketAppender and {{SSLSocketAppender }}
CVE-2017-7536HighDoes not affect Artifactory, since Artifactory is not using org.hibernate_hibernate-validator.
CVE-2020-9484HighDoes not affect Artifactory, since the vulnerability is exploitable in case Tomcat is configured with PersistenceManager, which Artifactory does not use. 
CVE-2019-11888HighThis CVE supposedly affects Artifactory 6.x versions. The golang/go library is part of the Metadata Service which is not enabled in Artifactory 6.x version. 
CVE-2019-14809HighThis CVE supposedly affects Artifactory 6.x versions. The golang/go library is part of the Metadata Service which is not enabled in Artifactory 6.x version. 
CVE-2019-0232HighThe enableCmdLineArguments parameter is not enabled in the Apache Tomcat bundled with Artifactory.
CVE-2018-8014HighThe JFrog Apache Tomcat version is 8.5.32, which is not one of the vulnerable versions.
CVE-2018-1275HighThe JFrog Spring Framework version is 4.1.8, which is vulnerable to the CVE, as the version is unsupported. However, because JFrog does not implement STOMP broker, we are not exposed to this vulnerability

CVE-2018-8589

MediumJFrog is not responsible for vulnerabilities in the Windows operating system. Anyone using an on-premises environment should keep the Windows operating system up to date.
CVE-2018-11776HighDoes not affect Artifactory, since JFrog does not use Apache Struts.
CVE-2018-5925HighDoes not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog.
CVE-2018-5924HighDoes not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog.
CVE-2018-5382HighDoes not affect Artifactory, since JFrog does not use BKS-V1 keystore.
CVE-2018-1260HighDoes not affect Artifactory, since JFrog does not use Spring Security Oauth.
CVE-2018-1259HighDoes not affect Artifactory, since JFrog does not use Spring Data Commons.
CVE-2017-5664High
Does not affect Artifactory, since the default value for the readOnly property in the DefaultServlet is "true" (readOnly=true) in our environment. As mentioned in the CVE, you are only vulnerable: "...if the DefaultServlet is configured to permit writes..."
CVE-2017-5648Critical
Does not affect Artifactory, since the the tomcat/webapps folder only contains the Artifactory WAR and the Access WAR files used by the bundled Tomcat distribution.
CVE-2017-5647HighDoes not affect Artifactory, since the issue refers/relates only to the "Send File" service which is not used by Artifactory.
CVE-2017-5638CriticalArtifactory is not affected by the Apache Struts 2 vulnerability.
CVE-2014-0097HighFor LDAP authentication, Artifactory strictly uses the ArtifactoryLdapAuthenticationProvider class that uses the ArtifactoryLdapAuthenticator, wrapping the ArtifactoryBindAuthenticator. The latter class is the one used to perform the actual authentication and it does check for empty passwords.

Artifactory does not use any other provider with LDAP, such as ActiveDirectoryLdapAuthenticationProvider. This JIRA issue refers to an older class name, ActiveDirectoryLdapAuthenticator, that is not part of Spring Security and Artifactory.
CVE-2008-4108HighDoes not affect Artifactory, since Artifactory Jfrog does not require Python to be installed; the CVE is not relevant for Jfrog.
CVE-2005-2541HighDoes not affect Artifactory, since Artifactory uses Tar 1.30.1.

Insight

CVEs Impacting Insight

The following is a list of CVEs that were discovered to impact Insight and were fixed.

CVESeverity

Insight Fix Version

Fix Description
CVE-2022-31197High1.12.0PostgreSQL JDBC Driver (pgjdbc) has been upgraded from version 42.3.3 to version 42.4.1
CVE-2022-23708Medium1.11.3Elasticsearch has been upgraded from version 7.16.3 to version 7.17.1.
CVE-2022-22970Medium1.11.3spring-bootcore, has been upgraded from version 2.6.7 to version 2.7.0.
CVE-2022-22968High1.10.2spring-bootcore, has been upgraded from version 2.6.6 to version 2.6.7.
CVE-2020-36518High1.10.1jackson-databind, has been upgraded to version 2.13.2.1.
CVE-2022-22965Critical1.8.1sprint-bootcore, has been upgraded from version 2.6.2 to version 2.6.6.
CVE-2022-23181High1.7.0tomcat-embed-core, has been upgraded to version 9.0.58.
CVE-2022-21724Critical1.6.2pgjdbc, the official PostgreSQL JDBC Driver, has been upgraded to version 42.2.25.
CVE-2021-22569High1.6.2The protobuf-java component has been upgraded to version 3.19.2.
CVE-2021-22060Medium1.6.0Upgraded spring-web to version 5.3.14.
CVE-2021-42550Medium1.5.0Upgraded logback version to 1.2.9.
CVE-2021-31684High1.5.0Upgraded json-smart to version 1.3.3.
CVE-2021-21290Medium1.4.0Upgraded netty-codec-http:4.1.53.final to 4.1.59.Final.
CVE-2021-22096Medium1.4.0Upgraded spring-web to version 5.3.12.

CVEs Not Impacting Insight

CVESeverityReason
CVE-2020-25649HighSearchguard TLS Tool that uses the library is only used locally by system administrators for generating TLS certificates during an installation. Thus, it only runs on trusted data and can thus be not affected by this vulnerability.

Distribution

CVEs Impacting Distribution

The following is a list of CVEs that were discovered to impact Distribution and were fixed.

CVESeverity

Distribution Fix Version

Fix Description
CVE-2022-24785High2.12.3Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
CVE-2022-21724Medium2.12.0pgjdbc, the official PostgreSQL JDBC Driver, has been upgraded to version 42.2.25.
CVE-2021-42550 Medium2.11.0Upgraded the logback.xml to version 1.2.9.

CVEs Not Impacting Distribution

The following is a list of CVEs that do not impact Distribution.

CVESeverityReason
CVE-2022-22978HighUpgraded spring-security-web to version 5.7.0.
CVE-2022-22968MediumUpgraded spring-context to version 5.3.21.
CVE-2022-22970MediumUpgraded spring-beans to version 5.3.21.
CVE-2021-21309Critical

Does not affect Distribution, since Distribution uses 64-bit Redis and the issue affects only on a 32-bit system or as a 32-bit Redis executable running on a 64-bit system.

Mission Control

CVEs Impacting Mission Control

The following is a list of CVEs that were discovered to impact Mission Control and were fixed.

CVESeverity

Mission Control Fix Version

Fix Description
CVE-2021-37136High4.7.15Upgraded netty-codec to 4.1.68.Final.
CVE-2021-22149High4.7.14Upgraded Elasticsearch to 7.14.0.
CVE-2021-22148High4.7.14Upgraded Elasticsearch to 7.14.0.
CVE-2021-22147Medium4.7.14Upgraded Elasticsearch to 7.14.0.
CVE-2021-31684High4.7.13Upgraded Apache HttpClient to version 4.5.13.
CVE-2021-22112High4.7.13Upgraded spring-security-web to version 5.4.4.
CVE-2020-13956Medium4.7.13Upgraded json-smart to version 2.4.7.
CVE-2021-35517High4.7.11Upgraded common-compress to version 1.2.1.
CVE-2021-27568Critical 4.7.11Upgraded json-smart to version 2.4.7.
CVE-2020-28052High4.7.11Upgraded bc-java to version 1.6.7.

CVEs Not Impacting Mission Control

CVESeverityReason
CVE-2020-8908                                                                  LowDoes not affect Artifactory, since JFrog does not use the com.google.common.io.Files.createTempDir() function.

Vulnerabilities Without a CVE Impacting Mission Control

The following is a list of vulnerabilities that do not have a CVE that impacted Mission Control and have been fixed. 

Fix DescriptionSeverityMission Control Fix Version
Updated netty-codec to version 4.1.66.Final.Critical4.7.11

Vulnerabilities Without a CVE Not Impacting Mission Control

The following is a list of vulnerabilities that do not have a CVE and that do not impact Mission Control.

Fix DescriptionSeverityMission Control Fix Version

Flyway insecure logging local password disclosure (org.flywaydb:flyway-core / 4.2.0)

High"Not Affected" 3rd party package: The default log level is set to WARN.

Pipelines

CVEs Not Impacting Pipelines

The following is a list of CVEs that do not impact Pipelines.

CVESeverityPipelines Fix VersionReason

CVE-2022-32212

High1.25.1Upgraded Node.js to version 16.16.0
CVE-2022-32213Critical1.25.1Upgraded Node.js to version 16.16.0
CVE-2022-32214Critical1.25.1  Upgraded Node.js to version 16.16.0
CVE-2022-32215Critical1.25.1  Upgraded Node.js to version 16.16.0
CVE-2022-32223High1.25.1  Upgraded Node.js to version 16.16.0
CVE-2022-0235Medium1.24.0Removed node-fetch dependency.
CVE-2021-23343High1.20.2

Does not affect Pipelines, since path-parse is not used by Pipelines.

CVE-2021-3918Critical1.20.2

Does not affect Pipelines. Though the vulnerable library json-schema is a sub-dependency of request@ 2.88.2, the vulnerable function validate is not called from request.

CVE-2021-23358High1.20.2

Does not affect Pipelines, since underscore@1.4.4 is a submodule of ssh-keygen and Pipelines is not calling the vulnerable template function.

CVE-2022-25648HighN/ADoes not impact Pipelines as core services control what commands are passed in to the git command 
CVE-2022-24921High1.27.0User can cause stack exhaustion using jfrog cli in a step, but this would merely lead to a step failing. 
CVE-2022-30634High1.27.0Jfrog cli prevents a max buffer from being passed by the user

Vulnerabilities Without a CVE Not Impacting Pipelines

The following is a list of vulnerabilities that do not have a CVE and that do not impact Pipelines

DescriptionSeverityPipelines Fix VersionReason

Preventing remove-markdown RedDos

Medium1.23.2

RedDos vulnerable code will run with a timeout

Prototype pollution flaw in clean-css 4.2.4

High1.20.2

Does not affect Pipelines, since clean-css@4.2.4 is submodule of mjml and Pipelines is not calling the vulnerable template function

Prototype pollution flaw in node-forge 0.10.0 Critical
Does not affect Pipelines, since Pipelines and win-ca does not call the vulnerable debug function.

Frontend

Vulnerabilities Without a CVE Not Impacting Frontend

The following is a list of vulnerabilities that do not have a CVE and that do not impact Frontend

DescriptionSeverityReason
Prototype pollution flaw in node-forge 0.10.0 CriticalDoes not affect Frontend, since Frontend and selfsigned does not call the vulnerable debug function.

Xray

CVEs Impacting Xray

The following is a list of CVEs that were discovered to impact Xray and were fixed.

CVESeverity

Xray Fix Version

Fix Description
CVE-2022-29526Medium3.55.2Upgraded Golang version to 1.18.4.
CVE-2022-30634High3.55.2Upgraded Golang version to 1.18.4.
CVE-2022-30632High3.55.2Upgraded Golang version to 1.18.4.
CVE-2022-30630High3.55.2Upgraded Golang version to 1.18.4.
CVE-2022-30631High3.55.2Upgraded Golang version to 1.18.4.
CVE-2022-24769Medium3.54.5Upgraded Containerd version to 1.5.11.
CVE-2022-29526Medium3.54.5Upgraded to Golang version to 1.17.11.
CVE-2022-23806Critical3.50.3Upgraded JFrog router version to 7.39.0.
CVE-2022-27191High3.49.0Upgraded golang.org/x/crypto to v0.0.0-20220314234659-1baeb1ce4c0.

CVE-2022-24675

High3.48.2Upgraded Golang version to 1.17.9.
CVE-2022-24921High3.48.2Upgraded Golang version to 1.17.9.

CVE-2021-43816

Critical3.42.3Upgraded Containerd version to 1.5.9.
CVE-2021-44717Medium3.41.4Upgraded Golang version to 1.17.5.
CVE-2021-44716High 3.41.4Upgraded Golang version to 1.17.5.
CVE-2021-41771High3.38.1Upgraded Golang version to 1.17.3.
CVE-2021-33196High3.34.1Upgraded Golang version to 1.15.13, 1.16.5.

CVEs Not Impacting Xray

The following is a list of CVEs that were discovered to not impact Xray.

CVE

Severity

Xray Fix Version

Fix Description

CVE-2021-38197Critical3.57.6Upgraded go-unarr library to version v0.1.4.
  • No labels
Copyright © 2022 JFrog Ltd.