Artifactory

CVEs Impacting Artifactory

The following is a list of CVEs that were discovered to impact Artifactory and were fixed.

| CVE | Severity | Artifactory Fix Version | Fix Description |
|---|---|---|---|
| CVE-2021-43797 | Medium | 7.37.13 | Upgraded Netty version 4.1.68 to version 4.1.71. |
| CVE-2021-3807 | High | 7.37.13 | Upgraded ansi-regex version 4.1.0 and 3.0.0 to version 5.0.1 or 6.0.1. |
| CVE-2022-23806 | Critical | 7.37.13 | Upgraded Go (Curve.IsOnCurve in crypto/elliptic was affected in versions prior to 1.16.14 and 1.17.x prior to 1.17.7) to version 1.17.7. |
| CVE-2021-38561 | High | 7.37.13 | Upgraded internal/language/parse.go version 0.3.6 to version 0.3.7. |
| CVE-2021-41091 | Medium | 7.35.1 | Upgraded to docker v20.10.9 and image-spec v1.0.2. |
| CVE-2021-41090 | Medium | 7.35.1 | Upgraded to docker v20.10.9 and image-spec v1.0.2. |
| CVE-2021-22060 | Medium | 7.34.4 | Upgraded org.springframework:spring-core:5.3.12 to version 5.3.14. |
| CVE-2021-42550 | Medium | 7.31.10 | Upgraded the logback.xml to version 1.2.9. |
| CVE-2017-9506 | Medium | 7.31.10 | Upgraded the IconUriServlet of the Atlassian OAuth Plugin to 2.0.4. |
| CVE-2015-2575 | Medium | 7.31.10 | Upgraded mysql:mysql-connector-java:8.0.20 to 8.0.27. |
| CVE-2021-42340 | High | 7.31.10 | Upgraded the Apache Tomcat version: 9.0.48 to 9.0.55 and 8.5.66 to 8.5.73. |
| CVE-2021-3765 | High | 7.31.10 | Upgraded the validator version to 13.6.0. |
| CVE-2020-13949 | High | 7.31.10 | Upgraded to jaeger 1.6.0, which uses Thrift 0.14.1. |
| CVE-2021-35560, CVE-2021-35550, CVE-2021-35556, CVE-2021-35561, CVE-2021-35564, CVE-2021-35565, CVE-2021-35567, CVE-2021-35578, CVE-2021-35586, CVE-2021-35588, CVE-2021-35603 | High | 7.31.10 | Upgraded to Java version 1.11.0_13. |
| CVE-2021-36374 | Medium | 7.31.10 | Upgraded Apache ant-1.9.15 to version ant-1.10.1. |
| CVE-2021-33037 | Medium | 7.27.3 | Upgraded to Apache Tomcat version 8.5.68 or later. |
| CVE-2021-22147 | High | 7.27.3 | Upgraded org.elasticsearch:elasticsearch to version 7.14.0. |
| CVE-2021-22148 | High | 7.27.3 | Upgraded org.elasticsearch:elasticsearch to version 7.14.0. |
| CVE-2021-22149 | High | 7.27.3 | Upgraded org.elasticsearch:elasticsearch to version 7.14.0. |
| CVE-2021-30129 | High | 7.25.4 (Cloud) | Upgraded org.apache.sshd:sshd-core:2.6.0 to version v2.7. |
| CVE-2017-18640 | High | 7.25.4 (Cloud) | Upgraded Snakeyaml 1.23 (XML Entity Expansion) to version 1.26. |
| CVE-2021-27568 | Critical | 7.25.4 (Cloud) | Upgraded json-smart-1.3.1 to version 2.4.7. |
| CVE-2020-29582 | Medium | 7.25.4 (Cloud) | Updated to the latest release of Kotlin, from version 1.3.50 to 1.5.20. |
| CVE-2017-18640 | High | 7.25.4 (Cloud) | Updated Snakeyaml version 1.23 (XML Entity Expansion) to version 1.29. |
| CVE-2021-27568 | Critical | 7.25.4 (Cloud) | Updated json-smart-1.3.1 to version 2.4.7. |
| CVE-2021-26291 | Normal | 7.24.1 | Upgraded to Maven version 3.8.1. |
| CVE-2021-13936 | High | 7.24.1 | Upgraded the Apache Velocity engine versions to 2.2. |
| CVE-2019-20104 | High | 7.24.1 | Upgraded Crowd version to 3.7.2. |
| CVE-2018-9116 | Critical | 7.23.3 | Upgraded wiremock to version 2.28.0. |
|  | Critical | 7.21.3 | Upgraded XStream to version 1.4.17. |
| CVE-2021-26291 | High | 7.21.3 | Upgraded Apache Maven to version 3.8.1. |
| CVE-2021-21290 | Medium | 7.21.3 | Upgraded netty-codec-http:4.1.53.Final to 4.1.59.Final. |
| CVE-2020-17521 | Medium | 7.21.3 | Upgraded org.codehaus.groovy:groovy-all from 2.4.16 to 2.5.14. |
| CVE-2020-14340 | Medium | 7.21.3 | Upgraded org.jboss.xnio:xnio-nio to version 3.8.4.Final. |
|  | High | 7.17.4 | Upgraded to Spring Security Web version 5.4.5. |
|  | High | 7.17.4 | Upgraded to Apache Tomcat version 8.5.63. |
|  | Medium | 7.15.3 | Upgraded org.hibernate:hibernate-validator to version 6.0.18. |
| CVE-2019-17571 | Medium | 7.15.3 | Upgraded log4j-to-slf4j and log4j-api to version 2.14.0. |
|  | High | 7.11.1 | Removed hazelcast-3.6.1.jar from Artifactory. |
|  | Medium | 7.11.1 | Upgraded org.eclipse.jetty:jetty-http to version 9.4.11.v20180605. |
|  | High | 7.11.1 | Upgraded Plexus-utils to version 3.3.0. |
|  | High | 7.11.1 | Upgraded fasterxml.jackson.version to version 2.11.3. |
|  | High | 7.10.5 | Upgraded bcprov-jdk15on to version 1.64. |
|  | High | 7.10.5 | Upgraded cryptacular-1.1.1.jar in artifactory.war to version 1.1.4. |
| CVE-2020-7692 | Critical | 7.10.2 | Upgraded the google-oauth-client library from version 1.27 to 1.31. |
|  | Medium | 7.10.1 | Upgraded the Commons-compress library to 1.20. |
|  | Medium | 7.10.1 | Upgraded the Commons-compress library to 1.20. |
|  | High | 7.10.1 | Upgraded to the latest version of Go, 1.14.9. |
|  | High | 7.10.1 | Upgraded the Crowd library to 3.7.2. |
|  | High | 7.10.1 | Upgraded to XStream-1.4.11.1. |
|  | High | 7.10.1 | Upgraded to XStream-1.4.11.1. |
|  | Critical | 7.10.1 | Upgraded to XStream-1.4.11.1. |
| CVE-2020-8203 | High | 7.9.0 | Upgraded lodash version to 4.17.20. |
| CVE-2020-1745 | Critical | 7.9.0 | Upgraded io.undertow:undertow-core from 2.0.15.Final to 2.0.30.Final. |
| CVE-2017-15095 | Critical | 7.8.1 | Upgraded fge:jackson-coreutils:jar to version 2.0. |
| CVE-2017-17485 | Critical | 7.8.1 | Upgraded fge:jackson-coreutils:jar to version 2.0. |
| CVE-2017-7525 | Critical | 7.8.1 | Upgraded fge:jackson-coreutils:jar to version 2.0. |
| CVE-2020-13935 | High | 7.7.0 | Upgraded Apache Tomcat to version 8.5.57. |
| CVE-2020-13934 | High | 7.7.0 | Upgraded Apache Tomcat to version 8.5.57. |
| CVE-2020-11996 | High | 7.7.0 | Upgraded Apache Tomcat to version 8.5.57. |
| CVE-2020-28500, CVE-2020-8203, CVE-2021-23337 | Critical | 6.23.25 | Upgraded the npm lodash library to version 4.17.21. |
| CVE-2017-18214 | High | 6.23.25 | Upgraded the npm moment.js library to version 2.19.3. |
| CVE-2017-18640 | High | 6.23.0 | Upgraded snakeyaml-1.23.jar from version 1.26 to 1.27. |
| CVE-2020-7692 | Critical | 6.23.0 | Upgraded the google-oauth-client library from version 1.27 to 1.31. |
| CVE-2019-12402 | Medium | 6.23.0 | Upgraded the Commons-compress library to version 1.20. |
| CVE-2020-15586 and Go issue golang.org/issue/34902 | High | 6.23.0 | Upgraded to the latest version of Go, 1.14.9. |
| CVE-2019-20104 | High | 6.23.0 | Upgraded the Crowd library to version 3.7.2. |
| CVE-2018-1000206 | High | 6.1 | Artifactory now validates the actual value of the X-Requested-With header instead of only checking that it is present. |
| CVE-2017-7525 | Critical | 6.1 | Upgraded FasterXML jackson-databind to versions 2.93 and 2.8.10, which include a fix to prevent unauthenticated remote code execution. |
| CVE-2016-8745 | High | 5.2.0 | Upgraded Apache Tomcat to version 8.0.41, which includes a fix for the NIO HTTP connector vulnerability. |
| CVE-2016-8735 | Critical | 5.0.0 | Upgraded Apache Tomcat to version 8.0.39. |
| CVE-2016-3092 | High | 5.0.0 | Upgraded Apache Tomcat to version 8.0.39. |
| CVE-2016-6501 | Critical | 4.11.0 | Added the "Secure LDAP Search" option in the Artifactory LDAP settings to protect against LDAP poisoning by filtering out users exposed to the vulnerability. |
| CVE-2014-3623 | High | 4.10.0 | Upgraded the wss4j library to version 1.6.17 and Apache CXF to version 2.7.13. |
| CVE-2015-0227 | Medium | 4.10.0 | Upgraded the wss4j library to version 1.6.17 and Apache CXF to version 2.7.13. |
| CVE-2014-0114 | High | 4.10.0 | Upgraded commons-beanutils to version 1.9.2. |
| CVE-2015-7940 | Medium | 4.8.1 | Upgraded the relevant libraries that included the Bouncy Castle Java library as a dependency. |
| CVE-2013-4517 | Medium | 4.8.0 | Upgraded the relevant libraries that included the Apache XML Security for Java library as a dependency. |
| CVE-2015-4852 | High | 4.5.2 | Upgraded the commons-collections library to version 3.2.2. |
| CVE-2015-3253 | Critical | 4.2.1 | Upgraded the Groovy-all library to version 2.4.4. |
| CVE-2014-0107 | High | 4.2.1 | Upgraded the Xalan library to version 2.7.2. |
| CVE-2014-3577 | Medium | 3.3.1 | Upgraded the HttpClient library to version 4.3.5. |

Vulnerabilities Without a CVE Impacting Artifactory

The following is a list of vulnerabilities that do not have a CVE that impacted Artifactory and have been fixed. 

| Description | Severity | Artifactory Fix Version |
|---|---|---|
| Updated jackson-dataformats-binary to version 2.12.3. | High | 7.21.3 |
| Excluded the Plexus-cipher library. | Medium | 7.21.3 |
| Upgraded com.nimbusds:oauth2-oidc-sdk:6.14 to 9.9.3. | High | 7.21.3 |
| Upgraded to wiremock-jre8 version 2.28.0. | High | 7.21.3 |
| Upgraded maven-shared-utils:3.2.1 to version 334. | Critical | 7.21.3 |
| Under certain circumstances, authenticated users were able to (a) retrieve environment information from Artifactory that normally required administrative rights, and (b) deploy binaries to Artifactory from different upstreams without having adequate permissions to perform these actions. | Critical | 6.13.3, 6.14.4, 6.15.2, 6.16.2, 6.17.1, 6.18.1, 7.3.2 |
| Under certain circumstances, users could gain access to application data that should otherwise be exposed only to administrators. | Critical | 6.8.14, 6.9.3, 6.10.4 |
| Under certain circumstances, an unauthorized user may be able to send malformed REST API calls to Artifactory that execute under the identity of another user. | Critical | 5.6.8, 5.7.3, 5.8.12, 5.9.8, 5.10.5, 5.11.5; 6.0.4, 6.1.4, 6.2.1, 6.3.4, 6.4.2, 6.5.9 |
| A SAML-related authentication vulnerability potentially exposed Artifactory to XSW attacks, which could sniff and manipulate SAML communications and cause incorrect verification of a SAML login response. This could potentially allow an attacker to gain access to any user in Artifactory. | High | 6.5.13 |



CVEs Not Impacting Artifactory

The following is a list of CVEs that do not impact Artifactory.

| CVE | Severity | Reason |
|---|---|---|
| CVE-2018-10892 | High | Does not affect Artifactory, since only Traefik uses it, and it therefore applies only if the Docker Provider is turned on, which is not the case in Artifactory. |
| CVE-2020-0187 | Medium | Does not affect Artifactory, since it only affects the Android platform. |
| N/A | Medium | Does not affect Artifactory, as it applies only when using Apache Sling, which is not the case in Artifactory. |
| N/A | Medium | Does not affect Artifactory, since it only affects SSLServerSocketAppender and SSLSocketAppender. |
| CVE-2017-7536 | High | Does not affect Artifactory, since Artifactory does not use org.hibernate_hibernate-validator. |
| CVE-2020-9484 | High | Does not affect Artifactory, since the vulnerability is exploitable only when Tomcat is configured with PersistenceManager, which Artifactory does not use. |
| CVE-2019-11888 | High | This CVE supposedly affects Artifactory 6.x versions. The golang/go library is part of the Metadata Service, which is not enabled in Artifactory 6.x. |
| CVE-2019-14809 | High | This CVE supposedly affects Artifactory 6.x versions. The golang/go library is part of the Metadata Service, which is not enabled in Artifactory 6.x. |
| CVE-2019-0232 | High | The enableCmdLineArguments parameter is not enabled in the Apache Tomcat bundled with Artifactory. |
| CVE-2018-8014 | High | The Apache Tomcat version bundled by JFrog is 8.5.32, which is not one of the vulnerable versions. |
| CVE-2018-1275 | High | The Spring Framework version used by JFrog is 4.1.8, which is vulnerable to the CVE, as the version is unsupported. However, because JFrog does not implement a STOMP broker, we are not exposed to this vulnerability. |
| CVE-2018-8589 | Medium | JFrog is not responsible for vulnerabilities in the Windows operating system. Anyone using an on-premises environment should keep the Windows operating system up to date. |
| CVE-2018-11776 | High | Does not affect Artifactory, since JFrog does not use Apache Struts. |
| CVE-2018-5925 | High | Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog. |
| CVE-2018-5924 | High | Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog. |
| CVE-2018-5382 | High | Does not affect Artifactory, since JFrog does not use the BKS-V1 keystore. |
| CVE-2018-1260 | High | Does not affect Artifactory, since JFrog does not use Spring Security OAuth. |
| CVE-2018-1259 | High | Does not affect Artifactory, since JFrog does not use Spring Data Commons. |
| CVE-2017-5664 | High | Does not affect Artifactory, since the default value of the readOnly property of the DefaultServlet is "true" (readOnly=true) in our environment. As the CVE states, you are only vulnerable "...if the DefaultServlet is configured to permit writes...". |
| CVE-2017-5648 | Critical | Does not affect Artifactory, since the tomcat/webapps folder contains only the Artifactory WAR and the Access WAR files used by the bundled Tomcat distribution. |
| CVE-2017-5647 | High | Does not affect Artifactory, since the issue relates only to the "Send File" service, which is not used by Artifactory. |
| CVE-2017-5638 | Critical | Artifactory is not affected by the Apache Struts 2 vulnerability. |
| CVE-2014-0097 | High | For LDAP authentication, Artifactory strictly uses the ArtifactoryLdapAuthenticationProvider class, which uses the ArtifactoryLdapAuthenticator, wrapping the ArtifactoryBindAuthenticator. The latter class performs the actual authentication and does check for empty passwords. Artifactory does not use any other provider with LDAP, such as ActiveDirectoryLdapAuthenticationProvider. This JIRA issue refers to an older class name, ActiveDirectoryLdapAuthenticator, that is not part of Spring Security or Artifactory. |
| CVE-2008-4108 | High | Does not affect Artifactory, since Artifactory does not require Python to be installed; the CVE is not relevant for JFrog. |
| CVE-2005-2541 | High | Does not affect Artifactory, since Artifactory uses Tar 1.30.1. |

Insight

CVEs Impacting Insight

The following is a list of CVEs that were discovered to impact Insight and were fixed.

| CVE | Severity | Insight Fix Version | Fix Description |
|---|---|---|---|
| CVE-2022-22968 | High | 1.10.2 | spring-bootcore has been upgraded from version 2.6.6 to version 2.6.7. |
| CVE-2020-36518 | High | 1.10.1 | jackson-databind has been upgraded to version 2.13.2.1. |
| CVE-2022-22965 | Critical | 1.8.1 | spring-bootcore has been upgraded from version 2.6.2 to version 2.6.6. |
| CVE-2022-23181 | High | 1.7.0 | tomcat-embed-core has been upgraded to version 9.0.58. |
| CVE-2022-21724 | Critical | 1.6.2 | pgjdbc, the official PostgreSQL JDBC Driver, has been upgraded to version 42.2.25. |
| CVE-2021-22569 | High | 1.6.2 | The protobuf-java component has been upgraded to version 3.19.2. |
| CVE-2021-22060 | Medium | 1.6.0 | Upgraded spring-web to version 5.3.14. |
| CVE-2021-42550 | Medium | 1.5.0 | Upgraded logback version to 1.2.9. |
| CVE-2021-31684 | High | 1.5.0 | Upgraded json-smart to version 1.3.3. |
| CVE-2021-21290 | Medium | 1.4.0 | Upgraded netty-codec-http:4.1.53.Final to 4.1.59.Final. |
| CVE-2021-22096 | Medium | 1.4.0 | Upgraded spring-web to version 5.3.12. |

CVEs Not Impacting Insight

| CVE | Severity | Reason |
|---|---|---|
| CVE-2020-25649 | High | The Searchguard TLS Tool that uses the library is only used locally by system administrators to generate TLS certificates during an installation. It therefore runs only on trusted data and is not affected by this vulnerability. |

Distribution

CVEs Impacting Distribution

The following is a list of CVEs that were discovered to impact Distribution and were fixed.

| CVE | Severity | Distribution Fix Version | Fix Description |
|---|---|---|---|
| CVE-2022-24785 | High | 2.12.3 | Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch the moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js. |
| CVE-2022-21724 | Medium | 2.12.0 | pgjdbc, the official PostgreSQL JDBC Driver, has been upgraded to version 42.2.25. |
| CVE-2021-42550 | Medium | 2.11.0 | Upgraded the logback.xml to version 1.2.9. |

CVEs Not Impacting Distribution

The following is a list of CVEs that do not impact Distribution.

| CVE | Severity | Reason |
|---|---|---|
| CVE-2021-21309 | Critical | Does not affect Distribution, since Distribution uses 64-bit Redis and the issue affects only 32-bit systems or a 32-bit Redis executable running on a 64-bit system. |



Mission Control

CVEs Impacting Mission Control

The following is a list of CVEs that were discovered to impact Mission Control and were fixed.

| CVE | Severity | Mission Control Fix Version | Fix Description |
|---|---|---|---|
| CVE-2021-37136 | High | 4.7.15 | Upgraded netty-codec to 4.1.68.Final. |
| CVE-2021-22149 | High | 4.7.14 | Upgraded Elasticsearch to 7.14.0. |
| CVE-2021-22148 | High | 4.7.14 | Upgraded Elasticsearch to 7.14.0. |
| CVE-2021-22147 | Medium | 4.7.14 | Upgraded Elasticsearch to 7.14.0. |
| CVE-2021-31684 | High | 4.7.13 | Upgraded Apache HttpClient to version 4.5.13. |
| CVE-2021-22112 | High | 4.7.13 | Upgraded spring-security-web to version 5.4.4. |
| CVE-2020-13956 | Medium | 4.7.13 | Upgraded json-smart to version 2.4.7. |
| CVE-2021-35517 | High | 4.7.11 | Upgraded common-compress to version 1.2.1. |
| CVE-2021-27568 | Critical | 4.7.11 | Upgraded json-smart to version 2.4.7. |
| CVE-2020-28052 | High | 4.7.11 | Upgraded bc-java to version 1.6.7. |

Vulnerabilities Without a CVE Impacting Mission Control

The following is a list of vulnerabilities that do not have a CVE that impacted Mission Control and have been fixed. 

| Fix Description | Severity | Mission Control Fix Version |
|---|---|---|
| Updated netty-codec to version 4.1.66.Final. | Critical | 4.7.11 |

Pipelines

CVEs Not Impacting Pipelines

The following is a list of CVEs that do not impact Pipelines.

| CVE | Severity | Pipelines Fix Version | Reason |
|---|---|---|---|
| CVE-2021-23343 | High | 1.20.2 | Does not affect Pipelines, since path-parse is not used by Pipelines. |
| CVE-2021-3918 | Critical | 1.20.2 | Does not affect Pipelines. Although the vulnerable library json-schema is a sub-dependency of request@2.88.2, the vulnerable function validate is not called from request. |
| CVE-2021-23358 | High | 1.20.2 | Does not affect Pipelines, since underscore@1.4.4 is a submodule of ssh-keygen and Pipelines does not call the vulnerable template function. |

Vulnerabilities Without a CVE Not Impacting Pipelines

The following is a list of vulnerabilities that do not have a CVE and that do not impact Pipelines.

| Description | Severity | Pipelines Fix Version | Reason |
|---|---|---|---|
| Preventing remove-markdown ReDoS | Medium | 1.23.2 | The ReDoS-vulnerable code now runs with a timeout. |
| Prototype pollution flaw in clean-css 4.2.4 | High | 1.20.2 | Does not affect Pipelines, since clean-css@4.2.4 is a submodule of mjml and Pipelines does not call the vulnerable template function. |
| Prototype pollution flaw in node-forge 0.10.0 | Critical |  | Does not affect Pipelines, since neither Pipelines nor win-ca calls the vulnerable debug function. |



Frontend

Vulnerabilities Without a CVE Not Impacting Frontend

The following is a list of vulnerabilities that do not have a CVE and that do not impact Frontend.

| Description | Severity | Reason |
|---|---|---|
| Prototype pollution flaw in node-forge 0.10.0 | Critical | Does not affect Frontend, since neither Frontend nor selfsigned calls the vulnerable debug function. |

Xray

CVEs Impacting Xray

The following is a list of CVEs that were discovered to impact Xray and were fixed.

| CVE | Severity | Xray Fix Version | Fix Description |
|---|---|---|---|
| CVE-2022-27191 | High | 3.49.0 | Upgraded golang.org/x/crypto to v0.0.0-20220314234659-1baeb1ce4c0. |
| CVE-2022-24675 | High | 3.48.2 | Upgraded Golang version to 1.17.9. |
| CVE-2022-24921 | High | 3.48.2 | Upgraded Golang version to 1.17.9. |
| CVE-2021-43816 | Critical | 3.42.3 | Upgraded Containerd version to 1.5.9. |
| CVE-2021-44717 | Medium | 3.41.4 | Upgraded Golang version to 1.17.5. |
| CVE-2021-44716 | High | 3.41.4 | Upgraded Golang version to 1.17.5. |
| CVE-2021-41771 | High | 3.38.1 | Upgraded Golang version to 1.17.3. |
| CVE-2021-33196 | High | 3.34.1 | Upgraded Golang version to 1.15.13, 1.16.5. |
Copyright © 2022 JFrog Ltd.