Vulnerabilities Without a CVE Impacting Artifactory
The following is a list of vulnerabilities without a CVE that impacted Artifactory and have been fixed.
Description | Severity | Artifactory Fix Version |
---|---|---|
Updated jackson-dataformats-binary to version 2.12.3. | High | 7.21.3 |
Excluded the Plexus-cipher library. | Medium | 7.21.3 |
Upgraded com.nimbusds:oauth2-oidc-sdk from version 6.14 to 9.9.3. | High | 7.21.3 |
Upgraded to wiremock-jre8 version 2.28.0. | High | 7.21.3 |
Upgraded maven-shared-utils from version 3.2.1 to 3.3.4. | Critical | 7.21.3 |
Under certain circumstances, authenticated users were able to: | Critical | |
Under certain circumstances, users could gain access to application data that should otherwise be exposed only to administrators. | Critical | 6.8.14, 6.9.3, 6.10.4 |
Under certain circumstances, an unauthorized user may be able to send malformed REST API calls to Artifactory that execute under the identity of another user. | Critical | |
A SAML-related authentication vulnerability potentially exposed Artifactory to XML Signature Wrapping (XSW) attacks, in which an attacker who can intercept and manipulate SAML communications causes a SAML login response to be verified incorrectly. This could potentially allow the attacker to gain access as any user in Artifactory. | High | 6.5.13 |
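The XSW row above names the attack but not the structural check that defends against it. The following is an added example, not Artifactory code or any JFrog code: two constructed SAML Response documents (one legitimate, one wrapped) and two consumers. The naive consumer takes the first Assertion it finds; the hardened consumer accepts only the single Assertion whose ID the signature's Reference URI names and which carries the enveloped signature. Cryptographic verification of the signature is out of scope here (the SignatureValue is a placeholder); the point is that a verified signature says nothing about an element the consumer reads from elsewhere in the document.

```python
"""Added example (not Artifactory or JFrog code): why signature verification alone
does not stop XML Signature Wrapping (XSW) on a SAML Response, and the structural
check that must accompany it. Both documents below are constructed for this
example; the SignatureValue is a placeholder and is never verified here."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed: one Assertion, with an enveloped signature whose Reference points at it.
LEGITIMATE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp">
  <saml:Assertion ID="_orig">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_orig"/></ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed: the attacker keeps the signed Assertion intact (so the signature
# still resolves by ID and verifies) but buries it inside an Extensions element
# and places an unsigned Assertion for "admin" first in document order.
WRAPPED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp">
  <saml:Assertion ID="_evil">
    <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  </saml:Assertion>
  <samlp:Extensions>
    <saml:Assertion ID="_orig">
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#_orig"/></ds:SignedInfo>
        <ds:SignatureValue>placeholder</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Extensions>
</samlp:Response>"""


def naive_subject(xml_text: str) -> str:
    """Consumer that trusts the first Assertion it finds once a signature verified."""
    root = ET.fromstring(xml_text)
    assertion = root.find(".//saml:Assertion", NS)  # first match in document order
    return assertion.find("saml:Subject/saml:NameID", NS).text


def hardened_subject(xml_text: str) -> str:
    """Consume only the single Assertion that the signature's Reference names."""
    root = ET.fromstring(xml_text)

    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]

    references = root.findall(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if len(references) != 1:
        raise ValueError(f"expected exactly one signature Reference, found {len(references)}")
    uri = references[0].get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document ID references are accepted")

    # Resolve the ID ourselves and insist it is the very element we are about to trust.
    targets = [el for el in root.iter() if el.get("ID") == uri[1:]]
    if len(targets) != 1 or targets[0] is not assertion:
        raise ValueError("signed element is not the Assertion being consumed")

    # The signature must be enveloped in that Assertion, not floating elsewhere.
    if assertion.find("ds:Signature", NS) is None:
        raise ValueError("Assertion carries no enveloped signature")

    return assertion.find("saml:Subject/saml:NameID", NS).text


def rejected(xml_text: str) -> bool:
    """True if the hardened consumer refuses the document."""
    try:
        hardened_subject(xml_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, doc in (("legitimate", LEGITIMATE_RESPONSE), ("wrapped", WRAPPED_RESPONSE)):
        verdict = "rejected" if rejected(doc) else hardened_subject(doc)
        print(f"{name}: naive -> {naive_subject(doc)} | hardened -> {verdict}")
```

The hardened consumer rejects the wrapped document before any subject is read because it contains two Assertion elements; even with a single Assertion, the identity check between the Reference target and the consumed element closes the remaining wrapping variants. In a real service provider this check sits alongside, not instead of, full XML-DSig verification against a pinned IdP certificate.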
CVEs Not Impacting Artifactory
The following is a list of CVEs that do not impact Artifactory.
CVE | Severity | Reason |
---|---|---|
CVE-2018-10892 | High | Does not affect Artifactory, since the affected component is used only by Traefik, and only when its Docker provider is enabled, which is not the case in Artifactory. |
CVE-2020-0187 | Medium | Does not affect Artifactory, since it only affects the Android Platform. |
N/A | Medium | Does not affect Artifactory, as it applies only when using Apache Sling which is not the case in Artifactory. |
N/A | Medium | Does not affect Artifactory, since it only affects SSLServerSocketAppender and SSLSocketAppender. |
CVE-2017-7536 | High | Does not affect Artifactory, since Artifactory does not use org.hibernate:hibernate-validator. |
CVE-2020-9484 | High | Does not affect Artifactory, since the vulnerability is exploitable in case Tomcat is configured with PersistenceManager, which Artifactory does not use. |
CVE-2019-11888 | High | Reported against Artifactory 6.x versions, but the golang/go library is part of the Metadata Service, which is not enabled in Artifactory 6.x. |
CVE-2019-14809 | High | Reported against Artifactory 6.x versions, but the golang/go library is part of the Metadata Service, which is not enabled in Artifactory 6.x. |
CVE-2019-0232 | High | The enableCmdLineArguments parameter is not enabled in the Apache Tomcat bundled with Artifactory. |
CVE-2018-8014 | High | The JFrog Apache Tomcat version is 8.5.32, which is not one of the vulnerable versions. |
CVE-2018-1275 | High | The JFrog Spring Framework version is 4.1.8, an unsupported version that falls within the vulnerable range. However, because JFrog does not implement a STOMP broker, Artifactory is not exposed to this vulnerability. |
|  | Medium | JFrog is not responsible for vulnerabilities in the Windows operating system. Anyone using an on-premises environment should keep the Windows operating system up to date. |
CVE-2018-11776 | High | Does not affect Artifactory, since JFrog does not use Apache Struts. |
CVE-2018-5925 | High | Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog. |
CVE-2018-5924 | High | Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog. |
CVE-2018-5382 | High | Does not affect Artifactory, since JFrog does not use BKS-V1 keystore. |
CVE-2018-1260 | High | Does not affect Artifactory, since JFrog does not use Spring Security Oauth. |
CVE-2018-1259 | High | Does not affect Artifactory, since JFrog does not use Spring Data Commons. |
CVE-2017-5664 | High | Does not affect Artifactory, since the default value for the readOnly property in the DefaultServlet is "true" (readOnly=true) in our environment. As mentioned in the CVE, you are only vulnerable: "...if the DefaultServlet is configured to permit writes..." |
CVE-2017-5648 | Critical | Does not affect Artifactory, since the tomcat/webapps folder only contains the Artifactory WAR and the Access WAR files used by the bundled Tomcat distribution. |
CVE-2017-5647 | High | Does not affect Artifactory, since the issue refers/relates only to the "Send File" service which is not used by Artifactory. |
CVE-2017-5638 | Critical | Artifactory is not affected by the Apache Struts 2 vulnerability. |
CVE-2014-0097 | High | For LDAP authentication, Artifactory strictly uses the ArtifactoryLdapAuthenticationProvider class that uses the ArtifactoryLdapAuthenticator, wrapping the ArtifactoryBindAuthenticator. The latter class is the one used to perform the actual authentication and it does check for empty passwords. Artifactory does not use any other provider with LDAP, such as ActiveDirectoryLdapAuthenticationProvider. This JIRA issue refers to an older class name, ActiveDirectoryLdapAuthenticator, that is not part of Spring Security and Artifactory. |
CVE-2008-4108 | High | Does not affect Artifactory, since JFrog Artifactory does not require Python to be installed; the CVE is not relevant for JFrog. |
CVE-2005-2541 | High | Does not affect Artifactory, since Artifactory uses Tar 1.30.1. |
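The "Fix Version" cells in the Artifactory tables above are easy to misread when several branches were patched at once, for example "6.8.14, 6.9.3, 6.10.4": 6.9.2 is unfixed, 6.9.3 is fixed, and 6.10.0 is unfixed again because its branch was patched only from 6.10.4. The following is an added example, not JFrog code, of a checker that applies those semantics to an installed version; the two rows in PAGE_ROWS are copied from the tables above, and the branch rules in `is_fixed` are this example's own reading of how multi-branch fix versions are listed.

```python
"""Added example (not JFrog code): decide whether an installed version is covered
by a "Fix Version" cell from the tables on this page."""
from typing import List, Sequence, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'6.8.14' -> (6, 8, 14). A trailing qualifier such as '-rc1' is dropped."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(digits))
    return tuple(parts)


def parse_fix_cell(cell: str) -> List[Version]:
    """'6.8.14, 6.9.3, 6.10.4' -> sorted list of versions, one per patched branch."""
    return sorted(parse_version(v) for v in cell.split(",") if v.strip())


def is_fixed(installed: str, fix_cell: str) -> bool:
    """True if `installed` carries the fix described by `fix_cell`.

    Rules (this example's reading of multi-branch fix versions):
      * an empty cell means no fix version is published: report unfixed;
      * if the installed version is on a branch (major.minor) that has a
        listed fix, it is fixed only from that patch level upwards;
      * any other branch is fixed only if it is newer than the newest
        listed fix, so an older branch without a listed fix stays unfixed.
    """
    fixes = parse_fix_cell(fix_cell)
    if not fixes:
        return False
    v = parse_version(installed)
    same_branch = [f for f in fixes if f[:2] == v[:2]]
    if same_branch:
        return v >= same_branch[0]
    return v > fixes[-1]


# Rows copied from the Artifactory tables above: (short description, fix cell).
PAGE_ROWS: Sequence[Tuple[str, str]] = (
    ("application data exposed to non-administrators", "6.8.14, 6.9.3, 6.10.4"),
    ("maven-shared-utils upgrade", "7.21.3"),
)


def unfixed_rows(installed: str, rows: Sequence[Tuple[str, str]] = PAGE_ROWS) -> List[str]:
    """Return the descriptions of the rows whose fix `installed` does not carry."""
    return [desc for desc, fix_cell in rows if not is_fixed(installed, fix_cell)]


if __name__ == "__main__":
    for candidate in ("6.9.2", "6.9.3", "6.10.0", "6.11.0", "7.21.3"):
        print(candidate, "still affected by:", unfixed_rows(candidate) or "nothing")
```

Run it with the version reported by your instance (for example from the `/artifactory/api/system/version` endpoint) and paste the relevant fix cells as rows; the checker deliberately reports an unlisted older branch as unfixed rather than guessing that a backport exists.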
Insight
CVEs Impacting Insight
The following is a list of CVEs that were discovered to impact Insight and were fixed.
CVE | Severity | Insight Fix Version | Fix Description |
---|---|---|---|
CVE-2022-22968 | High | 1.10.2 | spring-boot core has been upgraded from version 2.6.6 to version 2.6.7. |
CVE-2020-36518 | High | 1.10.1 | jackson-databind has been upgraded to version 2.13.2.1. |
CVE-2022-22965 | Critical | 1.8.1 | spring-boot core has been upgraded from version 2.6.2 to version 2.6.6. |
CVE-2022-23181 | High | 1.7.0 | tomcat-embed-core , has been upgraded to version 9.0.58. |
CVE-2022-21724 | Critical | 1.6.2 | pgjdbc, the official PostgreSQL JDBC Driver, has been upgraded to version 42.2.25. |
CVE-2021-22569 | High | 1.6.2 | The protobuf-java component has been upgraded to version 3.19.2. |
CVE-2021-22060 | Medium | 1.6.0 | Upgraded spring-web to version 5.3.14. |
CVE-2021-42550 | Medium | 1.5.0 | Upgraded logback to version 1.2.9. |
CVE-2021-31684 | High | 1.5.0 | Upgraded json-smart to version 1.3.3. |
CVE-2021-21290 | Medium | 1.4.0 | Upgraded netty-codec-http from 4.1.53.Final to 4.1.59.Final. |
CVE-2021-22096 | Medium | 1.4.0 | Upgraded spring-web to version 5.3.12. |
CVEs Not Impacting Insight
CVE | Severity | Reason |
---|---|---|
CVE-2020-25649 | High | Does not affect Insight, since the Search Guard TLS Tool that uses the library is only run locally by system administrators to generate TLS certificates during installation. It therefore processes only trusted data and is not affected by this vulnerability. |
Distribution
CVEs Impacting Distribution
The following is a list of CVEs that were discovered to impact Distribution and were fixed.
CVE | Severity | Distribution Fix Version | Fix Description |
---|---|---|---|
CVE-2022-24785 | High | 2.12.3 | Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js. |
CVE-2022-21724 | Medium | 2.12.0 | pgjdbc, the official PostgreSQL JDBC Driver, has been upgraded to version 42.2.25. |
CVE-2021-42550 | Medium | 2.11.0 | Upgraded logback to version 1.2.9. |
CVEs Not Impacting Distribution
The following is a list of CVEs that do not impact Distribution.
CVE | Severity | Reason |
---|---|---|
CVE-2021-21309 | Critical | Does not affect Distribution, since Distribution uses 64-bit Redis and the issue affects only 32-bit systems or a 32-bit Redis executable running on a 64-bit system. |
Mission Control
CVEs Impacting Mission Control
The following is a list of CVEs that were discovered to impact Mission Control and were fixed.
CVE | Severity | Mission Control Fix Version | Fix Description |
---|---|---|---|
CVE-2021-37136 | High | 4.7.15 | Upgraded netty-codec to 4.1.68.Final. |
CVE-2021-22149 | High | 4.7.14 | Upgraded Elasticsearch to 7.14.0. |
CVE-2021-22148 | High | 4.7.14 | Upgraded Elasticsearch to 7.14.0. |
CVE-2021-22147 | Medium | 4.7.14 | Upgraded Elasticsearch to 7.14.0. |
CVE-2021-31684 | High | 4.7.13 | Upgraded json-smart to version 2.4.7. |
CVE-2021-22112 | High | 4.7.13 | Upgraded spring-security-web to version 5.4.4. |
CVE-2020-13956 | Medium | 4.7.13 | Upgraded Apache HttpClient to version 4.5.13. |
CVE-2021-35517 | High | 4.7.11 | Upgraded commons-compress to version 1.21. |
CVE-2021-27568 | Critical | 4.7.11 | Upgraded json-smart to version 2.4.7. |
CVE-2020-28052 | High | 4.7.11 | Upgraded Bouncy Castle (bc-java) to version 1.67. |
Vulnerabilities Without a CVE Impacting Mission Control
The following is a list of vulnerabilities that do not have a CVE that impacted Mission Control and have been fixed.
Fix Description | Severity | Mission Control Fix Version |
---|---|---|
Updated netty-codec to version 4.1.66.Final. | Critical | 4.7.11 |
Pipelines
CVEs Not Impacting Pipelines
The following is a list of CVEs that do not impact Pipelines.
CVE | Severity | Pipelines Fix Version | Reason |
---|---|---|---|
CVE-2021-23343 | High | 1.20.2 | Does not affect Pipelines, since path-parse is not used by Pipelines. |
CVE-2021-3918 | Critical | 1.20.2 | Does not affect Pipelines. Though the vulnerable library |
CVE-2021-23358 | High | 1.20.2 | Does not affect Pipelines, since underscore@1.4.4 is a submodule of ssh-keygen and Pipelines is not calling the vulnerable template function. |
Vulnerabilities Without a CVE Not Impacting Pipelines
The following is a list of vulnerabilities that do not have a CVE and that do not impact Pipelines.
Description | Severity | Pipelines Fix Version | Reason |
---|---|---|---|
Preventing remove-markdown ReDoS | Medium | 1.23.2 | The ReDoS-vulnerable code now runs under a timeout. |
Prototype pollution flaw in clean-css 4.2.4 | High | 1.20.2 | Does not affect Pipelines, since clean-css@4.2.4 is a submodule of mjml and Pipelines is not calling the vulnerable template function. |
Prototype pollution flaw in node-forge 0.10.0 | Critical | | Does not affect Pipelines, since neither Pipelines nor win-ca calls the vulnerable debug function. |
Frontend
Vulnerabilities Without a CVE Not Impacting Frontend
The following is a list of vulnerabilities that do not have a CVE and that do not impact Frontend.
Description | Severity | Reason |
---|---|---|
Prototype pollution flaw in node-forge 0.10.0 | Critical | Does not affect Frontend, since neither Frontend nor selfsigned calls the vulnerable debug function. |
Xray
CVEs Impacting Xray
The following is a list of CVEs that were discovered to impact Xray and were fixed.
CVE | Severity | Xray Fix Version | Fix Description |
---|---|---|---|
CVE-2022-27191 | High | 3.49.0 | Upgraded golang.org/x/crypto to v0.0.0-20220314234659-1baeb1ce4c0 |
|  | High | 3.48.2 | Upgraded Golang version to 1.17.9. |
CVE-2022-24921 | High | 3.48.2 | Upgraded Golang version to 1.17.9. |
|  | Critical | 3.42.3 | Upgraded Containerd version to 1.5.9. |
CVE-2021-44717 | Medium | 3.41.4 | Upgraded Golang version to 1.17.5. |
CVE-2021-44716 | High | 3.41.4 | Upgraded Golang version to 1.17.5. |
CVE-2021-41771 | High | 3.38.1 | Upgraded Golang version to 1.17.3. |
CVE-2021-33196 | High | 3.34.1 | Upgraded Golang version to 1.15.13, 1.16.5. |