Search


Cloud customer?
Upgrade in MyJFrog >

Working with an older version?

JFrog Artifactory 6.x
JFrog Xray 2.x
JFrog Mission Control 3.x
JFrog Distribution 1.x
JFrog Enterprise+ (Pre-Platform Release)




Skip to end of metadata
Go to start of metadata

CVEs Impacting Artifactory

The following is a list of CVEs that were discovered to impact Artifactory and were fixed.

CVESeverity
Artifactory Fix Version
Fix Description
CVE-2018-1000206High6.1Artifactory now validates the actual value of the X-Request-With header instead of checking the existence of it
CVE-2017-7525Critical6.1FasterXML jackson-databind was upgraded to version 2.93 and 2.8.10 and includes a fix to prevent unauthenticated remote code execution.
CVE-2016-8745High5.2.0Apache Tomcat was upgraded to version 8.0.41 that includes a fix for NIO HTTP connector vulnerability
CVE-2016-8735Critical5.0.0Apache Tomcat was upgraded to version 8.0.39
CVE-2016-3092High5.0.0Apache Tomcat was upgraded to version 8.0.39
CVE-2016-6501Critical4.11.0Added the "Secure LDAP Search" in the Artifactory LDAP settings to protect against LDAP poisoning by filtering out users exposed to vulnerability
CVE-2014-3623High4.10.0Upgraded the wss4j library to version 1.6.17 and Apache CXF to version 2.7.13
CVE-2015-0227Medium4.10.0Upgraded the wss4j library to version 1.6.17 and Apache CXF to version 2.7.13
CVE-2014-0114High4.10.0

Upgraded commons-beanutils to version 1.9.2

CVE-2015-7940Medium4.8.1

Upgraded the relevant libraries that included the Bouncy Castle Java library as a dependency

CVE-2013-4517Medium4.8.0Upgraded the relevant libraries that included the Apache XML Security For Java library as a dependency
CVE-2015-4852High4.5.2Upgraded the commons-collection library to version 3.2.2
CVE-2015-3253Critical4.2.1Upgraded the Groovy-all library to version 2.4.4
CVE-2014-0107High4.2.1Upgraded the Xalan library to version 2.7.2
CVE-2014-3577Medium3.3.1Upgraded the HttpClient library to version 4.3.5
Page Contents

Vulnerabilities Without a CVE Impacting Artifactory

The following is a list of vulnerabilities that do not have a CVE that impacted Artifactory and have been fixed. 

DescriptionSeverityArtifactory Fix Version
Under certain circumstances, authenticated users were able to:
  • Retrieve environment information from Artifactory that normally required administrative rights.
  • Deploy binaries to Artifactory from different upstreams without having adequate permissions to perform these actions.
Critical

6.13.3, 6.14.4, 6.15.2, 6.16.2, 6.17.1, 6.18.1, 7.3.2

Under certain circumstances, users could gain access to application data that should otherwise be exposed only to administrators.Critical6.8.14, 6.9.3, 6.10.4
Under certain circumstances, an unauthorized user may be able to send malformed REST API calls to Artifactory that execute under the identity of another user.Critical

  • 5.6.8, 5.7.3, 5.8.12, 5.9.8, 5.10.5, 5.11.5

  • 6.0.4, 6.1.4, 6.2.1, 6.3.4, 6.4.2, 6.5.9

A SAML-related authentication vulnerability potentially exposed Artifactory to XSW attacks which could sniff and manipulate SAML communications causing the incorrect verification of a SAML login response. This could potentially allow the attacker to gain access to any user in Artifactory.High6.5.13


CVEs Not Impacting Artifactory

The following is a list of CVEs that do not impact Artifactory.

CVESeverityReason
CVE-2020-9484HighDoes not affect Artifactory, since the vulnerability is exploitable in case Tomcat is configured with PersistenceManager, which Artifactory does not use. 
CVE-2019-11888HighThis CVE supposedly affects Artifactory 6.x versions. The golang/go library is part of the Metadata Service which is not enabled in Artifactory 6.x version. 
CVE-2019-14809HighThis CVE supposedly affects Artifactory 6.x versions. The golang/go library is part of the Metadata Service which is not enabled in Artifactory 6.x version. 
CVE-2019-0232HighThe enableCmdLineArguments parameter is not enabled in the Apache Tomcat bundled with Artifactory.
CVE-2018-8014HighThe JFrog Apache Tomcat version is 8.5.32, which is not one of the vulnerable versions.
CVE-2018-1275HighThe JFrog Spring Framework version is 4.1.8, which is vulnerable to the CVE, as the version is unsupported. However, because JFrog does not implement STOMP broker, we are not exposed to this vulnerability

CVE-2018-8589

MediumJFrog is not responsible for vulnerabilities in the Windows operating system. Anyone using an on-premises environment should keep the Windows operating system up to date.
CVE-2018-11776HighDoes not affect Artifactory, since JFrog does not use Apache Struts.
CVE-2018-5925HighDoes not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog.
CVE-2018-5924HighDoes not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog.
CVE-2018-5382HighDoes not affect Artifactory, since JFrog does not use BKS-V1 keystore.
CVE-2018-1260HighDoes not affect Artifactory, since JFrog does not use Spring Security Oauth.
CVE-2018-1259HighDoes not affect Artifactory, since JFrog does not use Spring Data Commons.
CVE-2017-5664High
Does not affect Artifactory, since the default value for the readOnly property in the DefaultServlet is "true" (readOnly=true) in our environment. As mentioned in the CVE, you are only vulnerable: "...if the DefaultServlet is configured to permit writes..."
CVE-2017-5648Critical
Does not affect Artifactory, since the the tomcat/webapps folder only contains the Artifactory WAR and the Access WAR files used by the bundled Tomcat distribution.
CVE-2017-5647HighDoes not affect Artifactory, since the issue refers/relates only to the "Send File" service which is not used by Artifactory.
CVE-2017-5638CriticalArtifactory is not affected by the Apache Struts 2 vulnerability.
CVE-2014-0097HighFor LDAP authentication, Artifactory strictly uses the ArtifactoryLdapAuthenticationProvider class that uses the ArtifactoryLdapAuthenticator, wrapping the ArtifactoryBindAuthenticator. The latter class is the one used to perform the actual authentication and it does check for empty passwords.

Artifactory does not use any other provider with LDAP, such as ActiveDirectoryLdapAuthenticationProvider. This JIRA issue refers to an older class name, ActiveDirectoryLdapAuthenticator, that is not part of Spring Security and Artifactory.
CVE-2008-4108HighDoes not affect Artifactory, since Artifactory Jfrog does not require Python to be installed; the CVE is not relevant for Jfrog.
CVE-2005-2541HighDoes not affect Artifactory, since Artifactory uses Tar 1.30.1.
  • No labels
Copyright © 2020 JFrog Ltd.