Vulnerabilities Without a CVE Impacting Artifactory
The following is a list of vulnerabilities without a CVE that impacted Artifactory and have been fixed.
| Description | Severity | Artifactory Fix Version |
|---|---|---|
| Updated jackson-dataformats-binary to version 2.12.3. | High | 7.21.3 |
| Excluded the Plexus-cipher library. | Medium | 7.21.3 |
| Upgraded com.nimbusds:oauth2-oidc-sdk:6.14 to 9.9.3. | High | 7.21.3 |
| Upgraded to wiremock-jre8 version 2.28.0. | High | 7.21.3 |
| Upgraded maven-shared-utils:3.2.1 to version 334. | Critical | 7.21.3 |
| Under certain circumstances, authenticated users were able to: | Critical | |
| Under certain circumstances, users could gain access to application data that should otherwise be exposed only to administrators. | Critical | 6.8.14, 6.9.3, 6.10.4 |
| Under certain circumstances, an unauthorized user may be able to send malformed REST API calls to Artifactory that execute under the identity of another user. | Critical | |
| A SAML-related authentication vulnerability potentially exposed Artifactory to XSW attacks, which could sniff and manipulate SAML communications, causing incorrect verification of a SAML login response. This could potentially allow the attacker to gain access to any user in Artifactory. | High | 6.5.13 |
CVEs Not Impacting Artifactory
The following is a list of CVEs that do not impact Artifactory.
| CVE | Severity | Artifactory Fix Version | Reason |
|---|---|---|---|
| CVE-2022-45047 | Critical | 7.52.0 | Does not affect Artifactory, since it only affects Apache MINA SSHD. |
| | High | 7.52.0 | Does not affect Artifactory, since it only affects SnakeYAML. |
| CVE-2022-1552 | High | 7.52.0 | Does not affect Artifactory, since it only affects Postgres. |
| CVE-2022-27664 | High | 7.52.0 | Does not affect Artifactory, since it only affects Golang. |
| CVE-2022-41720 | High | 7.52.0 | Does not affect Artifactory, since it only affects Golang. |
| CVE-2022-28948 | High | 7.52.0 | Does not affect Artifactory, since it only affects Go-yaml. |
| CVE-2021-33194 | High | 7.52.0 | Does not affect Artifactory, since it only affects golang.org/x/net. |
| | High | 7.52.0 | Does not affect Artifactory, since it only affects traefik. |
| CVE-2022-31159 | High | 7.52.0 | Does not affect Artifactory, since it only affects aws-java-sdk. |
| CVE-2022-40716 | Medium | 7.52.0 | Does not affect Artifactory, since it only affects hashicorp. |
| CVE-2022-41915 | Medium | 7.52.0 | Does not affect Artifactory, since it only affects Netty. |
| CVE-2022-38749 | Medium | 7.52.0 | Does not affect Artifactory, since it only affects SnakeYAML and common. |
| | Critical | 7.50.3 | Does not affect Artifactory, since it only affects |
| | High | 7.50.3 | Does not affect Artifactory, since it only affects |
| CVE-2022-31197 | High | 7.50.3 | Does not affect Artifactory, since it only affects |
| | High | 7.50.3 | Does not affect Artifactory, since it only affects |
| | High | 7.49.3 | Does not affect Artifactory, since it only affects |
| | High | 7.49.3 | Does not affect Artifactory, since it only affects |
| | High | 7.49.3 | Does not affect Artifactory, since it only affects |
| | High | 7.49.3 | Does not affect Artifactory, since it only affects |
| | High | 7.49.3 | Does not affect Artifactory, since it only affects |
| | High | 7.49.3 | Does not affect Artifactory, since it only affects |
| | High | 7.49.3 | Does not affect Artifactory, since it only affects |
| | High | 7.49.3 | Does not affect Artifactory, since it only affects |
| | Medium | 7.49.3 | Does not affect Artifactory, since it only affects |
| | Medium | 7.49.3 | Does not affect Artifactory, since it only affects |
| | Medium | 7.49.3 | Does not affect Artifactory, since it only affects |
| | Medium | 7.49.3 | Does not affect Artifactory, since it only affects |
| | Medium | 7.49.3 | Does not affect Artifactory, since it only affects logrotate. |
| | Critical | 7.47.7 | Does not affect Artifactory, since it only affects |
| | Critical | 7.47.7 | Does not affect Artifactory, since it only affects |
| | Critical | 7.47.7 | Does not affect Artifactory, since it only affects |
| | High | 7.47.7 | Does not affect Artifactory, since it only affects |
| | High | 7.47.7 | Does not affect Artifactory, since it only affects |
| | High | 7.47.7 | Does not affect Artifactory, since it only affects |
| CVE-2022-22970 | High | 7.46.3 | Does not affect Artifactory, since it only affects org.springframework:spring-beans. |
| | Medium | 7.47.7 | Does not affect Artifactory, since it only affects |
| | Medium | 7.47.7 | Does not affect Artifactory, since it only affects |
| | Medium | 7.47.7 | Does not affect Artifactory, since it only affects |
| | Medium | 7.47.7 | Does not affect Artifactory, since it only affects |
| | Medium | 7.47.7 | Does not affect Artifactory, since it only affects grpc-tools and |
| | Medium | 7.47.7 | |
| | Medium | 7.47.7 | Does not affect Artifactory, since it only affects grpc-tools and grpc_tools_node_protoc_ts.golang.org/x/cryp. |
| | Medium | 7.46.3 | Does not affect Artifactory, since it only affects |
| CVE-2022-31030 | Medium | 7.46.3 | Does not affect Artifactory, since it only affects containerd. |
| | Medium | 7.46.3 | Does not affect Artifactory, since it only affects org.springframework:spring-context. |
| CVE-2022-31197 | Medium | 7.46.3 | Does not affect Artifactory, since it only affects org.postgresql:postgresql. |
| | Critical | 7.46.3 | Does not affect Artifactory, since it only affects |
| | High | 7.46.3 | Does not affect Artifactory, since it only affects |
| CVE-2022-22963 | Critical | 7.46.3 | Does not affect Artifactory, since it only affects |
| | High | 7.46.3 | Does not affect Artifactory, since it only affects |
| | High | 7.46.3 | Does not affect Artifactory, since it only affects |
| | High | 7.46.3 | Does not affect Artifactory, since it only affects |
| | High | 7.46.3 | Does not affect Artifactory, since it only affects |
| | Medium | 7.46.3 | Does not affect Artifactory, since it only affects |
| | Medium | 7.46.3 | Does not affect Artifactory, since it only affects |
| | Medium | 7.46.3 | Does not affect Artifactory, since it only affects |
| | Medium | 7.46.3 | Does not affect Artifactory, since it only affects |
| | Medium | 7.46.3 | Does not affect Artifactory, since it only affects |
| | Medium | 7.46.3 | Does not affect Artifactory, since it only affects io.netty:netty-common. |
| | Medium | 7.46.3 | Does not affect Artifactory, since it only affects |
| | Medium | 7.46.3 | Does not affect Artifactory, since it only affects |
| | Critical | 7.46.3 | Does not affect Artifactory, since it only affects |
| CVE-2022-22971 | Critical | 7.42.1 | Does not affect Artifactory, since it only affects spring-core. |
| | High | 7.42.1 | Does not affect Artifactory, since it only affects |
| | High | 7.41.4 | Does not affect Artifactory, since it only affects jackson-databind. |
| CVE-2022-24823 | Medium | 7.41.4 | Does not affect Artifactory, since it only affects |
| | High | 7.41.4 | Does not affect Artifactory, since it only affects |
| | Critical | 7.41.4 | Does not affect Artifactory, since it only affects spring-core. |
| | High | 7.41.4 | Does not affect Artifactory, since it only affects |
| | Critical | 7.39.4 | Does not affect Artifactory, since it only affects |
| | High | 7.39.4 | Does not affect Artifactory, since it only affects consul. |
| | Medium | 7.39.4 | Does not affect Artifactory, since it only affects containerd. |
| CVE-2022-27191 | High | 7.39.4 | Does not affect Artifactory, since it only affects golang.org/x/crypto/ssh. |
| | High | 7.39.4 | Does not affect Artifactory, since it only affects containerd. |
| | Medium | 7.39.4 | Does not affect Artifactory, since it only affects the Node.js client's axios. |
| | Medium | 7.37.13 | Does not affect Artifactory, since it only affects |
| CVE-2021-3807 | High | 7.37.13 | Does not affect Artifactory, since it only affects |
| CVE-2022-23806 | Critical | 7.37.13 | Does not affect Artifactory, since it only affects |
| CVE-2021-41090 | Medium | 7.35.1 | Does not affect Artifactory, since it only affects docker and image-spec. |
| | Medium | 7.34.4 | Does not affect Artifactory, since it only affects org.springframework:spring-core:5.3.12. |
| | Medium | 7.31.10 | Does not affect Artifactory, since it only affects |
| CVE-2017-9506 | Medium | 7.31.10 | Does not affect Artifactory, since it only affects the IconUriServlet of the Atlassian OAuth Plugin. |
| | Medium | 7.31.10 | Does not affect Artifactory, since it only affects mysql:mysql-connector-java:8.0.20. |
| CVE-2021-42340 | High | 7.31.10 | Does not affect Artifactory, since it only affects Apache Tomcat versions 9.0.48 and 8.5.73. |
| CVE-2020-13949 | High | 7.31.10 | Does not affect Artifactory, since it only affects jaeger 1.6.0, which uses Thrift 0.14.1. |
| CVE-2021-35560 | High | 7.31.10 | Does not affect Artifactory, since it only affects Java. |
| CVE-2021-36374 | Medium | 7.31.10 | Does not affect Artifactory, since it only affects the |
| | Medium | 7.27.3 | Does not affect Artifactory, since it only affects Apache Tomcat. |
| | High | 7.27.3 | Does not affect Artifactory, since it only affects org.elasticsearch:elasticsearch. |
| | High | 7.27.3 | Does not affect Artifactory, since it only affects org.elasticsearch:elasticsearch. |
| | High | 7.27.3 | Does not affect Artifactory, since it only affects org.elasticsearch:elasticsearch. |
| | High | 7.25.4 | Does not affect Artifactory, since it only affects org.apache.sshd:sshd-core:2.6.0. |
| CVE-2017-18640 | High | 7.25.4 | Does not affect Artifactory, since it only affects the Snakeyaml 1.23 XML Entity Expansion. |
| | Critical | 7.25.4 | Does not affect Artifactory, since it only affects json-smart-1.3.1. |
| CVE-2021-27568 | Critical | 7.25.4 | Does not affect Artifactory, since it only affects json-smart-1.3.1. |
| | Normal | 7.24.1 | Does not affect Artifactory, since it only affects Maven version 3.8.1. |
| | High | 7.24.1 | Does not affect Artifactory, since it only affects the Apache Velocity engine. |
| CVE-2018-9116 | Critical | 7.23.3 | Does not affect Artifactory, since it only affects wiremock. |
| | Critical | 7.21.3 | Does not affect Artifactory, since it only affects |
| | High | 7.21.3 | Does not affect Artifactory, since it only affects Apache Maven. |
| | Medium | 7.21.3 | Does not affect Artifactory, since it only affects netty-codec-http:4.1.53.final. |
| | Medium | 7.21.3 | Does not affect Artifactory, since it only affects org.codehaus.groovy:groovy-all. |
| | High | 7.17.4 | Does not affect Artifactory, since it only affects Spring Security Web. |
| CVE-2019-17571 | Medium | 7.15.3 | Does not affect Artifactory, since it only affects log4j-to-slf4j and log4j-api. |
| | High | 7.11.1 | Does not affect Artifactory, since it only affects h |
| | Medium | 7.11.1 | Does not affect Artifactory, since it only affects O |
| | High | 7.11.1 | Does not affect Artifactory, since it only affects |
| | High | 7.11.1 | Does not affect Artifactory, since it only affects |
| | High | 7.10.5 | Does not affect Artifactory, since it only affects bcprov-jdk15. |
| | High | 7.10.5 | Does not affect Artifactory, since it only affects cryptacular-1.1.1.jar. |
| CVE-2020-7692 | Critical | 7.10.2 | Does not affect Artifactory, since it only affects the google-oauth-client library. |
| | Medium | 7.10.1 | Does not affect Artifactory, since it only affects the Commons-compress library. |
| | Medium | 7.10.1 | Does not affect Artifactory, since it only affects the Commons-compress library. |
| | High | 7.10.1 | Does not affect Artifactory, since it only affects Go 1.14.9. |
| | High | 7.10.1 | Does not affect Artifactory, since it only affects the Crowd lib. |
| | High | 7.10.1 | Does not affect Artifactory, since it only affects |
| | High | 7.10.1 | Does not affect Artifactory, since it only affects |
| | Critical | 7.10.1 | Does not affect Artifactory, since it only affects |
| | High | 7.9.0 | Does not affect Artifactory, since it only affects lodash. |
| CVE-2020-1745 | Critical | 7.9.0 | Does not affect Artifactory, since it only affects io.undertow:undertow-core 2.0.15.Final. |
| CVE-2017-15095 | Critical | 7.8.1 | Does not affect Artifactory, since it only affects fge:jackson-coreutils:jar. |
| CVE-2017-17485 | Critical | 7.8.1 | Does not affect Artifactory, since it only affects fge:jackson-coreutils:jar. |
| CVE-2017-7525 | Critical | 7.8.1 | Does not affect Artifactory, since it only affects fge:jackson-coreutils:jar. |
| CVE-2020-13935 | High | 7.7.0 | Does not affect Artifactory, since it only affects Apache Tomcat. |
| | High | 7.7.0 | Does not affect Artifactory, since it only affects Apache Tomcat. |
| CVE-2020-11996 | High | 7.7.0 | Does not affect Artifactory, since it only affects Apache Tomcat. |
| | Critical | 6.23.25 | Does not affect Artifactory, since it only affects the npm lodash library. |
| CVE-2022-30591 | High | N/A | JFrog Artifactory is not affected, since it does not use quic-go through 0.27.0. |
| CVE-2022-42889 | Critical | N/A | JFrog Platform is not affected, since it does not use the impacted packages. |
| CVE-2016-1000027 | Critical | N/A | Does not affect Artifactory, since it does not use the impacted HttpInvokerServiceExporter component for providing remote access. |
| CVE-2022-34305 | Medium | N/A | Does not affect Artifactory, since it does not use the impacted component that is included in the Apache Tomcat version. |
| CVE-2022-29885 | High | N/A | Does not affect Artifactory, since it does not use the impacted component that is included in the Apache Tomcat version. |
| CVE-2018-10892 | High | N/A | Does not affect Artifactory, since only Traefik uses it, and it therefore applies only if the Docker Provider is turned on, which is not the case in Artifactory. |
| CVE-2020-0187 | Medium | N/A | Does not affect Artifactory, since it only affects the Android Platform. |
| N/A | Medium | N/A | Does not affect Artifactory, as it applies only when using Apache Sling, which is not the case in Artifactory. |
| N/A | Medium | N/A | Does not affect Artifactory, since it only affects SSLServerSocketAppender and SSLSocketAppender. |
| CVE-2017-7536 | High | N/A | Does not affect Artifactory, since Artifactory is not using org.hibernate_hibernate-validator. |
| CVE-2020-9484 | High | N/A | Does not affect Artifactory, since the vulnerability is exploitable only when Tomcat is configured with a PersistenceManager, which Artifactory does not use. |
| CVE-2019-11888 | High | N/A | This CVE supposedly affects Artifactory 6.x versions. The golang/go library is part of the Metadata Service, which is not enabled in Artifactory 6.x versions. |
| CVE-2019-14809 | High | N/A | This CVE supposedly affects Artifactory 6.x versions. The golang/go library is part of the Metadata Service, which is not enabled in Artifactory 6.x versions. |
| CVE-2019-0232 | High | N/A | The enableCmdLineArguments parameter is not enabled in the Apache Tomcat bundled with Artifactory. |
| CVE-2018-8014 | High | N/A | The JFrog Apache Tomcat version is 8.5.32, which is not one of the vulnerable versions. |
| CVE-2018-1275 | High | N/A | The JFrog Spring Framework version is 4.1.8, which is vulnerable to the CVE, as the version is unsupported. However, because JFrog does not implement a STOMP broker, we are not exposed to this vulnerability. |
| | Medium | N/A | JFrog is not responsible for vulnerabilities in the Windows operating system. Anyone using an on-premises environment should keep the Windows operating system up to date. |
| CVE-2018-11776 | High | N/A | Does not affect Artifactory, since JFrog does not use Apache Struts. |
| CVE-2018-5925 | High | N/A | Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog. |
| CVE-2018-5924 | High | N/A | Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog. |
| CVE-2018-5382 | High | N/A | Does not affect Artifactory, since JFrog does not use the BKS-V1 keystore. |
| CVE-2018-1260 | High | N/A | Does not affect Artifactory, since JFrog does not use Spring Security OAuth. |
| CVE-2018-1259 | High | N/A | Does not affect Artifactory, since JFrog does not use Spring Data Commons. |
| CVE-2017-5664 | High | N/A | Does not affect Artifactory, since the default value for the readOnly property in the DefaultServlet is "true" (readOnly=true) in our environment. As mentioned in the CVE, you are only vulnerable "...if the DefaultServlet is configured to permit writes...". |
| CVE-2017-5648 | Critical | N/A | Does not affect Artifactory, since the tomcat/webapps folder only contains the Artifactory WAR and the Access WAR files used by the bundled Tomcat distribution. |
| CVE-2017-5647 | High | N/A | Does not affect Artifactory, since the issue relates only to the "Send File" service, which is not used by Artifactory. |
| CVE-2017-5638 | Critical | N/A | Artifactory is not affected by the Apache Struts 2 vulnerability. |
| CVE-2014-0097 | High | N/A | For LDAP authentication, Artifactory strictly uses the ArtifactoryLdapAuthenticationProvider class, which uses the ArtifactoryLdapAuthenticator, wrapping the ArtifactoryBindAuthenticator. The latter class is the one used to perform the actual authentication, and it does check for empty passwords. Artifactory does not use any other provider with LDAP, such as ActiveDirectoryLdapAuthenticationProvider. This JIRA issue refers to an older class name, ActiveDirectoryLdapAuthenticator, that is not part of Spring Security or Artifactory. |
| CVE-2008-4108 | High | N/A | Does not affect Artifactory, since Artifactory does not require Python to be installed; the CVE is not relevant for JFrog. |
| CVE-2005-2541 | High | N/A | Does not affect Artifactory, since Artifactory uses Tar 1.30.1. |
Insight
CVEs Impacting Insight
The following is a list of CVEs that were discovered to impact Insight and were fixed.
| CVE | Severity | Insight Fix Version | Fix Description |
|---|---|---|---|
| CVE-2022-31692 | Critical | 1.13.0 | Upgraded |
| CVE-2022-23181 | High | 1.7.0 | tomcat-embed-core has been upgraded to version 9.0.58. |
| CVE-2021-22060 | Medium | 1.6.0 | Upgraded spring-web to version 5.3.14. |
| CVE-2021-42550 | Medium | 1.5.0 | Upgraded logback to version 1.2.9. |
| CVE-2021-22096 | Medium | 1.4.0 | Upgraded spring-web to version 5.3.12. |
CVEs Not Impacting Insight
| CVE | Severity | Insight Fix Version | Reason |
|---|---|---|---|
| CVE-2022-42003 | High | N/A | Upgraded |
| CVE-2022-3171 | High | N/A | Does not affect Insight, since it only affects protobuf-java. |
| CVE-2022-42252 | High | N/A | Upgraded Tomcat to version 9.0.69. |
| CVE-2019-13990 | High | N/A | Upgraded quartz-scheduler to version 2.3.2. |
| CVE-2022-25857 | High | 1.12.1 | SnakeYAML has been upgraded from version 1.30 to version 1.31. |
| CVE-2022-31197 | High | 1.12.0 | PostgreSQL JDBC Driver (pgjdbc) has been upgraded from version 42.3.3 to version 42.4.1. |
| CVE-2022-23708 | Medium | 1.11.3 | Elasticsearch has been upgraded from version 7.16.3 to version 7.17.1. |
| CVE-2021-31684 | High | 1.5.0 | Upgraded json-smart to version 1.3.3. |
| CVE-2021-21290 | Medium | 1.4.0 | Upgraded netty-codec-http:4.1.53.final to 4.1.59.Final. |
| CVE-2022-22970 | Medium | 1.11.3 | spring-bootcore has been upgraded from version 2.6.7 to version 2.7.0. |
| CVE-2022-22968 | High | 1.10.2 | spring-bootcore has been upgraded from version 2.6.6 to version 2.6.7. |
| CVE-2020-36518 | High | 1.10.1 | jackson-databind has been upgraded to version 2.13.2.1. |
| CVE-2022-22965 | Critical | 1.8.1 | spring-bootcore has been upgraded from version 2.6.2 to version 2.6.6. |
| CVE-2022-21724 | Critical | 1.6.2 | pgjdbc, the official PostgreSQL JDBC Driver, has been upgraded to version 42.2.25. |
| CVE-2021-22569 | High | 1.6.2 | The protobuf-java component has been upgraded to version 3.19.2. |
| CVE-2020-25649 | High | N/A | The Searchguard TLS Tool that uses the library is only used locally by system administrators for generating TLS certificates during an installation. It therefore only runs on trusted data and is not affected by this vulnerability. |
Distribution
CVEs Not Impacting Distribution
The following is a list of CVEs that do not impact Distribution.
| CVE | Severity | Distribution Fix Version | Reason |
|---|---|---|---|
| CVE-2022-45143 | High | N/A | Distribution does not use the vulnerable API. |
| | Medium | N/A | Updating the drivers to 42.5.1 fixed the vulnerability. |
| CVE-2022-42889 | Critical | N/A | Upgraded to a fixed version, although Distribution does not use the vulnerable API. |
| CVE-2022-31692 | Critical | N/A | Upgraded to a fixed version. |
| CVE-2022-3171 | High | N/A | Upgraded to a fixed version. |
| CVE-2022-42004 | High | N/A | Upgraded to a fixed version. |
| CVE-2022-38750 | Medium | N/A | Upgraded to a fixed version. |
| CVE-2022-38749 | Medium | N/A | Upgraded to a fixed version. |
| CVE-2022-1471 | Critical | N/A | Does not affect Distribution, since Distribution does not use the potentially harmful constructor. |
| CVE-2022-42252 | High | N/A | Does not affect Distribution, since the product uses Tomcat version 9.0.58 and does not redefine rejectIllegalHeader, so its effective value is "true" (the default). |
| CVE-2016-1000027 | Critical | N/A | Does not affect Distribution, since Distribution is not using the vulnerable API. |
| CVE-2022-22978 | High | N/A | Upgraded spring-security-web to version 5.7.0. |
| CVE-2022-22968 | Medium | N/A | Upgraded spring-context to version 5.3.21. |
| CVE-2022-22970 | Medium | N/A | Upgraded spring-beans to version 5.3.21. |
| CVE-2021-21309 | Critical | N/A | Does not affect Distribution, since Distribution uses 64-bit Redis and the issue only affects a 32-bit system or a 32-bit Redis executable running on a 64-bit system. |
| CVE-2022-24785 | High | 2.12.3 | Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch the moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js. |
| CVE-2022-21724 | Medium | 2.12.0 | pgjdbc, the official PostgreSQL JDBC Driver, has been upgraded to version 42.2.25. |
| CVE-2021-42550 | Medium | 2.11.0 | Upgraded the logback.xml to version 1.2.9. |
| CVE-2022-24823 | Medium | N/A | Does not affect Distribution, since the vulnerability only impacts applications running on Java version 6 and lower. |
Mission Control
CVEs Not Impacting Mission Control
| CVE | Severity | Mission Control Fix Version | Reason |
|---|---|---|---|
| CVE-2021-37136 | High | 4.7.15 | Upgraded netty-codec to 4.1.68.Final. |
| CVE-2021-22149 | High | 4.7.14 | Upgraded Elasticsearch to 7.14.0. |
| CVE-2021-22148 | High | 4.7.14 | Upgraded Elasticsearch to 7.14.0. |
| CVE-2021-22147 | Medium | 4.7.14 | Upgraded Elasticsearch to 7.14.0. |
| CVE-2021-31684 | High | 4.7.13 | Upgraded Apache HttpClient to version 4.5.13. |
| CVE-2021-22112 | High | 4.7.13 | Upgraded spring-security-web to version 5.4.4. |
| CVE-2020-13956 | Medium | 4.7.13 | Upgraded json-smart to version 2.4.7. |
| CVE-2021-35517 | High | 4.7.11 | Upgraded common-compress to version 1.2.1. |
| CVE-2021-27568 | Critical | 4.7.11 | Upgraded json-smart to version 2.4.7. |
| CVE-2020-28052 | High | 4.7.11 | Upgraded bc-java to version 1.6.7. |
| CVE-2020-8908 | Low | N/A | Does not affect Mission Control, since JFrog does not use the com.google.common.io.Files.createTempDir() function. |
Vulnerabilities Without a CVE Impacting Mission Control
The following is a list of vulnerabilities without a CVE that impacted Mission Control and have been fixed.
| Fix Description | Severity | Mission Control Fix Version |
|---|---|---|
| Updated netty-codec to version 4.1.66.Final. | Critical | 4.7.11 |
Vulnerabilities Without a CVE Not Impacting Mission Control
The following is a list of vulnerabilities that do not have a CVE and that do not impact Mission Control.
| Fix Description | Severity | Mission Control Fix Version |
|---|---|---|
| Flyway insecure logging local password disclosure | High | Not affected (third-party package): the default log level is set to WARN. |
Pipelines
CVEs Impacting Pipelines
| CVE | Severity | Pipelines Fix Version | Reason |
|---|---|---|---|
| CVE-2022-24921 | High | 1.27.0 | A user can cause stack exhaustion using JFrog CLI in a step, but this would merely lead to the step failing. |
| CVE-2022-30634 | High | 1.27.0 | JFrog CLI prevents a max buffer from being passed by the user. |
| CVE-2022-0235 | Medium | 1.24.0 | Removed the node-fetch dependency. |
CVEs Not Impacting Pipelines
The following is a list of CVEs that do not impact Pipelines.
| CVE | Severity | Pipelines Fix Version | Reason |
|---|---|---|---|
| CVE-2021-43138 | High | N/A | Does not affect Pipelines. Removed an unnecessary dependency from the Pipelines build agent. |
| CVE-2021-41248 | High | N/A | Does not affect Pipelines. Removed an unnecessary dependency from the Pipelines build agent. |
| | High | 1.25.1 | Upgraded Node.js to version 16.16.0. |
| CVE-2022-32213 | Critical | 1.25.1 | Upgraded Node.js to version 16.16.0. |
| CVE-2022-32214 | Critical | 1.25.1 | Upgraded Node.js to version 16.16.0. |
| CVE-2022-32215 | Critical | 1.25.1 | Upgraded Node.js to version 16.16.0. |
| CVE-2022-32223 | High | 1.25.1 | Upgraded Node.js to version 16.16.0. |
| CVE-2021-23343 | High | 1.20.2 | Does not affect Pipelines, since |
| CVE-2021-3918 | Critical | 1.20.2 | Does not affect Pipelines. Though the vulnerable library |
| CVE-2021-23358 | High | 1.20.2 | Does not affect Pipelines, since |
| CVE-2022-25648 | High | N/A | Does not impact Pipelines, as core services control what commands are passed to the git command. |
Vulnerabilities Without a CVE Not Impacting Pipelines
The following is a list of vulnerabilities that do not have a CVE and that do not impact Pipelines.
| Description | Severity | Pipelines Fix Version | Reason |
|---|---|---|---|
| Preventing | Medium | 1.23.2 | |
| Prototype pollution flaw in | High | 1.20.2 | Does not affect Pipelines, since |
| Prototype pollution flaw in node-forge 0.10.0 | Critical | N/A | Does not affect Pipelines, since Pipelines and win-ca do not call the vulnerable debug function. |
Frontend
Vulnerabilities Without a CVE Not Impacting Frontend
The following is a list of vulnerabilities that do not have a CVE and that do not impact Frontend.
| Description | Severity | Reason |
|---|---|---|
| Prototype pollution flaw in node-forge 0.10.0 | Critical | Does not affect Frontend, since Frontend and selfsigned do not call the vulnerable debug function. |
Xray
CVEs Impacting Xray
The following is a list of CVEs that were discovered to impact Xray and were fixed.
| CVE | Severity | Xray Fix Version | Fix Description |
|---|---|---|---|
| CVE-2022-31030 | Medium | 3.60.2 | Upgraded github.com/containerd/containerd version to 1.5.13. |
| CVE-2022-28948 | High | 3.60.2 | Upgraded gopkg.in/yaml.v3:3.0.0-20200313102051 version to gopkg.in/yaml.v3:3.0.1. |
| CVE-2022-27664 | High | 3.60.2, 3.61.5 | Upgraded golang.org/x/net v0.0.0-20220722155237 to golang.org/x/net version 0.1.0; upgraded golang.org/x/sys v0.0.0-20220722155237 to golang.org/x/sys v0.1.0; upgraded golang.org/x/net v0.3.7 to golang.org/x/text v0.4.0. |
| CVE-2022-32149 | High | 3.60.2 | Upgraded from 0.3.7 to 0.3.8. |
| CVE-2022-32189 | High | 3.59.4 | Upgraded Golang version to 1.18.5. |
| CVE-2021-38197 | Critical | 3.57.6 | Upgraded go-unarr library to version v0.1.4. |
| CVE-2022-29526 | Medium | 3.55.2 | Upgraded Golang version to 1.18.4. |
| CVE-2022-30634 | High | 3.55.2 | Upgraded Golang version to 1.18.4. |
| CVE-2022-30632 | High | 3.55.2 | Upgraded Golang version to 1.18.4. |
| CVE-2022-30630 | High | 3.55.2 | Upgraded Golang version to 1.18.4. |
| CVE-2022-30631 | High | 3.55.2 | Upgraded Golang version to 1.18.4. |
| CVE-2022-24769 | Medium | 3.54.5 | Upgraded Containerd version to 1.5.11. |
| CVE-2022-29526 | Medium | 3.54.5 | Upgraded Golang version to 1.17.11. |
| CVE-2022-23806 | Critical | 3.50.3 | Upgraded JFrog router version to 7.39.0. |
| CVE-2022-27191 | High | 3.49.0 | Upgraded golang.org/x/crypto to v0.0.0-20220314234659-1baeb1ce4c0. |
| | High | 3.48.2 | Upgraded Golang version to 1.17.9. |
| CVE-2022-24921 | High | 3.48.2 | Upgraded Golang version to 1.17.9. |
| | Critical | 3.42.3 | Upgraded Containerd version to 1.5.9. |
| CVE-2021-44717 | Medium | 3.41.4 | Upgraded Golang version to 1.17.5. |
| CVE-2021-44716 | High | 3.41.4 | Upgraded Golang version to 1.17.5. |
| CVE-2021-41771 | High | 3.38.1 | Upgraded Golang version to 1.17.3. |
| CVE-2021-33196 | High | 3.34.1 | Upgraded Golang version to 1.15.13, 1.16.5. |
CVEs Not Impacting Xray
The following is a list of CVEs that do not impact Xray.
| CVE | Severity | Xray Fix Version | Fix Description |
|---|---|---|---|
| CVE-2021-38197 | Critical | 3.57.6 | Upgraded go-unarr library to version v0.1.4. |