
The following CVEs were found to affect Artifactory and have been fixed. The fix version is the Artifactory release in which the fix shipped; installations below that version remain exposed to the corresponding issue.

CVE | Severity | Artifactory Fix Version | Fix Description
CVE-2017-7525 | Critical | 6.1 | FasterXML jackson-databind was upgraded to versions 2.9.3 and 2.8.10, which include the fix that prevents unauthenticated remote code execution through polymorphic deserialization.
CVE-2016-8745 | High | 5.2.0 | Apache Tomcat was upgraded to version 8.0.41, which includes the fix for the NIO HTTP connector vulnerability.
CVE-2016-8735 | Critical | 5.0.0 | Apache Tomcat was upgraded to version 8.0.39.
CVE-2016-3092 | High | 5.0.0 | Apache Tomcat was upgraded to version 8.0.39.
CVE-2016-6501 | Critical | 4.11.0 | Added the "Secure LDAP Search" option to the Artifactory LDAP settings, which protects against LDAP poisoning by filtering out the users exposed to the vulnerability.
CVE-2014-3623 | High | 4.10.0 | Upgraded the wss4j library to version 1.6.17 and Apache CXF to version 2.7.13.
CVE-2015-0227 | Medium | 4.10.0 | Upgraded the wss4j library to version 1.6.17 and Apache CXF to version 2.7.13.
CVE-2014-0114 | High | 4.10.0 | Upgraded commons-beanutils to version 1.9.2.
CVE-2015-7940 | Medium | 4.8.1 | Upgraded the libraries that pull in the Bouncy Castle Java library as a dependency.
CVE-2013-4517 | Medium | 4.8.0 | Upgraded the libraries that pull in the Apache XML Security for Java library as a dependency.
CVE-2015-4852 | High | 4.5.2 | Upgraded the commons-collections library to version 3.2.2.
CVE-2015-3253 | Critical | 4.2.1 | Upgraded the groovy-all library to version 2.4.4.
CVE-2014-0107 | High | 4.2.1 | Upgraded the Xalan library to version 2.7.2.
CVE-2014-3577 | Medium | 3.3.1 | Upgraded the HttpClient library to version 4.3.5.
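A practitioner reading this table usually wants one answer: which of these fixes is a given installation still missing. The following Python script is an added example, not JFrog code. It transcribes the table above into a list and reports the rows whose fix version is newer than the installed version. The function names and the version-parsing rules are this example's own assumptions; the CVE identifiers, severities and fix versions are the page's.

```python
"""Added example (not JFrog code): report which fixed CVEs from the table
above a given Artifactory version still lacks."""
import re

# (CVE, severity, Artifactory release that ships the fix), transcribed from the table above.
FIXED_CVES = [
    ("CVE-2017-7525", "Critical", "6.1"),
    ("CVE-2016-8745", "High", "5.2.0"),
    ("CVE-2016-8735", "Critical", "5.0.0"),
    ("CVE-2016-3092", "High", "5.0.0"),
    ("CVE-2016-6501", "Critical", "4.11.0"),
    ("CVE-2014-3623", "High", "4.10.0"),
    ("CVE-2015-0227", "Medium", "4.10.0"),
    ("CVE-2014-0114", "High", "4.10.0"),
    ("CVE-2015-7940", "Medium", "4.8.1"),
    ("CVE-2013-4517", "Medium", "4.8.0"),
    ("CVE-2015-4852", "High", "4.5.2"),
    ("CVE-2015-3253", "Critical", "4.2.1"),
    ("CVE-2014-0107", "High", "4.2.1"),
    ("CVE-2014-3577", "Medium", "3.3.1"),
]


def parse_version(text):
    """Turn '5.2.0', '6.1' or '4.11.0-m001' into a comparable tuple of ints.

    Only the leading dotted numeric part is used, and missing trailing
    components count as zero, so '6.1' compares equal to '6.1.0'.
    Comparing tuples of ints (not strings) is what keeps 4.9.0 below 4.11.0.
    (Assumption of this example: Artifactory versions follow that shape.)
    """
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"not a version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def missing_fixes(installed):
    """Return the (cve, severity, fix_version) rows whose fix version is newer
    than the installed version, i.e. the CVEs the installation is still exposed to."""
    inst = parse_version(installed)
    return [row for row in FIXED_CVES if parse_version(row[2]) > inst]


if __name__ == "__main__":
    # Constructed input: an installation on 4.9.0 is missing eight of the fixes above.
    for cve, severity, fix in missing_fixes("4.9.0"):
        print(f"{cve} ({severity}): fixed in Artifactory {fix}")
```

The installed version can be read from the REST endpoint `GET /artifactory/api/system/version`, whose JSON response carries a `version` field; pass that string to `missing_fixes`. A version list of this kind only tells you which library upgrades you lack; it does not replace checking the bundled Tomcat and library versions actually on disk after an upgrade.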


The following is a list of CVEs that do not impact Artifactory.

CVE | Severity | Reason
CVE-2017-5664 | High | Does not affect Artifactory: in our environment the DefaultServlet keeps its default readOnly property of "true" (readOnly=true). As the CVE itself states, an installation is only vulnerable "...if the DefaultServlet is configured to permit writes...".
CVE-2017-5648 | Critical | Does not affect Artifactory: the tomcat/webapps folder of the bundled Tomcat distribution contains only the Artifactory WAR and the Access WAR, and the issue requires an untrusted web application deployed in the same container.
CVE-2017-5647 | High | Does not affect Artifactory: the issue relates only to Tomcat's "send file" service, which Artifactory does not use.
CVE-2017-5638 | Critical | Artifactory is not affected by this Apache Struts 2 vulnerability.
CVE-2014-0097 | High | For LDAP authentication, Artifactory uses only the ArtifactoryLdapAuthenticationProvider class, which uses the ArtifactoryLdapAuthenticator wrapping the ArtifactoryBindAuthenticator. The last of these performs the actual bind, and it does reject empty passwords. Artifactory does not use any other LDAP provider, such as ActiveDirectoryLdapAuthenticationProvider. The issue report refers to an older class name, ActiveDirectoryLdapAuthenticator, that is part of neither Spring Security nor Artifactory.