The following is a list of CVEs that were discovered to impact Artifactory and were fixed.
Artifactory Fix Version
|CVE-2017-7525||Critical||6.1||FasterXML jackson-databind was upgraded to version 2.93 and 2.8.10 and includes a fix to prevent unauthenticated remote code execution.|
|CVE-2016-6501||Critical||4.11.0||Added the "Secure LDAP Search" in the Artifactory LDAP settings to protect against LDAP poisoning by filtering out users exposed to vulnerability|
|CVE-2014-3623||High||4.10.0||Upgraded the |
|CVE-2015-0227||Medium||4.10.0||Upgraded the |
Upgraded the relevant libraries that included the
|CVE-2013-4517||Medium||4.8.0||Upgraded the relevant libraries that included the |
|CVE-2015-4852||High||4.5.2||Upgraded the |
|CVE-2015-3253||Critical||4.2.1||Upgraded the |
|CVE-2014-0107||High||4.2.1||Upgraded the |
|CVE-2014-3577||Medium||3.3.1||Upgraded the |
The following is a list of CVEs that do not impact Artifactory.
|CVE-2018-11776||High||Does not affect Artifactory, since JFrog does not use Apache Struts.|
|CVE-2018-5925||High||Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog.|
|CVE-2018-5924||High||Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog.|
|CVE-2018-1260||High||Does not affect Artifactory, since JFrog does not use Spring Security Oauth.|
|CVE-2018-1259||High||Does not affect Artifactory, since JFrog does not use Spring Data Commons.|
Does not affect Artifactory, since the default value for the
Does not affect Artifactory, since the the
|CVE-2017-5647||High||Does not affect Artifactory, since the issue refers/relates only to the "Send File" service which is not used by Artifactory.|
|CVE-2017-5638||Critical||Artifactory is not affected by the Apache Struts 2 vulnerability.|
|CVE-2014-0097||High||For LDAP authentication, Artifactory strictly uses the ArtifactoryLdapAuthenticationProvider class that uses the ArtifactoryLdapAuthenticator, wrapping the ArtifactoryBindAuthenticator. The latter class is the one used to perform the actual authentication and it does check for empty passwords.|
Artifactory does not use any other provider with LDAP, such as ActiveDirectoryLdapAuthenticationProvider. This JIRA issue refers to an older class name, ActiveDirectoryLdapAuthenticator, that is not part of Spring Security and Artifactory.