|CVE-2018-8014||High||Does not affect Artifactory: the Apache Tomcat bundled with JFrog Artifactory is version 8.5.32, which is not one of the affected versions.|
|CVE-2018-1275||High||The Spring Framework version bundled with JFrog is 4.1.8, an unsupported release that is listed as affected by this CVE. However, Artifactory does not implement a STOMP broker, so it is not exposed to this vulnerability.|
|Medium||JFrog is not responsible for vulnerabilities in the Windows operating system. Anyone using an on-premises environment should keep the Windows operating system up to date.|
|CVE-2018-11776||High||Does not affect Artifactory, since JFrog does not use Apache Struts.|
|CVE-2018-5925||High||Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog.|
|CVE-2018-5924||High||Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog.|
|CVE-2018-1260||High||Does not affect Artifactory, since JFrog does not use Spring Security OAuth.|
|CVE-2018-1259||High||Does not affect Artifactory, since JFrog does not use Spring Data Commons.|
|||||Does not affect Artifactory, since the DefaultServlet property that controls write access is left at its default value in our environment. As mentioned in the CVE, you are only vulnerable "...if the DefaultServlet is configured to permit writes..."|
|||||Does not affect Artifactory, since the tomcat/webapps folder only contains the Artifactory WAR and the Access WAR files used by the bundled Tomcat distribution.|
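The two Tomcat rows above rest on checks an operator can repeat on an on-premises install. The following is an added example, not JFrog's code: it inspects a Tomcat `web.xml` for a DefaultServlet that permits writes and lists entries in `webapps` that are not on an allow-list. Assumptions: the page does not name the DefaultServlet property, so the script checks Tomcat's `readonly` init-param (which defaults to `true`); the expected WAR names `artifactory.war` and `access.war` (and their exploded directories) are assumed; the `web.xml` fragments and the directory layout are constructed test data.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"
# Assumption: WAR file stems expected in tomcat/webapps on a default install.
EXPECTED_WEBAPP_STEMS = {"artifactory", "access"}


def _local(tag):
    """Strip the XML namespace Tomcat's web.xml declares on every element."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_permits_writes(web_xml_text):
    """True if a DefaultServlet definition sets readonly=false.
    Tomcat treats a missing `readonly` init-param as "true" (read-only)."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text.strip() for c in servlet
                    if _local(c.tag) == "servlet-class" and c.text), "")
        if cls != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            name = value = ""
            for child in param:
                if _local(child.tag) == "param-name" and child.text:
                    name = child.text.strip()
                elif _local(child.tag) == "param-value" and child.text:
                    value = child.text.strip()
            if name == "readonly" and value.lower() == "false":
                return True
    return False


def unexpected_webapps(webapps_dir, expected_stems=EXPECTED_WEBAPP_STEMS):
    """Entries in webapps/ that are neither an expected WAR nor its exploded dir."""
    found = []
    for entry in sorted(os.listdir(webapps_dir)):
        stem = entry[:-4] if entry.endswith(".war") else entry
        if stem not in expected_stems:
            found.append(entry)
    return found


# Constructed web.xml fragments (namespace as in a real Tomcat conf/web.xml).
_HEAD = '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">'
SAFE_WEB_XML = _HEAD + """
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
WRITABLE_WEB_XML = _HEAD + """
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""


def audit_sample_webapps():
    """Build a constructed webapps/ layout with one stray entry and audit it."""
    with tempfile.TemporaryDirectory() as webapps:
        for name in ("artifactory.war", "access.war"):
            open(os.path.join(webapps, name), "wb").close()
        os.mkdir(os.path.join(webapps, "artifactory"))  # exploded WAR
        os.mkdir(os.path.join(webapps, "manager"))      # should not be there
        return unexpected_webapps(webapps)


if __name__ == "__main__":
    print("safe web.xml permits writes:", default_servlet_permits_writes(SAFE_WEB_XML))
    print("writable web.xml permits writes:", default_servlet_permits_writes(WRITABLE_WEB_XML))
    print("unexpected webapps:", audit_sample_webapps())
```

Run it against a real install by reading `tomcat/conf/web.xml` (and each application's `WEB-INF/web.xml`, since a web application can override the default servlet) and pointing `unexpected_webapps` at `tomcat/webapps`.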
|CVE-2017-5647||High||Does not affect Artifactory, since the issue relates only to Tomcat's "Send File" (sendfile) feature, which Artifactory does not use.|
|CVE-2017-5638||Critical||Artifactory is not affected by the Apache Struts 2 vulnerability.|
|CVE-2014-0097||High||For LDAP authentication, Artifactory uses only the ArtifactoryLdapAuthenticationProvider class, which uses ArtifactoryLdapAuthenticator, which in turn wraps ArtifactoryBindAuthenticator. The latter class performs the actual bind authentication, and it does check for empty passwords. Artifactory does not use any other LDAP provider, such as ActiveDirectoryLdapAuthenticationProvider. This JIRA issue refers to an older class name, ActiveDirectoryLdapAuthenticator, which is not part of either Spring Security or Artifactory.|
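The row above rests on one property of the bind authenticator: it rejects empty passwords before binding. The following is an added illustration, not Artifactory's or Spring Security's code, of why that check matters. RFC 4513 section 5.1.2 defines an "unauthenticated" simple bind (a DN with an empty password); directory servers that allow it answer with success while granting only anonymous access, so an authenticator that equates "bind succeeded" with "password verified" accepts a valid username with a blank password. `FakeDirectory` is a constructed stand-in that reproduces that server behaviour; the directory contents, DNs and passwords are made-up test data.

```python
class BindAuthenticationError(Exception):
    """Raised when a bind-based login must be refused."""


class FakeDirectory:
    """Constructed stand-in for an LDAP server that permits unauthenticated binds."""

    def __init__(self, passwords):
        self._passwords = passwords  # dn -> password (constructed test data)

    def simple_bind(self, dn, password):
        """Return (success, authenticated_dn).

        An empty password is an unauthenticated bind (RFC 4513 s5.1.2):
        the server reports success, but the session is anonymous."""
        if password == "":
            return True, None
        if self._passwords.get(dn) == password:
            return True, dn
        return False, None


def authenticate_naive(directory, dn, password):
    """Vulnerable pattern: treat any successful bind as a verified password."""
    success, _ = directory.simple_bind(dn, password)
    if not success:
        raise BindAuthenticationError("bad credentials")
    return dn


def authenticate_checked(directory, dn, password):
    """Hardened pattern: refuse an empty password before any bind is attempted,
    and additionally require that the server authenticated the requested DN."""
    if not password:
        raise BindAuthenticationError("empty password is not allowed for LDAP bind")
    success, bound_as = directory.simple_bind(dn, password)
    if not success or bound_as != dn:
        raise BindAuthenticationError("bad credentials")
    return dn


def accepts(authenticator, directory, dn, password):
    """True if the authenticator lets this login through."""
    try:
        authenticator(directory, dn, password)
        return True
    except BindAuthenticationError:
        return False


# Constructed directory: one user with a known password.
ALICE = "cn=alice,ou=users,dc=example,dc=com"
DIRECTORY = FakeDirectory({ALICE: "correct horse battery staple"})

if __name__ == "__main__":
    for name, fn in (("naive", authenticate_naive), ("checked", authenticate_checked)):
        print(name, "empty password accepted:", accepts(fn, DIRECTORY, ALICE, ""))
        print(name, "wrong password accepted:", accepts(fn, DIRECTORY, ALICE, "nope"))
        print(name, "right password accepted:",
              accepts(fn, DIRECTORY, ALICE, "correct horse battery staple"))
```

The naive variant lets `alice` in with a blank password because the bind "succeeded"; the checked variant refuses it without ever contacting the directory, which is the behaviour the row attributes to ArtifactoryBindAuthenticator.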