Vulnerabilities Without a CVE Impacting Artifactory
The following vulnerabilities, which have no CVE assigned, impacted Artifactory and have been fixed.

| Description | Severity | Artifactory Fix Version |
|---|---|---|
| Under certain circumstances, an unauthorized user may be able to send malformed REST API calls to Artifactory that execute under the identity of another user. | Critical | |
| A SAML-related authentication vulnerability potentially exposed Artifactory to XSW attacks, which could sniff and manipulate SAML communications and cause incorrect verification of a SAML login response. This could potentially allow the attacker to gain access to any user in Artifactory. | High | 6.5.13 |
CVEs Not Impacting Artifactory
The following is a list of CVEs that do not impact Artifactory.
| CVE | Severity | Reason |
|---|---|---|
| CVE-2019-0232 | High | The enableCmdLineArguments parameter is not enabled in the Apache Tomcat bundled with Artifactory. |
| CVE-2018-8014 | High | The JFrog Apache Tomcat version is 8.5.32, which is not one of the vulnerable versions. |
| CVE-2018-1275 | High | The JFrog Spring Framework version is 4.1.8, which is vulnerable to the CVE, as the version is unsupported. However, because JFrog does not implement a STOMP broker, Artifactory is not exposed to this vulnerability. |
| | Medium | JFrog is not responsible for vulnerabilities in the Windows operating system. Anyone using an on-premises environment should keep the Windows operating system up to date. |
| CVE-2018-11776 | High | Does not affect Artifactory, since JFrog does not use Apache Struts. |
| CVE-2018-5925 | High | Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog. |
| CVE-2018-5924 | High | Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog. |
| CVE-2018-1260 | High | Does not affect Artifactory, since JFrog does not use Spring Security OAuth. |
| CVE-2018-1259 | High | Does not affect Artifactory, since JFrog does not use Spring Data Commons. |
| | | Does not affect Artifactory, since the default value for the |
| | | Does not affect Artifactory, since the |
| CVE-2017-5647 | High | Does not affect Artifactory, since the issue relates only to the "Send File" service, which is not used by Artifactory. |
| CVE-2017-5638 | Critical | Artifactory is not affected by the Apache Struts 2 vulnerability. |
| CVE-2014-0097 | High | For LDAP authentication, Artifactory strictly uses the ArtifactoryLdapAuthenticationProvider class, which uses the ArtifactoryLdapAuthenticator, wrapping the ArtifactoryBindAuthenticator. The latter class is the one used to perform the actual authentication, and it does check for empty passwords. Artifactory does not use any other provider with LDAP, such as ActiveDirectoryLdapAuthenticationProvider. This JIRA issue refers to an older class name, ActiveDirectoryLdapAuthenticator, that is not part of Spring Security or Artifactory. |