Using the latest version?
JFrog Platform User Guide
JFrog Artifactory 6.x Documentation
To get the latest version, go to the JFrog Unified Platform
Vulnerabilities Without a CVE Impacting Artifactory
The following is a list of vulnerabilities that do not have a CVE that impacted Artifactory and have been fixed.
| Description | Severity | Artifactory Fix Version |
|---|---|---|
Under certain circumstances, authenticated users were able to:
| Critical | |
| Under certain circumstances, users could gain access to application data that should otherwise be exposed only to administrators. | Critical | 6.8.14, 6.9.3, 6.10.4 |
| Under certain circumstances, an unauthorized user may be able to send malformed REST API calls to Artifactory that execute under the identity of another user. | Critical |
|
| A SAML-related authentication vulnerability potentially exposed Artifactory to XSW attacks which could sniff and manipulate SAML communications causing the incorrect verification of a SAML login response. This could potentially allow the attacker to gain access to any user in Artifactory. | High | 6.5.13 |
CVEs Not Impacting Artifactory
The following is a list of CVEs that do not impact Artifactory.
| CVE | Severity | Reason |
|---|---|---|
| CVE-2019-0232 | High | The enableCmdLineArguments parameter is not enabled in the Apache Tomcat bundled with Artifactory. |
| CVE-2018-8014 | High | The JFrog Apache Tomcat version is 8.5.32, which is not one of the vulnerable versions. |
| CVE-2018-1275 | High | The JFrog Spring Framework version is 4.1.8, which is vulnerable to the CVE, as the version is unsupported. However, because JFrog does not implement STOMP broker, we are not exposed to this vulnerability |
| Medium | JFrog is not responsible for vulnerabilities in the Windows operating system. Anyone using an on-premises environment should keep the Windows operating system up to date. | |
| CVE-2018-11776 | High | Does not affect Artifactory, since JFrog does not use Apache Struts. |
| CVE-2018-5925 | High | Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog. |
| CVE-2018-5924 | High | Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog. |
| CVE-2018-1260 | High | Does not affect Artifactory, since JFrog does not use Spring Security Oauth. |
| CVE-2018-1259 | High | Does not affect Artifactory, since JFrog does not use Spring Data Commons. |
| CVE-2017-5664 | High | Does not affect Artifactory, since the default value for the readOnly property in the DefaultServlet is "true" (readOnly=true) in our environment. As mentioned in the CVE, you are only vulnerable: "...if the DefaultServlet is configured to permit writes..." |
| CVE-2017-5648 | Critical | Does not affect Artifactory, since the the tomcat/webapps folder only contains the Artifactory WAR and the Access WAR files used by the bundled Tomcat distribution. |
| CVE-2017-5647 | High | Does not affect Artifactory, since the issue refers/relates only to the "Send File" service which is not used by Artifactory. |
| CVE-2017-5638 | Critical | Artifactory is not affected by the Apache Struts 2 vulnerability. |
| CVE-2014-0097 | High | For LDAP authentication, Artifactory strictly uses the ArtifactoryLdapAuthenticationProvider class that uses the ArtifactoryLdapAuthenticator, wrapping the ArtifactoryBindAuthenticator. The latter class is the one used to perform the actual authentication and it does check for empty passwords. Artifactory does not use any other provider with LDAP, such as ActiveDirectoryLdapAuthenticationProvider. This JIRA issue refers to an older class name, ActiveDirectoryLdapAuthenticator, that is not part of Spring Security and Artifactory. |
| CVE-2008-4108 | High | Does not affect Artifactory, since Artifactory Jfrog does not require Python to be installed; the CVE is not relevant for Jfrog. |
| CVE-2005-2541 | High | Does not affect Artifactory, since Artifactory uses Tar 1.30.1. |
Overview
Content Tools