Artifactory

CVEs Impacting Artifactory

The following is a list of CVEs that were discovered to impact Artifactory and were fixed.

CVE | Severity | Artifactory Fix Version | Fix Description
CVE-2022-32213 | Critical | 7.41.7 | Upgraded Node.js to version 16.16.0.
CVE-2022-32214 | Critical | 7.41.7 | Upgraded Node.js to version 16.16.0.
CVE-2022-32215 | Critical | 7.41.7 | Upgraded Node.js to version 16.16.0.
CVE-2022-32223 | Critical | 7.41.7 | Upgraded Node.js to version 16.16.0.
CVE-2021-22573 | High | 7.41.4 | Upgraded google-oauth-client to version 1.33.3.
CVE-2022-32212 | Critical | 7.39.10 | Upgraded Node.js to version 16.16.0.
CVE-2022-32213 | Critical | 7.39.10 | Upgraded Node.js to version 16.16.0.
CVE-2022-32214 | Critical | 7.39.10 | Upgraded Node.js to version 16.16.0.
CVE-2022-32215 | Critical | 7.39.10 | Upgraded Node.js to version 16.16.0.
CVE-2022-32223 | Critical | 7.39.10 | Upgraded Node.js to version 16.16.0.
CVE-2022-32212 | Critical | 7.38.16 | Upgraded Node.js to version 16.16.0.
CVE-2022-32213 | Critical | 7.38.16 | Upgraded Node.js to version 16.16.0.
CVE-2022-32214 | Critical | 7.38.16 | Upgraded Node.js to version 16.16.0.
CVE-2022-32215 | Critical | 7.38.16 | Upgraded Node.js to version 16.16.0.
CVE-2022-32223 | Critical | 7.38.16 | Upgraded Node.js to version 16.16.0.
CVE-2022-32212 | Critical | 7.37.17 | Upgraded Node.js to version 16.16.0.
CVE-2022-32213 | Critical | 7.37.17 | Upgraded Node.js to version 16.16.0.
CVE-2022-32214 | Critical | 7.37.17 | Upgraded Node.js to version 16.16.0.
CVE-2022-32215 | Critical | 7.37.18 | Upgraded Node.js to version 16.16.0.
CVE-2022-32223 | Critical | 7.37.17 | Upgraded Node.js to version 16.16.0.
CVE-2021-38561 | High | 7.37.13 | Upgraded golang.org/x/text (internal/language/parse.go) from version 0.3.6 to version 0.3.7.
CVE-2021-41091 | Medium | 7.35.1 | Upgraded Docker to v20.10.9 and image-spec to v1.0.2.
CVE-2021-3765 | High | 7.31.10 | Upgraded validator to version 13.6.0.
CVE-2020-29582 | Medium | 7.25.4 (Cloud) | Upgraded Kotlin from version 1.3.50 to 1.5.20.
CVE-2019-20104 | High | 7.24.1 | Upgraded Crowd to version 3.7.2.
CVE-2020-14340 | Medium | 7.21.3 | Upgraded org.jboss.xnio:xnio-nio to version 3.8.4.Final.
(none listed) | High | 7.17.4 | Upgraded Apache Tomcat to version 8.5.63.
(none listed) | Medium | 7.15.3 | Upgraded org.hibernate:hibernate-validator to version 6.0.18.
CVE-2017-18214 | High | 6.23.25 | Upgraded the npm moment.js library to version 2.19.3.
CVE-2017-18640 | High | 6.23.0 | Upgraded SnakeYAML (snakeyaml-1.23.jar) to version 1.27.
CVE-2020-7692 | Critical | 6.23.0 | Upgraded google-oauth-client from version 1.27 to 1.31.
CVE-2019-12402 | Medium | 6.23.0 | Upgraded commons-compress to version 1.20.
CVE-2020-15586 and Go issue golang.org/issue/34902 | High | 6.23.0 | Upgraded Go to version 1.14.9.
CVE-2019-20104 | High | 6.23.0 | Upgraded Crowd to version 3.7.2.
CVE-2018-1000206 | High | 6.1 | Artifactory now validates the actual value of the X-Requested-With header instead of only checking that the header is present.
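The CVE-2018-1000206 fix turns on the difference between "is the header there?" and "does it carry the value a legitimate client sends?". The Go program below is an added illustration of that difference, not Artifactory code: it guards a hypothetical state-changing endpoint (`/ui/api/changePassword`) with each check in turn and reports the status code each produces. The expected value `XMLHttpRequest` is the conventional one set by XHR-style clients and is an assumption here; the page only says the value is validated.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Header name and the conventional value sent by XMLHttpRequest-style clients.
// "XMLHttpRequest" as the expected value is an assumption of this example.
const (
	xrwHeader   = "X-Requested-With"
	xrwExpected = "XMLHttpRequest"
)

// presenceOnly is the weak check: any value at all, even an empty one,
// satisfies it, so a request that merely names the header passes.
func presenceOnly(r *http.Request) bool {
	_, present := r.Header[http.CanonicalHeaderKey(xrwHeader)]
	return present
}

// valueChecked requires the header to carry exactly the expected value.
func valueChecked(r *http.Request) bool {
	return r.Header.Get(xrwHeader) == xrwExpected
}

// requireXRW wraps a state-changing handler with one of the two checks and
// rejects requests that fail it with 403.
func requireXRW(check func(*http.Request) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !check(r) {
			http.Error(w, "missing or invalid "+xrwHeader, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// sensitive stands in for a UI REST endpoint that changes state.
var sensitive = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
})

// statusFor builds a POST to the hypothetical endpoint, optionally setting the
// header to value, and returns the status code the guarded handler produces.
func statusFor(check func(*http.Request) bool, set bool, value string) int {
	req := httptest.NewRequest(http.MethodPost, "/ui/api/changePassword", nil)
	if set {
		req.Header.Set(xrwHeader, value)
	}
	rec := httptest.NewRecorder()
	requireXRW(check, sensitive).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cases := []struct {
		name  string
		set   bool
		value string
	}{
		{"no header", false, ""},
		{"header present, empty value", true, ""},
		{"header present, arbitrary value", true, "anything"},
		{"header present, expected value", true, xrwExpected},
	}
	for _, c := range cases {
		fmt.Printf("%-34s presence-only=%d value-checked=%d\n", c.name,
			statusFor(presenceOnly, c.set, c.value), statusFor(valueChecked, c.set, c.value))
	}
}
```

The presence-only check lets the second and third cases through; the value check admits only the last one. Which header value a real deployment should require depends on what its own UI client sends.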
Vulnerabilities Without a CVE Impacting Artifactory

The following is a list of vulnerabilities that do not have a CVE that impacted Artifactory and have been fixed. 

Description | Severity | Artifactory Fix Version
Updated jackson-dataformats-binary to version 2.12.3. | High | 7.21.3
Excluded the plexus-cipher library. | Medium | 7.21.3
Upgraded com.nimbusds:oauth2-oidc-sdk from 6.14 to 9.9.3. | High | 7.21.3
Upgraded to wiremock-jre8 version 2.28.0. | High | 7.21.3
Upgraded maven-shared-utils from 3.2.1 to version 3.3.4. | Critical | 7.21.3
Under certain circumstances, authenticated users were able to (a) retrieve environment information from Artifactory that normally requires administrative rights, and (b) deploy binaries to Artifactory from different upstreams without having the permissions required for these actions. | Critical | 6.13.3, 6.14.4, 6.15.2, 6.16.2, 6.17.1, 6.18.1, 7.3.2
Under certain circumstances, users could gain access to application data that should be exposed only to administrators. | Critical | 6.8.14, 6.9.3, 6.10.4
Under certain circumstances, an unauthorized user could send malformed REST API calls to Artifactory that executed under the identity of another user. | Critical | 5.6.8, 5.7.3, 5.8.12, 5.9.8, 5.10.5, 5.11.5; 6.0.4, 6.1.4, 6.2.1, 6.3.4, 6.4.2, 6.5.9
A SAML authentication vulnerability exposed Artifactory to XML Signature Wrapping (XSW) attacks: an attacker able to intercept and manipulate SAML messages could craft a SAML login response that Artifactory verified incorrectly, potentially gaining access as any Artifactory user. | High | 6.5.13
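Several rows above list one fix version per release branch (6.13.3, 6.14.4, ..., 7.3.2) rather than a single "fixed in" version, so "is my installation fixed?" is not a plain version comparison: 6.14.3 is unfixed although it is newer than 6.13.3, while 6.19.0 is fixed although it is not in the list. The Go program below is an added example, not JFrog tooling, that encodes that branch-aware reading. Its rule is an assumption stated in the comments: a fix on the installed major.minor branch decides; otherwise a version newer than the newest fix on the same major line counts as fixed (a branch cut after the fix inherits it); otherwise only a version newer than every listed fix counts as fixed, and anything else is treated as unfixed.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// version is a parsed major.minor.patch triple.
type version struct{ major, minor, patch int }

// parseVersion accepts "7.3.2" or "6.1" and tolerates a trailing qualifier such
// as "7.25.4 (Cloud)" by reading only the leading dotted numeric part.
func parseVersion(s string) (version, error) {
	s = strings.TrimSpace(s)
	if i := strings.IndexByte(s, ' '); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return version{}, fmt.Errorf("unrecognised version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return version{}, fmt.Errorf("unrecognised version %q", s)
		}
		nums[i] = n
	}
	return version{nums[0], nums[1], nums[2]}, nil
}

func (v version) less(o version) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// isFixed applies the branch-aware rule (an assumption of this example):
//  1. a fix on the installed major.minor branch: fixed iff patch >= fix patch;
//  2. otherwise, newer than the newest fix on the same major line: fixed;
//  3. otherwise, newer than every listed fix: fixed;
//  4. anything else (an older branch with no fix of its own): not fixed.
func isFixed(installed string, fixVersions []string) (bool, error) {
	v, err := parseVersion(installed)
	if err != nil {
		return false, err
	}
	var fixes []version
	for _, f := range fixVersions {
		fv, err := parseVersion(f)
		if err != nil {
			return false, err
		}
		fixes = append(fixes, fv)
	}
	if len(fixes) == 0 {
		return false, fmt.Errorf("no fix versions given")
	}
	sort.Slice(fixes, func(i, j int) bool { return fixes[i].less(fixes[j]) })

	var branchFix, majorFix *version // highest fix on the same branch / same major line
	for i := range fixes {
		if fixes[i].major == v.major && fixes[i].minor == v.minor {
			branchFix = &fixes[i]
		}
		if fixes[i].major == v.major {
			majorFix = &fixes[i]
		}
	}
	switch {
	case branchFix != nil:
		return !v.less(*branchFix), nil // rule 1
	case majorFix != nil:
		return majorFix.less(v), nil // rule 2
	default:
		return fixes[len(fixes)-1].less(v), nil // rules 3 and 4
	}
}

// envDisclosureFixes copies the fix versions listed on this page for the
// authenticated-user information-disclosure / unauthorised-deploy issue.
var envDisclosureFixes = []string{"6.13.3", "6.14.4", "6.15.2", "6.16.2", "6.17.1", "6.18.1", "7.3.2"}

func main() {
	for _, v := range []string{"6.12.5", "6.14.3", "6.14.4", "6.19.0", "7.2.0", "7.3.2", "7.41.7"} {
		ok, err := isFixed(v, envDisclosureFixes)
		fmt.Printf("%-8s fixed=%-5t err=%v\n", v, ok, err)
	}
}
```

The conservative branches of the rule (6.12.x and 7.2.x report unfixed) are deliberate: when the advisory lists no fix for a branch that is older than a listed one, the safe reading is that the branch never received the fix.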

CVEs Not Impacting Artifactory

The following is a list of CVEs that do not impact Artifactory.

CVE | Severity | Reason
CVE-2019-20444, CVE-2019-20445, CVE-2019-16869 | Critical | Does not affect Artifactory, since it only affects software.amazon.awssdk:licensemanager.
CVE-2021-26291 | Critical | Does not affect Artifactory, since it only affects Apache Maven (org.apache.maven:maven-project).
CVE-2022-1962, CVE-2022-28131, CVE-2022-30633, CVE-2022-30635 | Critical | Does not affect Artifactory, since it only affects github.com/golang/go (the Go standard library).
CVE-2021-44906 | High | Does not affect Artifactory, since it only affects grpc-tools.
CVE-2021-3807 | High | Does not affect Artifactory, since it only affects ansi-regex, which is pulled in only by grpc-tools, grpc_tools_node_protoc_ts and jest-junit.
CVE-2022-25857 | High | Does not affect Artifactory, since it only affects snakeyaml.
CVE-2022-22970 | High | Does not affect Artifactory, since it only affects org.springframework:spring-beans.
CVE-2022-24823 | Medium | Does not affect Artifactory, since it only affects io.netty:netty-common.
CVE-2020-7789 | Medium | Does not affect Artifactory, since it only affects grpc-tools and grpc_tools_node_protoc_ts.
CVE-2022-0235 | Medium | Does not affect Artifactory, since it only affects grpc-tools and grpc_tools_node_protoc_ts.
CVE-2022-30187 | Medium | Does not affect Artifactory, since it only affects azure-storage-blob and azure-core-http-okhttp.
CVE-2020-7608 | Medium | Does not affect Artifactory, since it only affects yargs and yargs-parser, which are pulled in only by grpc-tools and grpc_tools_node_protoc_ts.
CVE-2022-25878 | Medium | Does not affect Artifactory, since it only affects grpc-tools and grpc_tools_node_protoc_ts.
CVE-2022-27191 | High | Does not affect Artifactory, since it only affects golang.org/x/crypto/ssh.
CVE-2022-31030 | Medium | Does not affect Artifactory, since it only affects containerd.
CVE-2022-22968 | Medium | Does not affect Artifactory, since it only affects org.springframework:spring-context.
CVE-2022-31197 | Medium | Does not affect Artifactory, since it only affects org.postgresql:postgresql.
CVE-2021-37136, CVE-2021-37137 | Critical | Does not affect Artifactory, since it only affects io.netty:netty-codec:4.1.63.
CVE-2020-36518 | High | Does not affect Artifactory, since it only affects jackson-databind.
CVE-2022-22963 | Critical | Does not affect Artifactory, since it only affects spring-core 5.3.18.
CVE-2022-2048 | High | Does not affect Artifactory, since it only affects org.eclipse.jetty.
CVE-2022-31159 | High | Does not affect Artifactory, since it only affects aws-java-sdk.
CVE-2020-28469 | High | Does not affect Artifactory, since it only affects glob-parent.
CVE-2021-20066 | Medium | Does not affect Artifactory, since it only affects jest.
CVE-2022-22950 | Medium | Does not affect Artifactory, since it only affects org.springframework:spring-expression.
CVE-2021-22096, CVE-2021-22060 | Medium | Does not affect Artifactory, since it only affects org.springframework:spring-core (5.3.12).
CVE-2018-25031, CVE-2021-46708 | Medium | Does not affect Artifactory, since it only affects com.github.tomakehurst:wiremock-jre8.
CVE-2021-43797 | Medium | Does not affect Artifactory, since it only affects io.netty:netty-codec-http.
CVE-2022-22971 | Critical | Does not affect Artifactory, since it only affects spring-core.
CVE-2021-3859 | High | Does not affect Artifactory, since it only affects Red Hat undertow-core.
CVE-2021-22119 | High | Does not affect Artifactory, since it only affects spring-security-oauth2.
CVE-2022-23632 | Critical | Does not affect Artifactory, since it only affects Traefik.
CVE-2022-29153 | High | Does not affect Artifactory, since it only affects consul.
CVE-2022-24769 | Medium | Does not affect Artifactory, since it only affects containerd.
CVE-2022-23648 | High | Does not affect Artifactory, since it only affects containerd.
CVE-2022-0536 | Medium | Does not affect Artifactory, since it only affects the Node.js client's axios dependency.
CVE-2021-41090 | Medium | Does not affect Artifactory, since it only affects docker and image-spec.
CVE-2021-42550 | Medium | Does not affect Artifactory, since it only affects logback.
CVE-2017-9506 | Medium | Does not affect Artifactory, since it only affects the IconUriServlet of the Atlassian OAuth plugin.
CVE-2015-2575 | Medium | Does not affect Artifactory, since it only affects mysql:mysql-connector-java:8.0.20.
CVE-2021-42340 | High | Does not affect Artifactory, since it only affects Apache Tomcat versions 9.0.48 and 8.5.73.
CVE-2020-13949 | High | Does not affect Artifactory, since it only affects jaeger 1.6.0, which uses Thrift 0.14.1.
CVE-2021-35560, CVE-2021-35550, CVE-2021-35556, CVE-2021-35561, CVE-2021-35564, CVE-2021-35565, CVE-2021-35567, CVE-2021-35578, CVE-2021-35586, CVE-2021-35588, CVE-2021-35603 | High | Does not affect Artifactory, since it only affects Java.
CVE-2021-36374 | Medium | Does not affect Artifactory, since it only affects Apache ant-1.9.15.
CVE-2021-33037 | Medium | Does not affect Artifactory, since it only affects Apache Tomcat.
CVE-2021-22147, CVE-2021-22148, CVE-2021-22149 | High | Does not affect Artifactory, since it only affects org.elasticsearch:elasticsearch.
CVE-2021-30129 | High | Does not affect Artifactory, since it only affects org.apache.sshd:sshd-core:2.6.0.
CVE-2017-18640 | High | Does not affect Artifactory, since it only affects SnakeYAML 1.23 (entity expansion).
CVE-2021-27568 | Critical | Does not affect Artifactory, since it only affects json-smart-1.3.1.
CVE-2021-13936 | High | Does not affect Artifactory, since it only affects the Apache Velocity engine.
CVE-2018-9116 | Critical | Does not affect Artifactory, since it only affects wiremock.
(none listed) | Critical | Does not affect Artifactory, since it only affects XStream.
CVE-2021-21290 | Medium | Does not affect Artifactory, since it only affects netty-codec-http:4.1.53.Final.
CVE-2020-17521 | Medium | Does not affect Artifactory, since it only affects org.codehaus.groovy:groovy-all.
(none listed) | High | Does not affect Artifactory, since it only affects Spring Security Web.
CVE-2019-17571 | Medium | Does not affect Artifactory, since it only affects log4j-to-slf4j and log4j-api.
(none listed) | High | Does not affect Artifactory, since it only affects hazelcast-3.6.1.jar.
(none listed) | Medium | Does not affect Artifactory, since it only affects org.eclipse.jetty:jetty-http.
(none listed) | High | Does not affect Artifactory, since it only affects plexus-utils.
(none listed) | High | Does not affect Artifactory, since it only affects FasterXML jackson.
(none listed) | High | Does not affect Artifactory, since it only affects bcprov-jdk15.
(none listed) | High | Does not affect Artifactory, since it only affects cryptacular-1.1.1.jar.
CVE-2020-7692 | Critical | Does not affect Artifactory, since it only affects the google-oauth-client library.
(none listed) | Medium | Does not affect Artifactory, since it only affects the commons-compress library.
(none listed) | High | Does not affect Artifactory, since it only affects Go 1.14.9.
(none listed) | High | Does not affect Artifactory, since it only affects the Crowd library.
(none listed) | High | Does not affect Artifactory, since it only affects XStream.
CVE-2020-8203, CVE-2020-28500, CVE-2021-23337 | Critical | Does not affect Artifactory, since it only affects the npm lodash library.
CVE-2020-1745 | Critical | Does not affect Artifactory, since it only affects io.undertow:undertow-core 2.0.15.Final.
CVE-2017-15095, CVE-2017-17485, CVE-2017-7525 | Critical | Does not affect Artifactory, since it only affects fge:jackson-coreutils.
CVE-2020-13935, CVE-2020-13934, CVE-2020-11996 | High | Does not affect Artifactory, since it only affects Apache Tomcat.
CVE-2022-30591 | High | Does not affect Artifactory, since it does not use quic-go (affected through 0.27.0).
CVE-2022-42889 | Critical | Does not affect the JFrog Platform, since it does not use the impacted packages.
CVE-2016-1000027 | Critical | Does not affect Artifactory, since it does not use the impacted HttpInvokerServiceExporter component to provide remote access.
CVE-2022-34305 | Medium | Does not affect Artifactory, since it does not use the impacted component of the bundled Apache Tomcat version.
CVE-2022-29885 | High | Does not affect Artifactory, since it does not use the impacted component of the bundled Apache Tomcat version.
CVE-2018-10892 | High | Does not affect Artifactory, since only Traefik uses the affected component, and only when the Docker provider is turned on, which is not the case in Artifactory.
CVE-2020-0187 | Medium | Does not affect Artifactory, since it only affects the Android platform.
N/A | Medium | Does not affect Artifactory, since it applies only when using Apache Sling, which Artifactory does not.
N/A | Medium | Does not affect Artifactory, since it only affects SSLServerSocketAppender and SSLSocketAppender.
CVE-2017-7536 | High | Does not affect Artifactory, since Artifactory does not use org.hibernate:hibernate-validator.
CVE-2020-9484 | High | Does not affect Artifactory, since the vulnerability is exploitable only when Tomcat is configured with a PersistenceManager, which Artifactory does not use.
CVE-2019-11888 | High | Reported against Artifactory 6.x. The golang/go library is part of the Metadata Service, which is not enabled in Artifactory 6.x.
CVE-2019-14809 | High | Reported against Artifactory 6.x. The golang/go library is part of the Metadata Service, which is not enabled in Artifactory 6.x.
CVE-2019-0232 | High | The enableCmdLineArguments parameter is not enabled in the Apache Tomcat bundled with Artifactory.
CVE-2018-8014 | High | The Apache Tomcat version bundled by JFrog is 8.5.32, which is not one of the vulnerable versions.
CVE-2018-1275 | High | The Spring Framework version bundled by JFrog is 4.1.8, which falls in the vulnerable (unsupported) range. However, Artifactory does not implement a STOMP broker, so it is not exposed to this vulnerability.
CVE-2018-8589 | Medium | JFrog is not responsible for vulnerabilities in the Windows operating system. Anyone running an on-premises environment should keep the Windows operating system up to date.
CVE-2018-11776 | High | Does not affect Artifactory, since JFrog does not use Apache Struts.
CVE-2018-5925, CVE-2018-5924 | High | Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog.
CVE-2018-5382 | High | Does not affect Artifactory, since JFrog does not use the BKS-V1 keystore.
CVE-2018-1260 | High | Does not affect Artifactory, since JFrog does not use Spring Security OAuth.
CVE-2018-1259 | High | Does not affect Artifactory, since JFrog does not use Spring Data Commons.
CVE-2017-5664 | High | Does not affect Artifactory, since the readOnly property of the DefaultServlet is "true" (readOnly=true) in the bundled configuration. As the CVE states, a deployment is only vulnerable "...if the DefaultServlet is configured to permit writes...".
CVE-2017-5648 | Critical | Does not affect Artifactory, since the tomcat/webapps folder of the bundled Tomcat distribution contains only the Artifactory WAR and the Access WAR.
CVE-2017-5647 | High | Does not affect Artifactory, since the issue relates only to the "Send File" service, which Artifactory does not use.
CVE-2017-5638 | Critical | Artifactory is not affected by the Apache Struts 2 vulnerability.
CVE-2014-0097 | High | For LDAP authentication, Artifactory strictly uses the ArtifactoryLdapAuthenticationProvider class, which uses ArtifactoryLdapAuthenticator wrapping ArtifactoryBindAuthenticator. The latter class performs the actual authentication and does check for empty passwords. Artifactory does not use any other LDAP provider, such as ActiveDirectoryLdapAuthenticationProvider. The referenced issue concerns an older class name, ActiveDirectoryLdapAuthenticator, that is part of neither Spring Security nor Artifactory.
CVE-2008-4108 | High | Does not affect Artifactory, since Artifactory does not require Python to be installed; the CVE is not relevant to JFrog.
CVE-2005-2541 | High | Does not affect Artifactory, since Artifactory uses Tar 1.30.1.
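The CVE-2014-0097 row above hinges on one check: rejecting an empty password before the LDAP bind is attempted. RFC 4513 (section 5.1.2) calls a simple bind that names a DN but sends a zero-length password an "unauthenticated" bind; it establishes an anonymous session and some directories (Active Directory in its default configuration) answer it with success, so an authenticator that treats "bind succeeded" as "password verified" lets anyone log in as any user with an empty password. The Go program below is an added example, not Artifactory or Spring Security code: the `directory` type is a constructed stand-in for a server with that bind behaviour, and the two authenticators show the vulnerable pattern beside the guarded one. The DN and password are constructed sample data.

```go
package main

import "fmt"

// directory is a constructed stand-in for an LDAP server's simple-bind
// semantics, mapping a DN to its password. As with directories that accept
// the RFC 4513 §5.1.2 "unauthenticated" bind, a bind that names a DN but
// supplies an empty password succeeds without checking any credential.
type directory map[string]string

func (d directory) bind(dn, password string) bool {
	if password == "" {
		return true // unauthenticated bind: succeeds, but proves nothing
	}
	stored, ok := d[dn]
	return ok && stored == password
}

// authenticateTrustingBind is the CVE-2014-0097 pattern: bind success is
// taken as proof that the caller knows the user's password.
func authenticateTrustingBind(d directory, dn, password string) bool {
	return d.bind(dn, password)
}

// authenticateRejectingEmpty refuses an empty password before any bind is
// attempted, which is the check the page attributes to
// ArtifactoryBindAuthenticator. Only this path is safe to use for login.
func authenticateRejectingEmpty(d directory, dn, password string) bool {
	if password == "" {
		return false
	}
	return d.bind(dn, password)
}

// sampleDirectory holds constructed data for the demonstration.
var sampleDirectory = directory{
	"uid=alice,ou=people,dc=example,dc=com": "correct horse battery staple",
}

func main() {
	alice := "uid=alice,ou=people,dc=example,dc=com"
	for _, pw := range []string{"", "wrong", "correct horse battery staple"} {
		fmt.Printf("password %-30q trusting-bind=%-5t rejecting-empty=%t\n", pw,
			authenticateTrustingBind(sampleDirectory, alice, pw),
			authenticateRejectingEmpty(sampleDirectory, alice, pw))
	}
}
```

With an empty password the trusting authenticator returns true for alice, and for any DN at all, while the guarded one returns false; both agree on wrong and correct passwords. Disabling unauthenticated binds on the directory side is the complementary control, but the application-side check is the one that does not depend on someone else's server configuration.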

Insight

CVEs Impacting Insight

The following is a list of CVEs that were discovered to impact Insight and were fixed.

CVE | Severity | Insight Fix Version | Fix Description
CVE-2022-31692 | Critical | 1.13 | Upgraded spring-security-web to version 5.7.5 and spring-boot to version 2.7.5.
CVE-2022-23181 | High | 1.7.0 | Upgraded tomcat-embed-core to version 9.0.58.
CVE-2021-22060 | Medium | 1.6.0 | Upgraded spring-web to version 5.3.14.
CVE-2021-42550 | Medium | 1.5.0 | Upgraded logback to version 1.2.9.
CVE-2021-22096 | Medium | 1.4.0 | Upgraded spring-web to version 5.3.12.

CVEs Not Impacting Insight

CVE | Severity | Reason
CVE-2019-13990 | High | Upgraded quartz-scheduler to version 2.3.2.
CVE-2022-25857 | High | Upgraded SnakeYAML from version 1.30 to version 1.31.
CVE-2022-31197 | High | Upgraded the PostgreSQL JDBC Driver (pgjdbc) from version 42.3.3 to version 42.4.1.
CVE-2022-23708 | Medium | Upgraded Elasticsearch from version 7.16.3 to version 7.17.1.
CVE-2021-31684 | High | Upgraded json-smart to version 1.3.3.
CVE-2021-21290 | Medium | Upgraded netty-codec-http from 4.1.53.Final to 4.1.59.Final.
CVE-2022-22970 | Medium | Upgraded spring-boot from version 2.6.7 to version 2.7.0.
CVE-2022-22968 | High | Upgraded spring-boot from version 2.6.6 to version 2.6.7.
CVE-2020-36518 | High | Upgraded jackson-databind to version 2.13.2.1.
CVE-2022-22965 | Critical | Upgraded spring-boot from version 2.6.2 to version 2.6.6.
CVE-2022-21724 | Critical | Upgraded pgjdbc, the official PostgreSQL JDBC Driver, to version 42.2.25.
CVE-2021-22569 | High | Upgraded the protobuf-java component to version 3.19.2.
CVE-2020-25649 | High | The Search Guard TLS Tool that uses this library is only run locally by system administrators to generate TLS certificates during installation. It therefore only processes trusted data and is not affected by this vulnerability.

Distribution

CVEs Not Impacting Distribution

The following is a list of CVEs that do not impact Distribution.

CVE | Severity | Reason
CVE-2022-22978 | High | Upgraded spring-security-web to version 5.7.0.
CVE-2022-22968 | Medium | Upgraded spring-context to version 5.3.21.
CVE-2022-22970 | Medium | Upgraded spring-beans to version 5.3.21.
CVE-2021-21309 | Critical | Does not affect Distribution, since Distribution uses 64-bit Redis and the issue only affects a 32-bit system or a 32-bit Redis executable running on a 64-bit system.
CVE-2022-24785 | High | Moment.js is a JavaScript date library for parsing, validating, manipulating and formatting dates. A path traversal vulnerability affects npm (server-side) users of Moment.js versions 1.0.1 through 2.29.1, in particular when a user-provided locale string is passed directly to switch the moment locale. The problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
CVE-2022-21724 | Medium | Upgraded pgjdbc, the official PostgreSQL JDBC Driver, to version 42.2.25.
CVE-2021-42550 | Medium | Upgraded logback to version 1.2.9.
CVE-2022-24823 | Medium | Does not affect Distribution, since the vulnerability only impacts applications running on Java version 6 and lower.

Mission Control

CVEs Not Impacting Mission Control

CVE | Severity | Reason
CVE-2021-37136 | High | Fixed in version 4.7.15.
CVE-2021-22149 | High | Upgraded Elasticsearch to 7.14.0.
CVE-2021-22148 | High | Upgraded Elasticsearch to 7.14.0.
CVE-2021-22147 | Medium | Upgraded Elasticsearch to 7.14.0.
CVE-2021-31684 | High | Upgraded Apache HttpClient to version 4.5.13.
CVE-2021-22112 | High | Upgraded spring-security-web to version 5.4.4.
CVE-2020-13956 | Medium | Upgraded json-smart to version 2.4.7.
CVE-2021-35517 | High | Upgraded commons-compress to version 1.21.
CVE-2021-27568 | Critical | Upgraded json-smart to version 2.4.7.
CVE-2020-28052 | High | Upgraded Bouncy Castle (bc-java) to version 1.67.
CVE-2020-8908 | Low | Does not affect Mission Control, since JFrog does not use the com.google.common.io.Files.createTempDir() function.

Vulnerabilities Without a CVE Impacting Mission Control

The following is a list of vulnerabilities that do not have a CVE that impacted Mission Control and have been fixed. 

Fix Description | Severity | Mission Control Fix Version
Updated netty-codec to version 4.1.66.Final. | Critical | 4.7.11

Vulnerabilities Without a CVE Not Impacting Mission Control

The following is a list of vulnerabilities that do not have a CVE and that do not impact Mission Control.

Description | Severity | Reason
Flyway insecure logging local password disclosure (org.flywaydb:flyway-core / 4.2.0) | High | "Not Affected" third-party package: the default log level is set to WARN.

Pipelines

CVEs Impacting Pipelines

CVE | Severity | Pipelines Fix Version | Reason
CVE-2022-24921 | High | 1.27.0 | A user can cause stack exhaustion using the JFrog CLI in a step, but this would merely cause the step to fail.
CVE-2022-30634 | High | 1.27.0 | The JFrog CLI prevents the user from passing a buffer that exceeds the maximum size.
CVE-2022-0235 | Medium | 1.24.0 | Removed the node-fetch dependency.

CVEs Not Impacting Pipelines

The following is a list of CVEs that do not impact Pipelines.

CVE | Severity | Reason
CVE-2022-32212 | High | Upgraded Node.js to version 16.16.0.
CVE-2022-32213 | Critical | Upgraded Node.js to version 16.16.0.
CVE-2022-32214 | Critical | Upgraded Node.js to version 16.16.0.
CVE-2022-32215 | Critical | Upgraded Node.js to version 16.16.0.
CVE-2022-32223 | High | Upgraded Node.js to version 16.16.0.
CVE-2021-23343 | High | Does not affect Pipelines, since path-parse is not used by Pipelines.
CVE-2021-3918 | Critical | Does not affect Pipelines. Although the vulnerable library json-schema is a sub-dependency of request@2.88.2, the vulnerable validate function is not called from request.
CVE-2021-23358 | High | Does not affect Pipelines, since underscore@1.4.4 is a submodule of ssh-keygen and Pipelines does not call the vulnerable template function.
CVE-2022-25648 | High | Does not affect Pipelines, since the core services control which commands are passed to the git command.

Vulnerabilities Without a CVE Not Impacting Pipelines

The following is a list of vulnerabilities that do not have a CVE and that do not impact Pipelines

Description | Severity | Pipelines Fix Version | Reason
Prevented remove-markdown ReDoS | Medium | 1.23.2 | The ReDoS-vulnerable code now runs with a timeout.
Prototype pollution flaw in clean-css 4.2.4 | High | 1.20.2 | Does not affect Pipelines, since clean-css@4.2.4 is a submodule of mjml and Pipelines does not call the vulnerable template function.
Prototype pollution flaw in node-forge 0.10.0 | Critical | (none listed) | Does not affect Pipelines, since neither Pipelines nor win-ca calls the vulnerable debug function.


Frontend

Vulnerabilities Without a CVE Not Impacting Frontend

The following is a list of vulnerabilities that do not have a CVE and that do not impact Frontend

Description | Severity | Reason
Prototype pollution flaw in node-forge 0.10.0 | Critical | Does not affect Frontend, since neither Frontend nor selfsigned calls the vulnerable debug function.

Xray

CVEs Impacting Xray

The following is a list of CVEs that were discovered to impact Xray and were fixed.

CVE | Severity | Xray Fix Version | Fix Description
CVE-2022-31030 | Medium | 3.60.2 | Upgraded github.com/containerd/containerd to version 1.5.13.
CVE-2022-28948 | High | 3.60.2 | Upgraded gopkg.in/yaml.v3 from 3.0.0-20200313102051 to 3.0.1.
CVE-2022-27664 | High | 3.60.2, 3.61.5 | Upgraded golang.org/x/net from v0.0.0-20220722155237 to v0.1.0; upgraded golang.org/x/sys from v0.0.0-20220722155237 to v0.1.0; upgraded golang.org/x/text from v0.3.7 to v0.4.0.
CVE-2022-32149 | High | 3.60.2 | Upgraded golang.org/x/text from 0.3.7 to 0.3.8.
CVE-2022-32189 | High | 3.59.4 | Upgraded Go to version 1.18.5.
CVE-2021-38197 | Critical | 3.57.6 | Upgraded the go-unarr library to version v0.1.4.
CVE-2022-29526 | Medium | 3.55.2 | Upgraded Go to version 1.18.4.
CVE-2022-30634 | High | 3.55.2 | Upgraded Go to version 1.18.4.
CVE-2022-30632 | High | 3.55.2 | Upgraded Go to version 1.18.4.
CVE-2022-30630 | High | 3.55.2 | Upgraded Go to version 1.18.4.
CVE-2022-30631 | High | 3.55.2 | Upgraded Go to version 1.18.4.
CVE-2022-24769 | Medium | 3.54.5 | Upgraded containerd to version 1.5.11.
CVE-2022-29526 | Medium | 3.54.5 | Upgraded Go to version 1.17.11.
CVE-2022-23806 | Critical | 3.50.3 | Upgraded the JFrog router to version 7.39.0.
CVE-2022-27191 | High | 3.49.0 | Upgraded golang.org/x/crypto to v0.0.0-20220314234659-1baeb1ce4c0.
CVE-2022-24675 | High | 3.48.2 | Upgraded Go to version 1.17.9.
CVE-2022-24921 | High | 3.48.2 | Upgraded Go to version 1.17.9.
CVE-2021-43816 | Critical | 3.42.3 | Upgraded containerd to version 1.5.9.
CVE-2021-44717 | Medium | 3.41.4 | Upgraded Go to version 1.17.5.
CVE-2021-44716 | High | 3.41.4 | Upgraded Go to version 1.17.5.
CVE-2021-41771 | High | 3.38.1 | Upgraded Go to version 1.17.3.
CVE-2021-33196 | High | 3.34.1 | Upgraded Go to versions 1.15.13 and 1.16.5.

Copyright © 2022 JFrog Ltd.