CVEs Not Impacting Artifactory

The following is a list of CVEs that do not impact Artifactory.

CVE	Severity	Artifactory Fix Version	Reason
CVE-2023-31484	High	7.111.4	Does not affect Artifactory, since it only affects `Postgres`.
CVE-2025-22871	Medium		Artifactory is not affected because the vulnerable function ListenAndServe is never called.
CVE-2025-24813	Medium	7.110.1	Artifactory is not affected as it does not enable the Default Servlet.
CVE-2024-21208 CVE-2024-21210 CVE-2024-21211 CVE-2024-21217 CVE-2024-21235	Medium		Affected flow which includes loading data from external sources on runtime such as such as Java Applets or Web Start are not used in JFrog products.
CVE-2024-54677	Medium		Affected system property sun.io.useCanonCachesis needs to be set to true for Artifactory to be affected. The value of this property is set to false by default and not changed by JFrog.
CVE-2024-56337	High		Default servlet does not have a param-name named readonly set to false, which would be required for Artifactory to be affected.
CVE-2024-50379	High		Webapps/examples is not part of Artifactory deployment.
CVE-2021-38297 CVE-2022-23806 CVE-2023-24538 CVE-2023-24540 CVE-2023-29402 CVE-2023-29404 CVE-2023-29405 CVE-2024-24790 CVE-2025-21613	Critical	7.104.2	The Evidence service, which was not yet available to users, contained Go language vulnerabilities in the 7.98 release.
CVE-2023-23914 CVE-2021-27645 CVE-2021-33574	Normal / High	7.102.0	CVE exists in the Docker image and doesn't affect Artifactory.
CVE-2023-39332	Critical	7.102.0	Flag required to leverage vulnerability (--experimental-permission) is not used the JFrog Platform.
CVE-2024-3651	High	7.102.0	Does not affect Artifactory, since it only affects `Postgres`.
CVE-2024-52318	Medium	7.98.10	Does not affect Artifactory because as JakartaServer Pages is not used.
CVE-2024-52316	High	7.98.10	Does not affect Artifactory as the vulnerable components including Jakarta Authentication or any ServerAuthContext components are not used in its its authentication flow.
CVE-2024-47554	High	7.99.1	Does not affect Artifactory as the vulnerable `commons` functionality is not in use.
CVE-2023-39325 CVE-2023-5156 CVE-2023-29409 CVE-2023-27536	Medium / High	7.99.1	CVE exists in the Docker image and doesn't affect Artifactory.
CVE-2024-45410	Medium	7.90.13	The component using this functionality already forward those HTTP headers by design, hence this vulnerability didn't introduce any new behavior.
CVE-2021-28168 CVE-2020-36518 CVE-2021-46877 CVE-2022-2048 CVE-2022-42003 CVE-2022-42004 CVE-2023-36478 CVE-2023-44487	High	7.95.0	Does not affect Artifactory as the vulnerable functionality is not in use.
CVE-2024-39321	High	7.92.0	Does not affect Artifactory is as it doesn't make use of the traefik IP filtering feature.
CVE-2023-44487	Critical	7.90.5	Does not affect Artifactory as it only affects `libnghttp`
CVE-2023-29402	Critical	7.90.5	Does not affect Artifactory as it only affects `golang`
CVE-2023-4016	High	7.90.5	Does not affect Artifactory as it only affects `go-pkgs`
CVE-2023-32665	High	7.90.5	Does not affect Artifactory as it only affects `gLib`
CVE-2023-32611	High	7.90.5	Does not affect Artifactory as it only affects `gLib`
CVE-2023-29499	High	7.90.5	Does not affect Artifactory as it only affects `gLib`
CVE-2023-29469	High	7.90.5	Does not affect Artifactory as it only affects `libxml2`
CVE-2023-2602	High	7.90.5	Does not affect Artifactory as it only affects `libxml2`
CVE-2021-38561	High	7.90.5	Does not affect Artifactory as it only affects `golang`
CVE-2020-7919	High	7.90.5	Does not affect Artifactory as it only affects `golang`
CVE-2019-11254	High	7.90.5	Does not affect Artifactory as it only affects `gopkg`
CVE-2018-1099	High	7.90.5	Does not affect Artifactory as it only affects `gopkg`
CVE-2023-39325	High	7.90.5	Does not affect Artifactory as it only affects `golang`
CVE-2023-24539	High	7.90.5	Does not affect Artifactory as it only affects `golang`
CVE-2023-29400	High	7.90.5	Does not affect Artifactory as it only affects `golang`
CVE-2024-34750	High	7.91.1	Does not impact Artifactory, as Artifactory does not use the vulnerable `Apache Tomcat` configuration.
CVE-2024-29857	Medium	N/A	Does not affect Artifactory, as Artifactory does not use the `Bouncy Castle Java` project in a vulnerable way.
CVE-2020-1712	High	7.86.0	The CVE is present only in the docker image and does not affect Artifactory.
CVE-2024-1459	High	7.86.0	Does not affect Artifactory, as it only affects `undertow-core`.
CVE-2024-28849	Medium	7.86.0	Does not affect Artifactory, as it only affects `Axios`.
CVE-2022-1471	Critical	7.84.3	Does not affect Artifactory, as the Artifactory usage of `snakeyaml` is not exploitable.
CVE-2024-26308	High	7.83.1	Upgraded `Apache commons` to version 9.0.87.
CVE-2023-4586	High	7.81.1	Does not affect Artifactory, as it only affects `netty-handler`.
CVE-2023-2976	Medium	7.81.1	Does not affect Artifactory, as it only affects `guava`.
CVE-2024-21626	High	7.80.0	Does not affect Artifactory, as it only affects `runc`.
CVE-2023-39325 CVE-2023-44487	High	7.79.2	Does not affect Artifactory, as it only affects `golang`.
CVE-2023-24539 CVE-2023-29400	High	7.79.2	Does not affect Artifactory, as it only affects `golang`.
CVE-2023-39323	Critical	7.76.0	Does not affect Artifactory, as it only affects `golang`.
CVE-2023-6378	High	7.76.0	Does not affect Artifactory, as it only affects `logback-classic`.
CVE-2023-44487	High	7.76.0	Does not affect Artifactory, as it only affects `golang`.
CVE-2023-45857	Medium	7.75.0	Does not affect Artifactory, as in the location where a vulnerable version of the `Axios` package is used, the vulnerability relates to a cookie but the communication is server-to-server (which doesn't use cookies).
CVE-2023-39325	High	7.71.5	Does not affect Artifactory, as it only affects `go`.
CVE-2023-24540	Critical	7.71.2	Does not affect Artifactory, as it only affects `go`.
CVE-2023-4759	High	7.71.2	Does not affect Artifactory, as it only affects `jgit`.
CVE-2023-2253	High	7.71.2	Does not affect Artifactory, as it only affects `distribution`.
CVE-2023-24540	Critical	7.70.2	Does not affect Artifactory, as it only affects `Golang`.
CVE-2023-41080	High	7.68.11	Does not affect Artifactory, as it only affects `Apache Tomcat`.
CVE-2023-29403	High	7.68.6	Does not affect Artifactory, since it only affects `yq`.
CVE-2022-4450 CVE-2023-0215	High	7.68.6	Does not affect Artifactory, since it only affects `openssl-libs`.
CVE-2023-34035	High	7.68.6	Does not affect Artifactory, since it only affects `spring-security-config`.
CVE-2023-2976	Medium	7.68.6	Does not affect Artifactory, since it only affects `guava`.
CVE-2023-26136	Critical	7.66.3	Does not affect Artifactory, since it only affects `tough-cookie`.
CVE-2023-29404	Critical	7.66.3	Does not affect Artifactory, since it only affects `golang`.
CVE-2023-2976	High	7.66.3	Does not affect Artifactory, since it only affects `guava`.
CVE-2023-35116	High	7.66.3	Does not affect Artifactory, since it only affects `jackson-databind`.
CVE-2023-32731 CVE-2023-1428 CVE-2023-32732	High	7.66.3	Does not affect Artifactory, since it only affects `grpc`.
CVE-2023-26115	Medium	7.66.3	Does not affect Artifactory, since it only affects `word-wrap`.
CVE-2022-25883	Medium	7.66.3	Does not affect Artifactory, since it only affects `semver`.
CVE-2023-24539	Medium	7.66.3	Does not affect Artifactory, since it only affects `go`.
CVE-2023-29401	Medium	7.66.3	Does not affect Artifactory, since it only affects `gin-gonic`.
CVE-2023-29404	Critical	7.65.3	Does not affect Artifactory, since it only affects `golang`.
CVE-2016-2510	High	7.65.3	Does not affect Artifactory, since it only affects `beanshell`.
CVE-2023-26048	Medium	7.65.3	Does not affect Artifactory, since it only affects `jetty-server`.
CVE-2023-1732	Medium	7.65.3	Does not affect Artifactory, since it only affects `circl`.
CVE-2023-34462	Medium	7.65.3	Does not affect Artifactory, since it only affects `netty-handler`.
CVE-2023-2976	Medium	7.65.3	Does not affect Artifactory, since it only affects `guava`.
CVE-2022-25883	Medium	7.65.3	Does not affect Artifactory, since it only affects `semver`.
CVE-2023-29404	Critical	7.64.4	Does not impact Artifactory, since it only affects `golang`.
CVE-2023-29400	High	7.64.4	Does not impact Artifactory, since it only affects `golang`.
CVE-2023-1732	Medium	7.64.4	Does not impact Artifactory, since it only affects `circl`.
CVE-2023-2976	Medium	7.64.4	Does not impact Artifactory, since it only affects `guava`.
CVE-2022-25883	Medium	7.64.4	Does not impact Artifactory, since it only affects `semver`.
CVE-2023-28709	High	7.63.5	Does not affect Artifactory, since it only impacts `Apache Tomcat`.
CVE-2023-20863	High	7.61.3	Does not affect Artifactory, since it only impacts `spring-core`.
CVE-2022-41722	High	7.61.3	Does not affect Artifactory, since it only impacts `golangci-lint`.
CVE-2023-27561	High	7.61.3	Does not affect Artifactory, since it only impacts `runc`.
CVE-2023-0286	High	7.61.3	Does not affect Artifactory, since it only impacts `openssl-libs`.
CVE-2022-25857 CVE-2022-41854	High	7.61.3	Does not affect Artifactory, since it only impacts `snakeyaml`.
CVE-2023-28708	High	7.61.3	Does not affect Artifactory, since it only impacts `apache tomcat`.
CVE-2023-28642 CVE-2023-25809	Medium	7.61.3	Does not affect Artifactory, since it only impacts `runc`.
CVE-2023-28842 CVE-2023-28840	Medium	7.61.3	Does not affect Artifactory, since it only impacts `docker`.
CVE-2023-26125	Medium	7.61.3	Does not affect Artifactory, since it only impacts `gin-gonic`.
CVE-2023-0845	Medium	7.61.3	Does not affect Artifactory, since it only impacts `hashicorp`.
CVE-2023-1370	High	7.59.5	Does not affect Artifactory, since it only affects `json-smart`.
CVE-2022-41722 CVE-2022-41725 CVE-2022-41724	High	7.59.5	Does not affect Artifactory, since it only affects `Golang`.
CVE-2022-41723	High	7.59.5	Does not affect Artifactory, since it only affects `Golang`.
CVE-2022-25857	High	7.58.5	Doesn't impact Artifactory, since it only affects `SnakeYAML`.
CVE-2022-41723	High	7.58.1	Doesn't impact Artifactory, since it only affects `Golang`.
CVE-2022-43551	High	7.58.1	Doesn't impact Artifactory, since it only affects `curl`.
CVE-2022-41717	Medium	7.58.1	Doesn't impact Artifactory, since it only affects `yq`.
CVE-2022-41722	High	7.58.0	Doesn't affect Artifactory, since it only affects `Golang`.
CVE-2022-41720	High	7.58.0	Doesn't affect Artifactory, since it only affects `Golang`.
CVE-2022-41716	High	7.58.0	Doesn't affect Artifactory, since it only affects `Golang`.
CVE-2022-2526	High	7.58.0	Doesn't affect Artifactory, since it only affects `systemd-libs`.
CVE-2017-1000487	Critical	7.57.1	Does not affect Artifactory, since it only affects `plexus-utils`.
CVE-2023-25173	Medium	7.57.1	Does not affect Artifactory, since it only affects `containerd`.
CVE-2022-41716	High	7.56.2	Does not affect Artifactory, since it only affects `Golang`.
CVE-2022-38900	High	7.56.2	Does not affect Artifactory, since it only affects `decode-uri-components`.
CVE-2022-41720	High	7.56.2	Does not affect Artifactory, since it only affects `Golang`.
CVE-2022-23471	Medium	7.56.2	Does not affect Artifactory, since it only affects `containerd`.
CVE-2022-45143	High	7.55.1	Does not affect Artifactory, since it only affects `Apache Tomcat`.
CVE-2022-42916	High	7.55.1	Does not affect Artifactory, since it only affects `curl`.
CVE-2022-27664	High	7.55.1	Does not affect Artifactory, since it only affects `Golang`.
CVE-2022-41716 CVE-2022-41715 CVE-2022-2880 CVE-2022-2879	High	7.55.1	Does not affect Artifactory, since it only affects `Go`.
CVE-2022-42004	High	7.55.1	Does not affect Artifactory, since it only affects `jackson-databind`.
CVE-2022-42003	High	7.55.1	Does not affect Artifactory, since it only affects `jackson-databind`.
CVE-2022-25857	High	7.55.1	Does not affect Artifactory, since it only affects `SnakeYAML`.
CVE-2022-3171	High	7.55.1	Does not affect Artifactory, since it only affects `protobuf-java`.
CVE-2022-41720	High	7.55.1	Does not affect Artifactory, since it only affects `Go`.
CVE-2022-46175	High	7.55.1	Does not affect Artifactory, since it only affects `JSON5`.
CVE-2021-26291	Critical	7.53.1	Does not affect Artifactory, since it only affects `Apache Maven`.
CVE-2022-42898	High	7.53.1	Does not affect Artifactory, since it only affects `krb5-libs`.
CVE-2022-32149	High	7.53.1	Does not affect Artifactory, since it only affects `Golang`.
CVE-2022-23539 CVE-2022-23529	High	7.53.1	Does not affect Artifactory, since it only affects `jsonwebtoken`.
CVE-2022-4065	High	7.53.1	Does not affect Artifactory, since it only affects `testng`.
CVE-2022-41716	High	7.53.1	Does not affect Artifactory, since it only affects `Golang`.
CVE-2022-27664	High	7.53.1	Does not affect Artifactory, since it only affects `Golang`.
CVE-2022-31030	Medium	7.53.1	Does not affect Artifactory, since it only affects `Containerd`.
CVE-2022-41854	Medium	7.53.1	Does not affect Artifactory, since it only affects `SnakeYAML`.
CVE-2022-45047	Critical	7.52.0	Does not affect Artifactory, since it only affects `Apache MINA SSHD`.
CVE-2022-25857 CVE-2022-1471	High	7.52.0	Does not affect Artifactory, since it only affects `SnakeYAML`.
CVE-2022-1552	High	7.52.0	Does not affect Artifactory, since it only affects `Postgres`.
CVE-2022-27664	High	7.52.0	Does not affect Artifactory, since it only affects `Golang`.
CVE-2022-41720	High	7.52.0	Does not affect Artifactory, since it only affects `Golang`.
CVE-2022-28948	High	7.52.0	Does not affect Artifactory, since it only affects `Go-yaml`.
CVE-2021-33194	High	7.52.0	Does not affect Artifactory, since it only affects `golang.org/x/net`.
CVE-2022-39271 GHSA-c6hx-pjc3-7fqr	High	7.52.0	Does not affect Artifactory, since it only affects `traefik`.
CVE-2022-31159	High	7.52.0	Does not affect Artifactory, since it only affects `aws-java-sdk`.
CVE-2022-40716	Medium	7.52.0	Does not affect Artifactory, since it only affects `hashicorp`.
CVE-2022-41915	Medium	7.52.0	Does not affect Artifactory, since it only affects `Netty`.
CVE-2022-38749	Medium	7.52.0	Does not affect Artifactory, since it only affects `SnakeYAML` and `common`.
CVE-2022-32190	Critical	7.50.3	Does not affect Artifactory, since it only affects `Go`
CVE-2022-37866	High	7.50.3	Doesn't affect Artifactory, since it only affects `org.apache.ivy:ivy`.
CVE-2022-31197	High	7.50.3	Doesn't affect Artifactory, since it only affects `org.postgresql:postgresql`.
CVE-2016-5425 CVE-2016-6325	High	7.50.3	Doesn't affect Artifactory, since it only affects `tomcat-jdbc`.
CVE-2022-42003 CVE-2022-42004	High	7.49.3	Doesn't affect Artifactory, since it only affects `java commons`.
CVE-2022-25857	High	7.49.3	Does not affect Artifactory, since it only affects Upgraded `snakeyaml`
CVE-2022-40151	High	7.49.3	Does not affect Artifactory, since it only affects `woodstox-core`
CVE-2022-32149	High	7.49.3	Does not affect Artifactory, since it only affects `golang`
CVE-2022-27664	High	7.49.3	Does not affect Artifactory, since it only affects `Go`
GHSA-3mc7-4q67-w48m GHSA-98wm-3w3q-mw94 GHSA-9w3m-gqgf-c4p9 GHSA-c4r9-r8fh-9vj2 GHSA-hhhw-99gj-p3c3	High	7.49.3	Does not affect Artifactory, since it only affects `snakeyaml`
CVE-2022-3171	High	7.49.3	Does not affect Artifactory, since it only affects `protobuf-java`
CVE-2022-42003 CVE-2022-42004 GHSA-jjjh-jjxp-wpff GHSA-rgv9-q543-rqg4	High	7.49.3	Does not affect Artifactory, since it only affects `jackson-databind`
CVE-2022-29526	Medium	7.49.3	Does not affect Artifactory, since it only affects `yq`
CVE-2022-3171	Medium	7.49.3	Does not affect Artifactory, since it only affects `io.grpc::grpc-*`
CVE-2022-36033	Medium	7.49.3	Does not affect Artifactory, since it only affects `jsoup`
CVE-2022-38752	Medium	7.49.3	Does not affect Artifactory, since it only affects `commons`
CVE-2022-1348	Medium	7.49.3	Does not affect Artifactory, since it only affects `logrotate`
CVE-2019-20444 CVE-2019-20445 CVE-2019-16869	Critical	7.47.7	Does not affect Artifactory, since it only affects`software.amazon.awssdk:licensemanager`.
CVE-2021-26291	Critical	7.47.7	Does not affect Artifactory, since it only affects `org.apache.maven.maven-project`.
CVE-2022-1962 CVE-2022-28131 CVE-2022-30633 CVE-2022-30635	Critical	7.47.7	Does not affect Artifactory, since it only affects `snakeyaml`.
CVE-2021-44906	High	7.47.7	Does not affect Artifactory, since it only affects `grpc-tools`.
CVE-2021-3807	High	7.47.7	Does not affect Artifactory, since it only affects `grpc-tools and` `grpc_tools_node_protoc_ts`.
CVE-2022-25857	High	7.47.7	Does not affect Artifactory, since it only affects `snakeyaml`.
CVE-2022-22970	High	7.46.3	Does not affect Artifactory, since it only affects `org.springframework:spring-beans`.
CVE-2022-24823	Medium	7.47.7	Does not affect Artifactory, since it only affects `io.netty`.
CVE-2020-7789	Medium	7.47.7	Does not affect Artifactory, since it only affects `grpc-tools and` `grpc_tools_node_protoc_ts`.
CVE-2022-0235	Medium	7.47.7	Does not affect Artifactory, since it only affects `grpc-tools` and `grpc_tools_node_protoc_ts`.
CVE-2022-30187	Medium	7.47.7	Does not affect Artifactory, since it only affects`azure-storage-blob` `andv azure-core-http-okhttp`.
CVE-2020-7608	Medium	7.47.7	Does not affect Artifactory, since it only affects grpc-tools and `grpc_tools_node_protoc_ts`.
CVE-2022-25878	Medium	7.47.7	`Does not affect Artifactory, since it only affects grpc-tools` and `grpc_tools_node_protoc_ts`.
CVE-2022-27191	Medium	7.47.7	Does not affect Artifactory, since it only affects `grpc-tools` and `http://grpc_tools_node_protoc_ts.golang.org/x/crypt`.
CVE-2022-27191	Medium	7.46.3	Does not affect Artifactory, since it only affects `golang.org/x/crypto/ssh` .
CVE-2022-31030	Medium	7.46.3	Does not affect Artifactory, since it only affects `containerd.`
CVE-2022-22968	Medium	7.46.3	Does not affect Artifactory, since it only affects `org.springframework:spring-context.`
CVE-2022-31197	Medium	7.46.3	Does not affect Artifactory, since it only affects `org.postgresql:postgresql.`
CVE-2021-37136 CVE-2021-37137	Critical	7.46.3	Does not affect Artifactory, since it only affects `io.netty:netty-codec:4.1.63.`
CVE-2020-36518	High	7.46.3	Does not affect Artifactory, since it only affects `jackson-databind.`
CVE-2022-22963	Critical	7.46.3	Does not affect Artifactory, since it only affects `spring-core`5.3.18.
CVE-2022-2048	High	7.46.3	Does not affect Artifactory, since it only affects `org.eclipse.jetty.`
CVE-2022-31159	High	7.46.3	Does not affect Artifactory, since it only affects `aws-java-sdk.`
CVE-2021-3807	High	7.46.3	Does not affect Artifactory, since it only affects `jest-junit`and`ansi-regex.`
CVE-2020-28469	High	7.46.3	Does not affect Artifactory, since it only affects `glob-parent.`
CVE-2021-20066	Medium	7.46.3	Does not affect Artifactory, since it only affects `jest.`
CVE-2022-0235	Medium	7.46.3	Does not affect Artifactory, since it only affects `grpc-tools.`
CVE-2020-7608	Medium	7.46.3	Does not affect Artifactory, since it only affects `yargs` and `yargs-parser.`
CVE-2022-22950	Medium	7.46.3	Does not affect Artifactory, since it only affects `org.springframework:spring-expression`.
CVE-2021-22096 CVE-2021-22060	Medium	7.46.3	Does not affect Artifactory, since it only affects `org.spring framework:spring-core.`
CVE-2022-24823	Medium	7.46.3	Does not affect Artifactory, since it only affectsio.netty:netty-common.
CVE-2018-25031 CVE-2021-46708	Medium	7.46.3	Does not affect Artifactory, since it only affects `com.github.tomakehurst:wiremock-jre8.`
CVE-2021-43797	Medium	7.46.3	Does not affect Artifactory, since it only affects `io.netty:netty-codec-http.`
CVE-2022-1962 CVE-2022-28131 CVE-2022-30633 CVE-2022-30635	Critical	7.46.3	Does not affect Artifactory, since it only affects `github.com/golang/go.`
CVE-2022-22971	Critical	7.42.1	Does not affect Artifactory, since it only affects `spring-core.`
CVE-2020-36518	High	7.42.1	Does not affect Artifactory, since it only affects `fasterxml.jackson.version.`
CVE-2020-36518	High	7.41.4	Does not affect Artifactory, since it only affects `jackson-databind.`
CVE-2022-24823	Medium	7.41.4	Does not affect Artifactory, since it only affects `netty-common.`
CVE-2021-3859	High	7.41.4	Does not affect Artifactory, since it only affects `Red Hat` `undertow-core.`
CVE-2022-22963	Critical	7.41.4	Does not affect Artifactory, since it only affects`spring-core.`
CVE-2021-22119	High	7.41.4	Does not affect Artifactory, since it only affects`spring-security-oauth2.`
CVE-2022-23632	Critical	7.39.4	Does not affect Artifactory, since it only affects`Traefik.`
CVE-2022-29153	High	7.39.4	Does not affect Artifactory, since it only affects `consul.`
CVE-2022-24769	Medium	7.39.4	Does not affect Artifactory, since it only affects`containerd.`
CVE-2022-27191	High	7.39.4	Does not affect Artifactory, since it only affects`golang.org/x/crypto/ssh.`
CVE-2022-23648	High	7.39.4	Does not affect Artifactory, since it only affects to `containerd.`
CVE-2022-0536	Medium	7.39.4	Does not affect Artifactory, since it only affects `nodejs` clients's `axios.`
CVE-2021-43797	Medium	7.37.13	Does not affect Artifactory, since it only affects `Netty.`
CVE-2021-3807	High	7.37.13	Does not affect Artifactory, since it only affects `ansi-regex.`
CVE-2022-23806	Critical	7.37.13	Does not affect Artifactory, since it only affects `Curve.IsOnCurve in crypto/elliptic in Go.`
CVE-2021-41090	Medium	7.35.1	Does not affect Artifactory, since it only affects`docker and` `image-spec.`
CVE-2021-22060	Medium	7.34.4	Does not affect Artifactory, since it only affects org.springframework:spring-core:5.3.12.
CVE-2021-42550	Medium	7.31.10	Does not affect Artifactory, since it only affects `logback.xml.`
CVE-2017-9506	Medium	7.31.10	Does not affect Artifactory, since it only affects `IconUriServlet of the Atlasssian OAuth Plugin.`
CVE-2015-2575	Medium	7.31.10	Does not affect Artifactory, since it only affects mysql:mysql-connector-java:8.0.20.
CVE-2021-42340	High	7.31.10	Does not affect Artifactory, since it only affects the Apache Tomcat versions: 9.0.48 and 8.5.73.
CVE-2020-13949	High	7.31.10	Does not affect Artifactory, since it only affects the `jaege`r 1.6.0 which uses `Thrift` 0.14.1.
CVE-2021-35560 CVE-2021-35550 CVE-2021-35556 CVE-2021-35561 CVE-2021-35564 CVE-2021-35565 CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 CVE-2021-35588 CVE-2021-35603	High	7.31.10	Does not affect Artifactory, since they only affect Java.
CVE-2021-36374	Medium	7.31.10	Does not affect Artifactory, since it only affects the`Apache ant-1.9.15.`
CVE-2021-33037	Medium	7.27.3	Does not affect Artifactory, since it only affects the Apache Tomcat.
CVE-2021-22147	High	7.27.3	Does not affect Artifactory, since it only affects the`org.elasticsearch:elasticsearch`.
CVE-2021-22148	High	7.27.3	Does not affect Artifactory, since it only affects the`org.elasticsearch:elasticsearch`.
CVE-2021-22149	High	7.27.3	Does not affect Artifactory, since it only affects the`org.elasticsearch:elasticsearch.`
CVE-2021-30129	High	7.25.4	Does not affect Artifactory, since it only affects the `org.apache.sshd:sshd-core:2.6.0.`
CVE-2017-18640	High	7.25.4	Does not affect Artifactory, since it only affects the `Snakeyaml 1.23 XML Entity Expansion.`
CVE-2021-27568	Critical	7.25.4	Does not affect Artifactory, since it only affects the `json-smart-1.3.1.`
CVE-2021-27568	Critical	7.25.4	Does not affect Artifactory, since it only affects the `json-smart-1.3.1.`
CVE-2021-26291	Normal	7.24.1	Does not affect Artifactory, since it only affects the Maven version 3.8.1.
CVE-2021-13936	High	7.24.1	Does not affect Artifactory, since it only affects the Apache Velocity engine.
CVE-2018-9116	Critical	7.23.3	Does not affect Artifactory, since it only affects `wiremock`.
CVE-2021-29505	Critical	7.21.3	Does not affect Artifactory, since it only affects `XStream`.
CVE-2021-26291	High	7.21.3	Does not affect Artifactory, since it only affects `Apache Tomcat`.
CVE-2021-21290	Medium	7.21.3	Does not affect Artifactory, since it only affects `netty-codec-http:4.1.53.final.`
CVE-2020-17521	Medium	7.21.3	Does not affect Artifactory, since it only affects `org.codehaus.groovy:groovy-all.`
CVE-2021-22112	High	7.17.4	Does not affect Artifactory, since it only affects `Spring Security Web.`
CVE-2019-17571	Medium	7.15.3	Does not affect Artifactory, since it only affects `log4j-to-slf4j` and `log4j-api.`
CVE-2016-10750	High	7.11.1	Does not affect Artifactory, since it only affects `hazelcast-3.6.1.jar`
CVE-2017-7657	Medium	7.11.1	Does not affect Artifactory, since it only affectsO`rg.eclipse.jetty:jetty-http`
CVE-2017-1000487	High	7.11.1	Does not affect Artifactory, since it only affects `Plexus-utils.`
CVE-2020-25649	High	7.11.1	Does not affect Artifactory, since it only affects `fasterxml.jackson.version`.
CVE-2019-17359	High	7.10.5	Does not affect Artifactory, since it only affects `bcprov-jdk15.`
CVE-2020-7226	High	7.10.5	Does not affect Artifactory, since it only affects at `cryptacular-1.1.1.jar.`
CVE-2020-7692	Critical	7.10.2	Does not affect Artifactory, since it only affects `google-oauth-client` library.
CVE-2019-12402	Medium	7.10.1	Does not affect Artifactory, since it only affects `Commons-compress` library.
CVE-2019-12402	Medium	7.10.1	Does not affect Artifactory, since it only affects `Commons-compress` library.
CVE-2020-15586 golang.org/issue/34902	High	7.10.1	Does not affect Artifactory, since it only affects `Go` 1.14.9.
CVE-2019-20104	High	7.10.1	Does not affect Artifactory, since it only affects `Crowd lib`.
CVE-2017-7957	High	7.10.1	Does not affect Artifactory, since it only affects `XStream`.
CVE-2016-3674	High	7.10.1	Does not affect Artifactory, since it only affects `XStream`.
CVE-2013-7285	Critical	7.10.1	Does not affect Artifactory, since it only affects `XStream`.
CVE-2020-8203	High	7.9.0	Does not affect Artifactory, since it only affects lodash.
CVE-2020-1745	Critical	7.9.0	Does not affect Artifactory, since it only affects `io.undertow:undertow-core / 2.0.15.Final.`
CVE-2017-15095	Critical	7.8.1	Does not affect Artifactory, since it only affects `fge:jackson-coreutils:jar`.
CVE-2017-17485	Critical	7.8.1	Does not affect Artifactory, since it only affects `fge:jackson-coreutils:jar`.
CVE-2017-7525	Critical	7.8.1	Does not affect Artifactory, since it only affects `fge:jackson-coreutils:jar`.
CVE-2020-13935	High	7.7.0	Does not affect Artifactory, since it only affects `Apache Tomcat`.
CVE-2020-13934	High	7.7.0	Does not affect Artifactory, since it only affects `Apache Tomcat`.
CVE-2020-11996	High	7.7.0	Does not affect Artifactory, since it only affects `Apache Tomcat`.
CVE-2020-28500 CVE-2020-8203 CVE-2021-23337	Critical	6.23.25	Does not affect Artifactory, since it only affects `npm lodash` library
CVE-2022-46337	High	N/A	Does not affect Artifactory, as it only affects `derby`. While the usage of the vulnerable version of derby is found, it is not exploitable because it requires administrative access to the machine and the attributes in `system.yaml`. Furthermore, the usage of the Derby database isn’t intended for production setups, it is used as a local database mostly for testing and small-scale installations.
CVE-2022-42252	High	N/A	Does not affect Artifactory, since it only affects `Apache Tomcat`.
CVE-2022-30591	High	N/A	JFrog Artifactory is not affected, since it does not use the `quic-go` through 0.27.0.
CVE-2022-42889	Critical	N/A	JFrog Platformis not affected, since it does not use the impacted packages.
CVE-2016-1000027	Critical	N/A	Does not affect Artifactory, since it does not use the impacted `HttpInvokerServiceExporter` component for providing remote access.
CVE-2022-34305	Medium	N/A	Does not affect Artifactory, since it does not use the impacted component that is included in the Apache Tomcat version.
CVE-2022-29885	High	N/A	Does not affect Artifactory, since it does not use the impacted component that is included in the Apache Tomcat version.
CVE-2018-10892	High	N/A	Does not affect Artifactory, since only `Traefik` uses it, and thereby applies only if the Docker Provider is turned on, which is not the case in Artifactory.
CVE-2020-0187	Medium	N/A	Does not affect Artifactory, since it only affects the Android Platform.
CVE-2020-0187	Medium	N/A	Does not affect Artifactory, since it only affects the Android Platform.
N/A	Medium	N/A	Does not affect Artifactory, as it applies only when using Apache Sling which is not the case in Artifactory.
N/A	Medium	N/A	Does not affect Artifactory, since it only affects `SSLServerSocketAppender` and `{{SSLSocketAppender}}`
CVE-2017-7536	High	N/A	Does not affect Artifactory, since Artifactory is not using `org.hibernate_hibernate-validator`.
CVE-2020-9484	High	N/A	Does not affect Artifactory, since the vulnerability is exploitable in case Tomcat is configured with PersistenceManager, which Artifactory does not use.
CVE-2019-11888	High	N/A	This CVE supposedly affects Artifactory 6.x versions. The `golang/go` library is part of the Metadata Service which is not enabled in Artifactory 6.x version.
CVE-2019-14809	High	N/A	This CVE supposedly affects Artifactory 6.x versions. The `golang/go` library is part of the Metadata Service which is not enabled in Artifactory 6.x version.
CVE-2019-0232	High	N/A	The `enableCmdLineArguments` parameter is not enabled in the Apache Tomcat bundled with Artifactory.
CVE-2018-8014	High	N/A	The JFrog Apache Tomcat version is 8.5.32, which is not one of the vulnerable versions.
CVE-2018-1275	High	N/A	The JFrog `Spring Framework` version is 4.1.8, which is vulnerable to the CVE, as the version is unsupported. However, because JFrog does not implement STOMP broker, we are not exposed to this vulnerability
CVE-2018-8589	Medium	N/A	JFrog is not responsible for vulnerabilities in the Windows operating system. Anyone using an on-premises environment should keep the Windows operating system up to date.
CVE-2018-11776	High	N/A	Does not affect Artifactory, since JFrog does not use Apache Struts.
CVE-2018-5925	High	N/A	Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog.
CVE-2018-5924	High	N/A	Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog.
CVE-2018-5382	High	N/A	Does not affect Artifactory, since JFrog does not use `BKS-V1 keystore`.
CVE-2018-1260	High	N/A	Does not affect Artifactory, since JFrog does not use `Spring Security Oauth`.
CVE-2018-1259	High	N/A	Does not affect Artifactory, since JFrog does not use `Spring Data Commons`.
CVE-2017-5664	High	N/A	Does not affect Artifactory, since the default value for the `readOnly` property in the DefaultServlet is "`true" (readOnly=true)` in our environment. As mentioned in the CVE, you are only vulnerable: "...if the DefaultServlet is configured to permit writes..."
CVE-2017-5648	Critical	N/A	Does not affect Artifactory, since the the `tomcat/webapps` folder only contains the Artifactory WAR and the Access WAR files used by the bundled Tomcat distribution.
CVE-2017-5647	High	N/A	Does not affect Artifactory, since the issue refers/relates only to the "Send File" service which is not used by Artifactory.
CVE-2017-5638	Critical	N/A	Artifactory is not affected by the Apache Struts 2 vulnerability.
CVE-2014-0097	High	N/A	For LDAP authentication, Artifactory strictly uses the `ArtifactoryLdapAuthenticationProvider` class that uses the `ArtifactoryLdapAuthenticator`, wrapping the `ArtifactoryBindAuthenticator`. The latter class is the one used to perform the actual authentication and it does check for empty passwords. Artifactory does not use any other provider with LDAP, such as `ActiveDirectoryLdapAuthenticationProvider`. This JIRA issue refers to an older class name, `ActiveDirectoryLdapAuthenticator`, that is not part of Spring Security and Artifactory.
CVE-2008-4108	High	N/A	Does not affect Artifactory, since Artifactory Jfrog does not require Python to be installed; the CVE is not relevant for Jfrog.
CVE-2005-2541	High	N/A	Does not affect Artifactory, since Artifactory uses `Tar` 1.30.1.