CVEs Not Impacting Artifactory

The following is a list of CVEs that do not impact Artifactory.

CVE

Severity

Artifactory Fix Version

Reason

CVE-2024-45410

Medium

7.90.13

The component using this functionality already forwards those HTTP headers by design, hence this vulnerability didn't introduce any new behavior.

CVE-2021-28168

CVE-2020-36518

CVE-2021-46877

CVE-2022-2048

CVE-2022-42003

CVE-2022-42004

CVE-2023-36478

CVE-2023-44487

High

7.95.0

Does not affect Artifactory as the vulnerable functionality is not in use.

CVE-2024-39321

High

7.92.0

Does not affect Artifactory, as it doesn't make use of the traefik IP filtering feature.

CVE-2023-44487

Critical

7.90.5

Does not affect Artifactory as it only affects libnghttp

CVE-2023-29402

Critical

7.90.5

Does not affect Artifactory as it only affects golang

CVE-2023-4016

High

7.90.5

Does not affect Artifactory as it only affects go-pkgs

CVE-2023-32665

High

7.90.5

Does not affect Artifactory as it only affects gLib

CVE-2023-32611

High

7.90.5

Does not affect Artifactory as it only affects gLib

CVE-2023-29499

High

7.90.5

Does not affect Artifactory as it only affects gLib

CVE-2023-29469

High

7.90.5

Does not affect Artifactory as it only affects libxml2

CVE-2023-2602

High

7.90.5

Does not affect Artifactory as it only affects libxml2

CVE-2021-38561

High

7.90.5

Does not affect Artifactory as it only affects golang

CVE-2020-7919

High

7.90.5

Does not affect Artifactory as it only affects golang

CVE-2019-11254

High

7.90.5

Does not affect Artifactory as it only affects gopkg

CVE-2018-1099

High

7.90.5

Does not affect Artifactory as it only affects gopkg

CVE-2023-39325

High

7.90.5

Does not affect Artifactory as it only affects golang

CVE-2023-24539

High

7.90.5

Does not affect Artifactory as it only affects golang

CVE-2023-29400

High

7.90.5

Does not affect Artifactory as it only affects golang

CVE-2024-34750

High

7.91.1

Does not impact Artifactory, as Artifactory does not use the vulnerable Apache Tomcat configuration.

CVE-2024-29857

Medium

N/A

Does not affect Artifactory, as Artifactory does not use the Bouncy Castle Java project in a vulnerable way.

CVE-2020-1712

High

7.86.0

The CVE is present only in the docker image and does not affect Artifactory.

CVE-2024-1459

High

7.86.0

Does not affect Artifactory, as it only affects undertow-core.

CVE-2024-28849

Medium

7.86.0

Does not affect Artifactory, as it only affects Axios.

CVE-2022-1471

Critical

7.84.3

Does not affect Artifactory, as the Artifactory usage of snakeyaml is not exploitable.

CVE-2024-25710

CVE-2024-26308

High

7.83.1

Upgraded Apache commons to version 9.0.87.

CVE-2023-4586

High

7.81.1

Does not affect Artifactory, as it only affects netty-handler.

CVE-2023-2976

Medium

7.81.1

Does not affect Artifactory, as it only affects guava.

CVE-2024-21626

High

7.80.0

Does not affect Artifactory, as it only affects runc.

CVE-2023-39325

CVE-2023-44487

High

7.79.2

Does not affect Artifactory, as it only affects golang.

CVE-2023-24539

CVE-2023-29400

High

7.79.2

Does not affect Artifactory, as it only affects golang.

CVE-2023-39323

Critical

7.76.0

Does not affect Artifactory, as it only affects golang.

CVE-2023-6378

High

7.76.0

Does not affect Artifactory, as it only affects logback-classic.

CVE-2023-44487

High

7.76.0

Does not affect Artifactory, as it only affects golang.

CVE-2023-45857

Medium

7.75.0

Does not affect Artifactory: the vulnerability relates to a cookie, but in the location where a vulnerable version of the Axios package is used, the communication is server-to-server (which doesn't use cookies).

CVE-2023-39325

High

7.71.5

Does not affect Artifactory, as it only affects go.

CVE-2023-24540

Critical

7.71.2

Does not affect Artifactory, as it only affects go.

CVE-2023-4759

High

7.71.2

Does not affect Artifactory, as it only affects jgit.

CVE-2023-2253

High

7.71.2

Does not affect Artifactory, as it only affects distribution.

CVE-2023-24540

Critical

7.70.2

Does not affect Artifactory, as it only affects Golang.

CVE-2023-41080

High

7.68.11

Does not affect Artifactory, as it only affects Apache Tomcat.

CVE-2023-29403

High

7.68.6

Does not affect Artifactory, since it only affects yq.

CVE-2022-4450

CVE-2023-0215

High

7.68.6

Does not affect Artifactory, since it only affects openssl-libs.

CVE-2023-34035

High

7.68.6

Does not affect Artifactory, since it only affects spring-security-config.

CVE-2023-2976

Medium

7.68.6

Does not affect Artifactory, since it only affects guava.

CVE-2023-26136

Critical

7.66.3

Does not affect Artifactory, since it only affects tough-cookie.

CVE-2023-29404

Critical

7.66.3

Does not affect Artifactory, since it only affects golang.

CVE-2023-2976

High

7.66.3

Does not affect Artifactory, since it only affects guava.

CVE-2023-35116

High

7.66.3

Does not affect Artifactory, since it only affects jackson-databind.

CVE-2023-32731

CVE-2023-1428

CVE-2023-32732

High

7.66.3

Does not affect Artifactory, since it only affects grpc.

CVE-2023-26115

Medium

7.66.3

Does not affect Artifactory, since it only affects word-wrap.

CVE-2022-25883

Medium

7.66.3

Does not affect Artifactory, since it only affects semver.

CVE-2023-24539

Medium

7.66.3

Does not affect Artifactory, since it only affects go.

CVE-2023-29401

Medium

7.66.3

Does not affect Artifactory, since it only affects gin-gonic.

CVE-2023-29404

Critical

7.65.3

Does not affect Artifactory, since it only affects golang.

CVE-2016-2510

High

7.65.3

Does not affect Artifactory, since it only affects beanshell.

CVE-2023-26048

Medium

7.65.3

Does not affect Artifactory, since it only affects jetty-server.

CVE-2023-1732

Medium

7.65.3

Does not affect Artifactory, since it only affects circl.

CVE-2023-34462

Medium

7.65.3

Does not affect Artifactory, since it only affects netty-handler.

CVE-2023-2976

Medium

7.65.3

Does not affect Artifactory, since it only affects guava.

CVE-2022-25883

Medium

7.65.3

Does not affect Artifactory, since it only affects semver.

CVE-2023-29404

Critical

7.64.4

Does not impact Artifactory, since it only affects golang.

CVE-2023-29400

High

7.64.4

Does not impact Artifactory, since it only affects golang.

CVE-2023-1732

Medium

7.64.4

Does not impact Artifactory, since it only affects circl.

CVE-2023-2976

Medium

7.64.4

Does not impact Artifactory, since it only affects guava.

CVE-2022-25883

Medium

7.64.4

Does not impact Artifactory, since it only affects semver.

CVE-2023-28709

High

7.63.5

Does not affect Artifactory, since it only impacts Apache Tomcat.

CVE-2023-20863

High

7.61.3

Does not affect Artifactory, since it only impacts spring-core.

CVE-2022-41722

High

7.61.3

Does not affect Artifactory, since it only impacts golangci-lint.

CVE-2023-27561

High

7.61.3

Does not affect Artifactory, since it only impacts runc.

CVE-2023-0286

High

7.61.3

Does not affect Artifactory, since it only impacts openssl-libs.

CVE-2022-25857

CVE-2022-41854

High

7.61.3

Does not affect Artifactory, since it only impacts snakeyaml.

CVE-2023-28708

High

7.61.3

Does not affect Artifactory, since it only impacts apache tomcat.

CVE-2023-28642

CVE-2023-25809

Medium

7.61.3

Does not affect Artifactory, since it only impacts runc.

CVE-2023-28842

CVE-2023-28840

Medium

7.61.3

Does not affect Artifactory, since it only impacts docker.

CVE-2023-26125

Medium

7.61.3

Does not affect Artifactory, since it only impacts gin-gonic.

CVE-2023-0845

Medium

7.61.3

Does not affect Artifactory, since it only impacts hashicorp.

CVE-2023-1370

High

7.59.5

Does not affect Artifactory, since it only affects json-smart.

CVE-2022-41722

CVE-2022-41725

CVE-2022-41724

High

7.59.5

Does not affect Artifactory, since it only affects Golang.

CVE-2022-41723

High

7.59.5

Does not affect Artifactory, since it only affects Golang.

CVE-2022-25857

High

7.58.5

Doesn't impact Artifactory, since it only affects SnakeYAML.

CVE-2022-41723

High

7.58.1

Doesn't impact Artifactory, since it only affects Golang.

CVE-2022-43551

High

7.58.1

Doesn't impact Artifactory, since it only affects curl.

CVE-2022-41717

Medium

7.58.1

Doesn't impact Artifactory, since it only affects yq.

CVE-2022-41722

High

7.58.0

Doesn't affect Artifactory, since it only affects Golang.

CVE-2022-41720

High

7.58.0

Doesn't affect Artifactory, since it only affects Golang.

CVE-2022-41716

High

7.58.0

Doesn't affect Artifactory, since it only affects Golang.

CVE-2022-2526

High

7.58.0

Doesn't affect Artifactory, since it only affects systemd-libs.

CVE-2017-1000487

Critical

7.57.1

Does not affect Artifactory, since it only affects plexus-utils.

CVE-2023-25173

Medium

7.57.1

Does not affect Artifactory, since it only affects containerd.

CVE-2022-41716

High

7.56.2

Does not affect Artifactory, since it only affects Golang.

CVE-2022-38900

High

7.56.2

Does not affect Artifactory, since it only affects decode-uri-components.

CVE-2022-41720

High

7.56.2

Does not affect Artifactory, since it only affects Golang.

CVE-2022-23471

Medium

7.56.2

Does not affect Artifactory, since it only affects containerd.

CVE-2022-45143

High

7.55.1

Does not affect Artifactory, since it only affects Apache Tomcat.

CVE-2022-42916

High

7.55.1

Does not affect Artifactory, since it only affects curl.

CVE-2022-27664

High

7.55.1

Does not affect Artifactory, since it only affects Golang.

CVE-2022-41716

CVE-2022-41715

CVE-2022-2880

CVE-2022-2879

High

7.55.1

Does not affect Artifactory, since it only affects Go.

CVE-2022-42004

High

7.55.1

Does not affect Artifactory, since it only affects jackson-databind.

CVE-2022-42003

High

7.55.1

Does not affect Artifactory, since it only affects jackson-databind.

CVE-2022-25857

High

7.55.1

Does not affect Artifactory, since it only affects SnakeYAML.

CVE-2022-3171

High

7.55.1

Does not affect Artifactory, since it only affects protobuf-java.

CVE-2022-41720

High

7.55.1

Does not affect Artifactory, since it only affects Go.

CVE-2022-46175

High

7.55.1

Does not affect Artifactory, since it only affects JSON5.

CVE-2021-26291

Critical

7.53.1

Does not affect Artifactory, since it only affects Apache Maven.

CVE-2022-42898

High

7.53.1

Does not affect Artifactory, since it only affects krb5-libs.

CVE-2022-32149

High

7.53.1

Does not affect Artifactory, since it only affects Golang.

CVE-2022-23539

CVE-2022-23529

High

7.53.1

Does not affect Artifactory, since it only affects jsonwebtoken.

CVE-2022-4065

High

7.53.1

Does not affect Artifactory, since it only affects testng.

CVE-2022-41716

High

7.53.1

Does not affect Artifactory, since it only affects Golang.

CVE-2022-27664

High

7.53.1

Does not affect Artifactory, since it only affects Golang.

CVE-2022-31030

Medium

7.53.1

Does not affect Artifactory, since it only affects Containerd.

CVE-2022-41854

Medium

7.53.1

Does not affect Artifactory, since it only affects SnakeYAML.

CVE-2022-45047

Critical

7.52.0

Does not affect Artifactory, since it only affects Apache MINA SSHD.

CVE-2022-25857

CVE-2022-1471

High

7.52.0

Does not affect Artifactory, since it only affects SnakeYAML.

CVE-2022-1552

High

7.52.0

Does not affect Artifactory, since it only affects Postgres.

CVE-2022-27664

High

7.52.0

Does not affect Artifactory, since it only affects Golang.

CVE-2022-41720

High

7.52.0

Does not affect Artifactory, since it only affects Golang.

CVE-2022-28948

High

7.52.0

Does not affect Artifactory, since it only affects Go-yaml.

CVE-2021-33194

High

7.52.0

Does not affect Artifactory, since it only affects golang.org/x/net.

CVE-2022-39271

GHSA-c6hx-pjc3-7fqr

High

7.52.0

Does not affect Artifactory, since it only affects traefik.

CVE-2022-31159

High

7.52.0

Does not affect Artifactory, since it only affects aws-java-sdk.

CVE-2022-40716

Medium

7.52.0

Does not affect Artifactory, since it only affects hashicorp.

CVE-2022-41915

Medium

7.52.0

Does not affect Artifactory, since it only affects Netty.

CVE-2022-38749

Medium

7.52.0

Does not affect Artifactory, since it only affects SnakeYAML and common.

CVE-2022-32190

Critical

7.50.3

Does not affect Artifactory, since it only affects Go

CVE-2022-37866

High

7.50.3

Doesn't affect Artifactory, since it only affects org.apache.ivy:ivy.

CVE-2022-31197

High

7.50.3

Doesn't affect Artifactory, since it only affects org.postgresql:postgresql.

CVE-2016-5425

CVE-2016-6325

High

7.50.3

Doesn't affect Artifactory, since it only affects tomcat-jdbc.

CVE-2022-42003

CVE-2022-42004

High

7.49.3

Doesn't affect Artifactory, since it only affects java commons.

CVE-2022-25857

High

7.49.3

Does not affect Artifactory, since it only affects Upgraded snakeyaml

CVE-2022-40151

High

7.49.3

Does not affect Artifactory, since it only affects woodstox-core

CVE-2022-32149

High

7.49.3

Does not affect Artifactory, since it only affects golang

CVE-2022-27664

High

7.49.3

Does not affect Artifactory, since it only affects Go

GHSA-3mc7-4q67-w48m

GHSA-98wm-3w3q-mw94

GHSA-9w3m-gqgf-c4p9

GHSA-c4r9-r8fh-9vj2

GHSA-hhhw-99gj-p3c3

High

7.49.3

Does not affect Artifactory, since it only affects snakeyaml

CVE-2022-3171

High

7.49.3

Does not affect Artifactory, since it only affects protobuf-java

CVE-2022-42003

CVE-2022-42004

GHSA-jjjh-jjxp-wpff

GHSA-rgv9-q543-rqg4

High

7.49.3

Does not affect Artifactory, since it only affects jackson-databind

CVE-2022-29526

Medium

7.49.3

Does not affect Artifactory, since it only affects yq

CVE-2022-3171

Medium

7.49.3

Does not affect Artifactory, since it only affects io.grpc::grpc-*

CVE-2022-36033

Medium

7.49.3

Does not affect Artifactory, since it only affects jsoup

CVE-2022-38752

Medium

7.49.3

Does not affect Artifactory, since it only affects commons

CVE-2022-1348

Medium

7.49.3

Does not affect Artifactory, since it only affects logrotate

CVE-2019-20444

CVE-2019-20445

CVE-2019-16869

Critical

7.47.7

Does not affect Artifactory, since it only affects software.amazon.awssdk:licensemanager.

CVE-2021-26291

Critical

7.47.7

Does not affect Artifactory, since it only affects org.apache.maven.maven-project.

CVE-2022-1962

CVE-2022-28131

CVE-2022-30633

CVE-2022-30635

Critical

7.47.7

Does not affect Artifactory, since it only affects snakeyaml.

CVE-2021-44906

High

7.47.7

Does not affect Artifactory, since it only affects grpc-tools.

CVE-2021-3807

High

7.47.7

Does not affect Artifactory, since it only affects grpc-tools and grpc_tools_node_protoc_ts.

CVE-2022-25857

High

7.47.7

Does not affect Artifactory, since it only affects snakeyaml.

CVE-2022-22970

High

7.46.3

Does not affect Artifactory, since it only affects org.springframework:spring-beans.

CVE-2022-24823

Medium

7.47.7

Does not affect Artifactory, since it only affects io.netty.

CVE-2020-7789

Medium

7.47.7

Does not affect Artifactory, since it only affects grpc-tools and grpc_tools_node_protoc_ts.

CVE-2022-0235

Medium

7.47.7

Does not affect Artifactory, since it only affects grpc-tools and grpc_tools_node_protoc_ts.

CVE-2022-30187

Medium

7.47.7

Does not affect Artifactory, since it only affects azure-storage-blob and azure-core-http-okhttp.

CVE-2020-7608

Medium

7.47.7

Does not affect Artifactory, since it only affects grpc-tools and grpc_tools_node_protoc_ts.

CVE-2022-25878

Medium

7.47.7

Does not affect Artifactory, since it only affects grpc-tools and grpc_tools_node_protoc_ts.

CVE-2022-27191

Medium

7.47.7

Does not affect Artifactory, since it only affects grpc-tools and http://grpc_tools_node_protoc_ts.golang.org/x/crypt.

CVE-2022-27191

Medium

7.46.3

Does not affect Artifactory, since it only affects golang.org/x/crypto/ssh.

CVE-2022-31030

Medium

7.46.3

Does not affect Artifactory, since it only affects containerd.

CVE-2022-22968

Medium

7.46.3

Does not affect Artifactory, since it only affects org.springframework:spring-context.

CVE-2022-31197

Medium

7.46.3

Does not affect Artifactory, since it only affects org.postgresql:postgresql.

CVE-2021-37136

CVE-2021-37137

Critical

7.46.3

Does not affect Artifactory, since it only affects io.netty:netty-codec:4.1.63.

CVE-2020-36518

High

7.46.3

Does not affect Artifactory, since it only affects jackson-databind.

CVE-2022-22963

Critical

7.46.3

Does not affect Artifactory, since it only affects spring-core 5.3.18.

CVE-2022-2048

High

7.46.3

Does not affect Artifactory, since it only affects org.eclipse.jetty.

CVE-2022-31159

High

7.46.3

Does not affect Artifactory, since it only affects aws-java-sdk.

CVE-2021-3807

High

7.46.3

Does not affect Artifactory, since it only affects jest-junit and ansi-regex.

CVE-2020-28469

High

7.46.3

Does not affect Artifactory, since it only affects glob-parent.

CVE-2021-20066

Medium

7.46.3

Does not affect Artifactory, since it only affects jest.

CVE-2022-0235

Medium

7.46.3

Does not affect Artifactory, since it only affects grpc-tools.

CVE-2020-7608

Medium

7.46.3

Does not affect Artifactory, since it only affects yargs and yargs-parser.

CVE-2022-22950

Medium

7.46.3

Does not affect Artifactory, since it only affects org.springframework:spring-expression.

CVE-2021-22096

CVE-2021-22060

Medium

7.46.3

Does not affect Artifactory, since it only affects org.springframework:spring-core.

CVE-2022-24823

Medium

7.46.3

Does not affect Artifactory, since it only affects io.netty:netty-common.

CVE-2018-25031

CVE-2021-46708

Medium

7.46.3

Does not affect Artifactory, since it only affects com.github.tomakehurst:wiremock-jre8.

CVE-2021-43797

Medium

7.46.3

Does not affect Artifactory, since it only affects io.netty:netty-codec-http.

CVE-2022-1962

CVE-2022-28131

CVE-2022-30633

CVE-2022-30635

Critical

7.46.3

Does not affect Artifactory, since it only affects github.com/golang/go.

CVE-2022-22971

Critical

7.42.1

Does not affect Artifactory, since it only affects spring-core.

CVE-2020-36518

High

7.42.1

Does not affect Artifactory, since it only affects fasterxml.jackson.version.

CVE-2020-36518

High

7.41.4

Does not affect Artifactory, since it only affects jackson-databind.

CVE-2022-24823

Medium

7.41.4

Does not affect Artifactory, since it only affects netty-common.

CVE-2021-3859

High

7.41.4

Does not affect Artifactory, since it only affects Red Hat undertow-core.

CVE-2022-22963

Critical

7.41.4

Does not affect Artifactory, since it only affects spring-core.

CVE-2021-22119

High

7.41.4

Does not affect Artifactory, since it only affects spring-security-oauth2.

CVE-2022-23632

Critical

7.39.4

Does not affect Artifactory, since it only affects Traefik.

CVE-2022-29153

High

7.39.4

Does not affect Artifactory, since it only affects consul.

CVE-2022-24769

Medium

7.39.4

Does not affect Artifactory, since it only affects containerd.

CVE-2022-27191

High

7.39.4

Does not affect Artifactory, since it only affects golang.org/x/crypto/ssh.

CVE-2022-23648

High

7.39.4

Does not affect Artifactory, since it only affects containerd.

CVE-2022-0536

Medium

7.39.4

Does not affect Artifactory, since it only affects nodejs clients' axios.

CVE-2021-43797

Medium

7.37.13

Does not affect Artifactory, since it only affects Netty.

CVE-2021-3807

High

7.37.13

Does not affect Artifactory, since it only affects ansi-regex.

CVE-2022-23806

Critical

7.37.13

Does not affect Artifactory, since it only affects Curve.IsOnCurve in crypto/elliptic in Go.

CVE-2021-41090

Medium

7.35.1

Does not affect Artifactory, since it only affects docker and image-spec.

CVE-2021-22060

Medium

7.34.4

Does not affect Artifactory, since it only affects org.springframework:spring-core:5.3.12.

CVE-2021-42550

Medium

7.31.10

Does not affect Artifactory, since it only affects logback.xml.

CVE-2017-9506

Medium

7.31.10

Does not affect Artifactory, since it only affects IconUriServlet of the Atlassian OAuth Plugin.

CVE-2015-2575

Medium

7.31.10

Does not affect Artifactory, since it only affects mysql:mysql-connector-java:8.0.20.

CVE-2021-42340

High

7.31.10

Does not affect Artifactory, since it only affects the Apache Tomcat versions: 9.0.48 and 8.5.73.

CVE-2020-13949

High

7.31.10

Does not affect Artifactory, since it only affects the jaeger 1.6.0 which uses Thrift 0.14.1.

CVE-2021-35560

CVE-2021-35550

CVE-2021-35556

CVE-2021-35561

CVE-2021-35564

CVE-2021-35565

CVE-2021-35567

CVE-2021-35578

CVE-2021-35586

CVE-2021-35588

CVE-2021-35603

High

7.31.10

Does not affect Artifactory, since they only affect Java.

CVE-2021-36374

Medium

7.31.10

Does not affect Artifactory, since it only affects the Apache ant-1.9.15.

CVE-2021-33037

Medium

7.27.3

Does not affect Artifactory, since it only affects the Apache Tomcat.

CVE-2021-22147

High

7.27.3

Does not affect Artifactory, since it only affects the org.elasticsearch:elasticsearch.

CVE-2021-22148

High

7.27.3

Does not affect Artifactory, since it only affects the org.elasticsearch:elasticsearch.

CVE-2021-22149

High

7.27.3

Does not affect Artifactory, since it only affects the org.elasticsearch:elasticsearch.

CVE-2021-30129

High

7.25.4

Does not affect Artifactory, since it only affects the org.apache.sshd:sshd-core:2.6.0.

CVE-2017-18640

High

7.25.4

Does not affect Artifactory, since it only affects the Snakeyaml 1.23 XML Entity Expansion.

CVE-2021-27568

Critical

7.25.4

Does not affect Artifactory, since it only affects the json-smart-1.3.1.

CVE-2021-26291

Normal

7.24.1

Does not affect Artifactory, since it only affects the Maven version 3.8.1.

CVE-2021-13936

High

7.24.1

Does not affect Artifactory, since it only affects the Apache Velocity engine.

CVE-2018-9116

Critical

7.23.3

Does not affect Artifactory, since it only affects wiremock.

CVE-2021-29505

Critical

7.21.3

Does not affect Artifactory, since it only affects XStream.

CVE-2021-26291

High

7.21.3

Does not affect Artifactory, since it only affects Apache Tomcat.

CVE-2021-21290

Medium

7.21.3

Does not affect Artifactory, since it only affects netty-codec-http:4.1.53.final.

CVE-2020-17521

Medium

7.21.3

Does not affect Artifactory, since it only affects org.codehaus.groovy:groovy-all.

CVE-2021-22112

High

7.17.4

Does not affect Artifactory, since it only affects Spring Security Web.

CVE-2019-17571

Medium

7.15.3

Does not affect Artifactory, since it only affects log4j-to-slf4j and log4j-api.

CVE-2016-10750

High

7.11.1

Does not affect Artifactory, since it only affects hazelcast-3.6.1.jar

CVE-2017-7657

Medium

7.11.1

Does not affect Artifactory, since it only affects Org.eclipse.jetty:jetty-http

CVE-2017-1000487

High

7.11.1

Does not affect Artifactory, since it only affects Plexus-utils.

CVE-2020-25649

High

7.11.1

Does not affect Artifactory, since it only affects fasterxml.jackson.version.

CVE-2019-17359

High

7.10.5

Does not affect Artifactory, since it only affects bcprov-jdk15.

CVE-2020-7226

High

7.10.5

Does not affect Artifactory, since it only affects cryptacular-1.1.1.jar.

CVE-2020-7692

Critical

7.10.2

Does not affect Artifactory, since it only affects google-oauth-client library.

CVE-2019-12402

Medium

7.10.1

Does not affect Artifactory, since it only affects Commons-compress library.

CVE-2020-15586

golang.org/issue/34902

High

7.10.1

Does not affect Artifactory, since it only affects Go 1.14.9.

CVE-2019-20104

High

7.10.1

Does not affect Artifactory, since it only affects Crowd lib.

CVE-2017-7957

High

7.10.1

Does not affect Artifactory, since it only affects XStream.

CVE-2016-3674

High

7.10.1

Does not affect Artifactory, since it only affects XStream.

CVE-2013-7285

Critical

7.10.1

Does not affect Artifactory, since it only affects XStream.

CVE-2020-8203

High

7.9.0

Does not affect Artifactory, since it only affects lodash.

CVE-2020-1745

Critical

7.9.0

Does not affect Artifactory, since it only affects io.undertow:undertow-core / 2.0.15.Final.

CVE-2017-15095

Critical

7.8.1

Does not affect Artifactory, since it only affects fge:jackson-coreutils:jar.

CVE-2017-17485

Critical

7.8.1

Does not affect Artifactory, since it only affects fge:jackson-coreutils:jar.

CVE-2017-7525

Critical

7.8.1

Does not affect Artifactory, since it only affects fge:jackson-coreutils:jar.

CVE-2020-13935

High

7.7.0

Does not affect Artifactory, since it only affects Apache Tomcat.

CVE-2020-13934

High

7.7.0

Does not affect Artifactory, since it only affects Apache Tomcat.

CVE-2020-11996

High

7.7.0

Does not affect Artifactory, since it only affects Apache Tomcat.

CVE-2020-28500

CVE-2020-8203

CVE-2021-23337

Critical

6.23.25

Does not affect Artifactory, since it only affects npm lodash library

CVE-2022-46337

High

N/A

Does not affect Artifactory, as it only affects derby.

Although a vulnerable version of derby is in use, it is not exploitable, because exploitation requires administrative access to the machine and the attributes in system.yaml. Furthermore, the Derby database isn't intended for production setups; it is used as a local database, mostly for testing and small-scale installations.

CVE-2022-42252

High

N/A

Does not affect Artifactory, since it only affects Apache Tomcat.

CVE-2022-30591

High

N/A

JFrog Artifactory is not affected, since it does not use quic-go through 0.27.0.

CVE-2022-42889

Critical

N/A

JFrog Platform is not affected, since it does not use the impacted packages.

CVE-2016-1000027

Critical

N/A

Does not affect Artifactory, since it does not use the impacted HttpInvokerServiceExporter component for providing remote access.

CVE-2022-34305

Medium

N/A

Does not affect Artifactory, since it does not use the impacted component that is included in the Apache Tomcat version.

CVE-2022-29885

High

N/A

Does not affect Artifactory, since it does not use the impacted component that is included in the Apache Tomcat version.

CVE-2018-10892

High

N/A

Does not affect Artifactory, since only Traefik uses it, and it therefore applies only if the Docker Provider is turned on, which is not the case in Artifactory.

CVE-2020-0187

Medium

N/A

Does not affect Artifactory, since it only affects the Android Platform.

N/A

Medium

N/A

Does not affect Artifactory, as it applies only when using Apache Sling which is not the case in Artifactory.

N/A

Medium

N/A

Does not affect Artifactory, since it only affects SSLServerSocketAppender and SSLSocketAppender.

CVE-2017-7536

High

N/A

Does not affect Artifactory, since Artifactory is not using org.hibernate_hibernate-validator.

CVE-2020-9484

High

N/A

Does not affect Artifactory, since the vulnerability is exploitable when Tomcat is configured with PersistenceManager, which Artifactory does not use.

CVE-2019-11888

High

N/A

This CVE supposedly affects Artifactory 6.x versions. The golang/go library is part of the Metadata Service, which is not enabled in Artifactory 6.x versions.

CVE-2019-14809

High

N/A

This CVE supposedly affects Artifactory 6.x versions. The golang/go library is part of the Metadata Service, which is not enabled in Artifactory 6.x versions.

CVE-2019-0232

High

N/A

The enableCmdLineArguments parameter is not enabled in the Apache Tomcat bundled with Artifactory.

CVE-2018-8014

High

N/A

The JFrog Apache Tomcat version is 8.5.32, which is not one of the vulnerable versions.

CVE-2018-1275

High

N/A

The JFrog Spring Framework version is 4.1.8, which is vulnerable to the CVE, as the version is unsupported. However, because JFrog does not implement a STOMP broker, we are not exposed to this vulnerability.

CVE-2018-8589

Medium

N/A

JFrog is not responsible for vulnerabilities in the Windows operating system. Anyone using an on-premises environment should keep the Windows operating system up to date.

CVE-2018-11776

High

N/A

Does not affect Artifactory, since JFrog does not use Apache Struts.

CVE-2018-5925

High

N/A

Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog.

CVE-2018-5924

High

N/A

Does not affect Artifactory, since the issue relates to certain HP Inkjet printers and is not relevant to JFrog.

CVE-2018-5382

High

N/A

Does not affect Artifactory, since JFrog does not use BKS-V1 keystore.

CVE-2018-1260

High

N/A

Does not affect Artifactory, since JFrog does not use Spring Security Oauth.

CVE-2018-1259

High

N/A

Does not affect Artifactory, since JFrog does not use Spring Data Commons.

CVE-2017-5664

High

N/A

Does not affect Artifactory, since the default value for the readOnly property in the DefaultServlet is "true" (readOnly=true) in our environment. As mentioned in the CVE, you are only vulnerable: "...if the DefaultServlet is configured to permit writes..."

CVE-2017-5648

Critical

N/A

Does not affect Artifactory, since the tomcat/webapps folder only contains the Artifactory WAR and the Access WAR files used by the bundled Tomcat distribution.

CVE-2017-5647

High

N/A

Does not affect Artifactory, since the issue relates only to the "Send File" service, which is not used by Artifactory.

CVE-2017-5638

Critical

N/A

Artifactory is not affected by the Apache Struts 2 vulnerability.

CVE-2014-0097

High

N/A

For LDAP authentication, Artifactory strictly uses the ArtifactoryLdapAuthenticationProvider class that uses the ArtifactoryLdapAuthenticator, wrapping the ArtifactoryBindAuthenticator. The latter class is the one used to perform the actual authentication and it does check for empty passwords.

Artifactory does not use any other provider with LDAP, such as ActiveDirectoryLdapAuthenticationProvider. This JIRA issue refers to an older class name, ActiveDirectoryLdapAuthenticator, that is not part of Spring Security and Artifactory.

CVE-2008-4108

High

N/A

Does not affect Artifactory, since JFrog Artifactory does not require Python to be installed; the CVE is not relevant for JFrog.

CVE-2005-2541

High

N/A

Does not affect Artifactory, since Artifactory uses Tar 1.30.1.