CVEs Not Impacting Distribution

JFrog Release Information


The following is a list of CVEs that do not impact Distribution.

| CVE | Severity | Distribution Fix Version | Reason |
|---|---|---|---|
| CVE-2024-38816 | High | 2.27.2 | Upgraded Spring Framework to a fixed version due to a vulnerability to path traversal attacks. |
| CVE-2024-24790 | Critical | 2.27.2 | Upgraded observability to a fixed version. |
| CVE-2024-21634 | High | 2.26.1 | Upgraded Amazon Ion to a fixed version. |
| CVE-2024-22262 | High | 2.25.1 | Upgraded Spring Framework to a fixed version. |
| CVE-2023-33202 | Medium | 2.24.0 | Upgraded Bouncy Castle to a fixed version. |
| CVE-2024-29025 | Medium | 2.24.0 | Upgraded Netty to a fixed version. |
| CVE-2204-22257 | High | 2.24.0 | Upgraded Spring Security to a fixed version. |
| CVE-2023-34462 | Medium | 2.21.3 | Upgraded netty-handler to a fixed version. |
| CVE-2023-44487 | High | 2.21.3 | Upgraded netty-codec-http2 to a fixed version. |
| CVE-2023-34462 | Medium | 2.20.2 | Upgraded Netty to a fixed version. |
| CVE-2023-2976 | High | 2.20.1 | Upgraded Google Guava to a fixed version. |
| CVE-2023-34104 | High | 2.19.1 | Upgraded fast-xml-parser to a fixed version. |
| CVE-2023-20859 | Medium | 2.19.1 | Upgraded Spring Vault core to a fixed version. |
| CVE-2023-1370 | High | 2.18.1 | Upgraded to a fixed version. |
| CVE-2022-1471 | Medium | 2.18.1 | Upgraded the SnakeYAML library to a fixed version. |
| CVE-2023-20873 | Critical | 2.18.1 | Upgraded Spring Boot to a fixed version. |
| CVE-2023-20863 | Medium | 2.18.1 | Upgraded Spring Framework to a fixed version. |
| CVE-2023-20862 | Critical | 2.18.1 | Upgraded Spring Security to a fixed version. |
| CVE-2023-20860 | High | 2.18.1 | Upgraded to a fixed version. |
| CVE-2022-45868 | High | N/A | This dependency is used in the development process only and does not impact the final product. |
| CVE-2022-41915 | Medium | N/A | Upgraded to a fixed version. |
| CVE-2022-45143 | High | N/A | Distribution doesn't use the API related to this vulnerability. |
| CVE-2022-38900 | High | N/A | Updated the UI common library. |
| CVE-2022-21222 | High | N/A | This dependency is used in the development process only and is not included in the final product deployment. |
| CVE-2022-45143 | High | N/A | Distribution does not use the vulnerable API. |
| CVE-2022-41946 | Medium | N/A | Updating the drivers to 42.5.1 fixed the vulnerability. |
| CVE-2022-42889 | Critical | N/A | Upgraded to a fixed version, although Distribution does not use the vulnerable API. |
| CVE-2022-31692 | Critical | N/A | Upgraded to a fixed version. |
| CVE-2022-3171 | High | N/A | Upgraded to a fixed version. |
| CVE-2022-42004 | High | N/A | Upgraded to a fixed version. |
| CVE-2022-38750 | Medium | N/A | Upgraded to a fixed version. |
| CVE-2022-38749 | Medium | N/A | Upgraded to a fixed version. |
| CVE-2022-1471 | Critical | N/A | Does not affect Distribution, since Distribution does not use the potentially harmful constructor. |
| CVE-2022-42252 | High | N/A | Does not affect Distribution, since the product uses Tomcat version 9.0.58 and does not redefine rejectIllegalHeader, so its effective value is "true" (the default). |
| CVE-2016-1000027 | Critical | N/A | Does not affect Distribution, since Distribution does not use the vulnerable API. |
| CVE-2022-22978 | High | N/A | Upgraded spring-security-web to version 5.7.0. |
| CVE-2022-22968 | Medium | N/A | Upgraded spring-context to version 5.3.21. |
| CVE-2022-22970 | Medium | N/A | Upgraded spring-beans to version 5.3.21. |
| CVE-2021-21309 | Critical | N/A | Does not affect Distribution, since Distribution uses 64-bit Redis and the issue affects only 32-bit systems or a 32-bit Redis executable running on a 64-bit system. |
| CVE-2022-24785 | High | 2.12.3 | Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js. |
| CVE-2022-21724 | Medium | 2.12.0 | pgjdbc, the official PostgreSQL JDBC Driver, has been upgraded to version 42.2.25. |
| CVE-2021-42550 | Medium | 2.11.0 | Upgraded the logback.xml to version 1.2.9. |
| CVE-2022-24823 | Medium | N/A | Does not affect Distribution, since the vulnerability only impacts applications running on Java version 6 and lower. |