Vulnerabilities Without a CVE Impacting Artifactory

JFrog Release Information


The following is a list of vulnerabilities that impacted Artifactory, have no CVE assigned, and have been fixed.

| Description | Severity | Artifactory Fix Version |
|---|---|---|
| Updated jackson-dataformats-binary to version 2.12.3. | High | 7.21.3 |
| Excluded the Plexus-cipher library. | Medium | 7.21.3 |
| Upgraded com.nimbusds:oauth2-oidc-sdk from 6.14 to 9.9.3. | High | 7.21.3 |
| Upgraded to wiremock-jre8 version 2.28.0. | High | 7.21.3 |
| Upgraded maven-shared-utils from 3.2.1 to version 334. | Critical | 7.21.3 |
| Under certain circumstances, authenticated users were able to (1) retrieve environment information from Artifactory that normally required administrative rights, and (2) deploy binaries to Artifactory from different upstreams without having adequate permissions to perform these actions. | Critical | 6.13.3, 6.14.4, 6.15.2, 6.16.2, 6.17.1, 6.18.1, 7.3.2 |
| Under certain circumstances, users could gain access to application data that should be exposed only to administrators. | Critical | 6.8.14, 6.9.3, 6.10.4 |
| Under certain circumstances, an unauthorized user could send malformed REST API calls to Artifactory that executed under the identity of another user. | Critical | 5.6.8, 5.7.3, 5.8.12, 5.9.8, 5.10.5, 5.11.5; 6.0.4, 6.1.4, 6.2.1, 6.3.4, 6.4.2, 6.5.9 |
| A SAML-related authentication vulnerability potentially exposed Artifactory to XML Signature Wrapping (XSW) attacks, in which an attacker who can intercept and manipulate SAML communications causes a SAML login response to be verified incorrectly. This could potentially allow the attacker to gain access as any user in Artifactory. | High | 6.5.13 |