Distribution Fixed Security Vulnerabilities

Fixed security vulnerabilities for JFrog Distribution are described in the following topics.

CVEs Impacting Distribution

The following is a list of CVEs that impact Distribution.

CVE	Severity	Distribution Fix Version	Fix Description
CVE-2025-49844	High	TBD	Package being upgraded. CVE requires an authenticated user to be exploited
CVE-2025-48924	Medium	2.33.0	Upgraded Apache Commons Lang to a fixed version.
CVE-2025-48988	High	2.31.2	Upgraded Apache Tomcat to a fixed version.
CVE-2025-46701	High	2.31.1	Upgraded Apache Tomcat to a fixed version.
CVE-2025-24813	Critical	2.30.0	Upgraded Apache Tomcat to a fixed version.
CVE-2024-50379	High	2.29.1	Upgraded Apache Tomcat to a fixed version.
CVE-2024-45338	High	2.29.1	Upgraded Golang to a fixed version.
CVE-2024-38827	Medium	2.29.1	Upgraded Spring Security to a fixed version.
CVE-2024-12798 CVE-2024-12801	Medium	2.29.1	Upgraded logback-core to a fixed version.
CVE-2024-38996	High	2.28.1	Upgraded ag-grid-community and ag-grid-enterprise due to a prototype pollution via the _.mergeDeep function.
CVE-2023-50387 CVE-2023-50868 CVE-2024-25638	High	2.27.2	Upgraded java_commons to a fixed version.
CVE-2024-39321	High	2.27.2	Upgraded Traefik to a fixed version due to a vulnerability that allows the bypassing of IP allow-lists.
CVE-2204-30172	Medium	2.26.1	Upgraded Bouncy Castle to a fixed version because of an issue discovered in Java Cryptography APIs.
CVE-2024-30171	Medium	2.26.1	Upgraded Bouncy Castle to a fixed version because of an issue discovered in Java TLS API and JSSE Provider.
CVE-2024-29857	Medium	2.26.1	Upgraded Bouncy Castle to a fixed version because of an issue discovered in ECCurve.java and ECCurve.cs.
CVE-2024-22259	High	2.24.0	Upgraded Spring Framework to a fixed version.
CVE-2024-1597	Critical	2.23.0	Upgraded pgjdbc to a fixed version.
CVE-2024-22233	High	2.23.0	Upgraded Spring Framework to a fixed version.
CVE-2024-22243	High	2.23.0	Upgraded UriComponentsBuilder to a fixed version.
CVE-2024-26308 CVE-2024-25710	Medium	2.23.0	Upgraded Apache Commons Compress to a fixed version.
CVE-2023-50570	Medium	2.23.0	Upgraded IPAddress to a fixed version.
CVE-2023-47633	High	2.22.1	Upgraded Traefik to a fixed version.
CVE-2023-46589	High	2.22.1	Upgraded Apache Tomcat to a fixed version.
CVE-2023-6378	High	2.22.1	Upgraded logback to a fixed version.
CVE-2023-4586	High	2.21.3	Upgraded the Hot Rod client to a fixed version.
CVE-2023-35116	Medium	2.21.3	Upgraded jackson-databind to a fixed version.
CVE-2023-41080	Medium	2.21.3	Upgraded Apache Tomcat to a fixed version.
CVE-2023-34035	Medium	2.21.3	Upgraded Spring Framework to a fixed version.
CVE-2022-48345	Medium	2.19.1	Upgraded sanitize-url to a fixed version.

CVEs Not Impacting Distribution

The following is a list of CVEs that do not impact Distribution.

CVE	Severity	Distribution Fix Version	Reason
CVE-2025-53864	Medium	2.33.0	Upgraded Connect2id Nimbus JOSE + JWT to a fixed version.
CVE-2025-31651	Critical	2.30.1	Upgraded Apache Tomcat to a fixed version.
CVE-2025-27820	High	2.30.1	Upgraded Apache HttpClient to a fixed version.
CVE-2025-25193	Medium	2.30.0	Upgraded Netty to a fixed version.
CVE-2025-24970 CVE-2024-47535	Medium	2.29.1	Upgraded Netty to a fixed version.
CVE-2021-23566	Medium	2.28.1	Upgraded nanoid to a fixed version.
CVE-2024-47554	High	2.28.1	Does not affect Distribution as the vulnerable `commons` functionality is not in use.
CVE-2024-47535	Medium	2.28.1	Upgraded Netty to a fixed version.
CVE-2024-38821	Critical	2.28.1	Upgraded Spring Security to a fixed version.
CVE-2024-38820	Medium	2.28.1	Upgraded DataBinder to a fixed version.
CVE-2024-38819	High	2.28.1	Upgraded Spring Framework to a fixed version due to a vulnerability to path traversal attacks.
CVE-2024-7254	High	2.28.1	Upgraded Protobuf to a fixed version.
CVE-2024-38816	High	2.27.2	Upgraded Spring Framework to a fixed version due to a vulnerability to path traversal attacks.
CVE-2024-24790	Critical	2.27.2	Upgraded observability to a fixed version.
CVE-2024-21634	High	2.26.1	Upgraded Amazon Ion to a fixed version.
CVE-2024-22262	High	2.25.1	Upgraded Spring Framework to a fixed version.
CVE-2023-33202	Medium	2.24.0	Upgraded Bouncy Castle to a fixed version.
CVE-2024-29025	Medium	2.24.0	Upgraded Netty to a fixed version.
CVE-2204-22257	High	2.24.0	Upgraded Spring Security to a fixed version.
CVE-2023-34462	Medium	2.21.3	Upgraded netty-handler to a fixed version.
CVE-2023-44487	High	2.21.3	Upgraded netty-codec-http2 to a fixed version.
CVE-2023-34462	Medium	2.20.2	Upgraded Netty to a fixed version.
CVE-2023-2976	High	2.20.1	Upgraded Google Guava to a fixed version.
CVE-2023-34104	High	2.19.1	Upgraded fast-xml-parser to a fixed version.
CVE-2023-20859	Medium	2.19.1	Upgraded Spring Vault core to a fixed version.
CVE-2023-1370	High	2.18.1	Upgraded to a fixed version.
CVE-2022-1471	Medium	2.18.1	Upgraded the SnakeYAML library to a fixed version.
CVE-2023-20873	Critical	2.18.1	Upgraded Spring Boot to a fixed version.
CVE-2023-20863	Medium	2.18.1	Upgraded Spring Framework to a fixed version.
CVE-2023-20862	Critical	2.18.1	Upgraded Spring Security to a fixed version.
CVE-2023-20860	High	2.18.1	Upgraded to a fixed version.
CVE-2022-45868	High	N/A	This dependency is used in the development process only and does not impact the final product.
CVE-2022-41915	Medium	N/A	Upgraded to a fixed version.
CVE-2022-45143	High	N/A	Distribution doesn’t use the API related to this vulnerability.
CVE-2022-38900	High	N/A	Updated the UI common library.
CVE-2022-21222	High	N/A	This dependency is used in the development process only and is not included in the final product deployment.
CVE-2022-45143	High	N/A	Distribution does not use the vulnerable API.
CVE-2022-41946	Medium	N/A	Updating the drivers to 42.5.1 fixed the vulnerability.
CVE-2022-42889	Critical	N/A	Upgraded to a fixed version, although Distribution does not use the vulnerable API.
CVE-2022-31692	Critical	N/A	Upgraded to a fixed version.
CVE-2022-3171	High	N/A	Upgraded to a fixed version.
CVE-2022-42004	High	N/A	Upgraded to a fixed version.
CVE-2022-38750	Medium	N/A	Upgraded to a fixed version.
CVE-2022-38749	Medium	N/A	Upgraded to a fixed version.
CVE-2022-1471	Critical	N/A	Does not affect Distribution since Distribution does not use the potentially-harmful constructor.
CVE-2022-42252	High	N/A	Does not affect Distribution since the product uses Tomcat version 9.0.58 and doesn’t redefine `rejectIllegalHeader`, so its effective value is “true“ (default).
CVE-2016-1000027	Critical	N/A	Does not affect Distribution since Distribution is not using the vulnerable API.
CVE-2022-22978	High	N/A	Upgraded `spring-security-web` to version 5.7.0.
CVE-2022-22968	Medium	N/A	Upgraded `spring-context` to version 5.3.21.
CVE-2022-22970	Medium	N/A	Upgraded `spring-beans` to version 5.3.21.
CVE-2021-21309	Critical	N/A	Does not affect Distribution, since Distribution uses 64-bit Redis and the issue affects only on a 32-bit system or as a 32-bit Redis executable running on a 64-bit system.
CVE-2022-24785	High	2.12.3	`Moment.js` is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of `Moment.js` between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to `Moment.js`.
CVE-2022-21724	Medium	2.12.0	`pgjdbc`, the official `PostgreSQL JDBC` Driver, has been upgraded to version 42.2.25.
CVE-2021-42550	Medium	2.11.0	Upgraded the `logback.xml` to version 1.2.9.
CVE-2022-24823	Medium	N/A	Does not affect Distribution, since the vulnerability only impacts applications running on Java version 6 and lower.