JFrog Security Fixed Security Vulnerabilities

CVEs Impacting Xray

The following is a list of CVEs that were discovered to impact Xray and were fixed.

CVE	Severity	Xray Fix Version	Fix Description
CVE-2022-31030	Medium	3.60.2	Upgraded `github.com/containerd/containerd` version to 1.5.13.
CVE-2022-28948	High	3.60.2	Upgraded `gopkg.in/yaml.v3:3.0.0-20200313102051` version to gopkg.in/yaml.v3:3.0.1.
CVE-2022-27664	High	3.60.2 3.61.5	Upgraded `golang.org/x/net v0.0.0-20220722155237` to golang.org/x/net version 0.1.0 Upgraded `golang.org/x/sys v0.0.0-20220722155237` to golang.org/x/sys v0.1.0 Upgraded `golang.org/x/net v0.3.7` to golang.org/x/text v0.4.0.
CVE-2022-32149	High	3.60.2	Upgraded from 0.3.7 to 0.3.8.
CVE-2022-32189	High	3.59.4	Upgraded `Golang` version to 1.18.5.
CVE-2021-38197	Critical	3.57.6	Upgraded `go-unarr` library to version v0.1.4.
CVE-2022-29526	Medium	3.55.2	Upgraded `Golang` version to 1.18.4.
CVE-2022-30634	High	3.55.2	Upgraded `Golang` version to 1.18.4.
CVE-2022-30632	High	3.55.2	Upgraded `Golang` version to 1.18.4.
CVE-2022-30630	High	3.55.2	Upgraded `Golang` version to 1.18.4.
CVE-2022-30631	High	3.55.2	Upgraded `Golang` version to 1.18.4.
CVE-2022-24769	Medium	3.54.5	Upgraded `Containerd` version to 1.5.11.
CVE-2022-29526	Medium	3.54.5	Upgraded to `Golang` version to 1.17.11.
CVE-2022-23806	Critical	3.50.3	Upgraded JFrog router version to 7.39.0.
CVE-2022-27191	High	3.49.0	Upgraded `golang.org/x/crypto`to v0.0.0-20220314234659-1baeb1ce4c0.
CVE-2022-24675	High	3.48.2	Upgraded `Golang` version to 1.17.9.
CVE-2022-24921	High	3.48.2	Upgraded `Golang` version to 1.17.9.
CVE-2021-43816	Critical	3.42.3	Upgraded `Containerd` version to 1.5.9.
CVE-2021-44717	Medium	3.41.4	Upgraded `Golang` version to 1.17.5.
CVE-2021-44716	High	3.41.4	Upgraded `Golang` version to 1.17.5.
CVE-2021-41771	High	3.38.1	Upgraded `Golang` version to 1.17.3.
CVE-2021-33196	High	3.34.1	Upgraded `Golang` version to 1.15.13, 1.16.5.

CVEs Not Impacting Xray

The following is a list of CVEs that do not impact Xray.

CVE	Severity	Xray Fix Version	Fix Description
CVE-2021-38197	Critical	3.57.6	Upgraded `go-unarr` library to version v0.1.4.
CVE-2025-22871	Critical	3.103.x and up	Not applicable. The vulnerable functions `(net/http.ListenAndServe`, `net/http.ListenAndServeTLS`, `net/http.Serve`, `net/http.ServeTLS`, `net/http.Server.ListenAndServe`, `net/http.Server.ListenAndServeTLS`, `net/http.Server.Serve` ) are never called. The Xray application does not utilize the affected functions, making exploitation impossible.
CVE-2024-34156	High	3.103.x and up	Not applicable. The vulnerable functions (`encoding/gob/Decoder.Decode`, `encoding/gob/Decoder.DecodeValue`) are never called. The Xray application does not utilize the affected functions, making exploitation impossible.
CVE-2019-17543	Medium	3.103.x and up	Not applicable. The vulnerability is only applicable if one of the vulnerable functions (`LZ4_compress`, `LZ4_compress_limitedOutput`, `LZ4_compress_default`, `LZ4_compress_fast`) is called. The Xray application does not utilize the affected functions, making exploitation impossible.
CVE-2024-10979	High	3.107.x and up	Not applicable. The vulnerable PostgreSQL application is not compiled with `perl` extension (plperl).
CVE-2024-34158	High	3.107.x and up	Not applicable. The vulnerable function `go/build/constraint.Parse`is never called. The Xray application does not utilize the affected function, making exploitation impossible