Bug
Resolution: Fixed
Major
None
Hello There,
The latest version of the Artifactory Plugin (3.17.2) uses an older version of netty. These older versions of netty have security vulnerabilities including:
- CVE-2022-24823
- CVE-2021-43797
This also gets picked up as XRAY-179837 in JFrog XRay. Because it gets picked up by XRay this prevents me from deploying a Jenkins container image that includes the Artifactory plugin because our pipeline blocks the critical vulnerability.
It gets picked up because the pom includes the following dependency:
    <dependency>
        <groupId>org.mock-server</groupId>
        <artifactId>mockserver-netty</artifactId>
        <version>5.10.0</version>
        <scope>test</scope>
    </dependency>
https://github.com/jenkinsci/artifactory-plugin/blob/master/pom.xml#L560
And then this includes netty:
<netty.version>4.1.47.Final</netty.version>
https://github.com/mock-server/mockserver/blob/mockserver-5.10.0/pom.xml#L61
I'd imagine the fix would be to just use a newer version of mock server, since the latest version of mock server does not contain the vulnerable version.
Even though it is under the test scope, this still blocks me from deploying it since it gets picked up by XRay during the scanning step of the docker image that I am packaging Jenkins into.
The fix in netty is documented here, which also highlights why this package should be upgraded: https://github.com/netty/netty/pull/11429
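The chain the report describes (a test-scoped dependency whose own POM pins an old `netty.version` property) is exactly what a scanner walks, and scope does not make it go away. The script below is an added example, not code from the Artifactory plugin, MockServer or JFrog Xray: it parses a POM, expands `${...}` property references, pulls out every `io.netty` dependency regardless of scope, and compares the resolved version against the fixed versions for the two CVEs named above. The sample POM is constructed to mirror the mockserver-5.10.0 snippet quoted in the report; the fixed-version thresholds (4.1.71.Final for CVE-2021-43797, 4.1.77.Final for CVE-2022-24823) come from the netty advisories and are not stated on this page.

```python
"""Flag transitive netty versions declared in a Maven POM, ignoring scope.

Added example; not the Artifactory plugin's, MockServer's or Xray's code.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# First fixed netty release per CVE, taken from the netty GitHub security
# advisories (assumption: these thresholds are not stated on the page).
NETTY_FIXES = {
    "CVE-2021-43797": "4.1.71.Final",
    "CVE-2022-24823": "4.1.77.Final",
}

# Constructed sample modelled on mockserver-5.10.0's pom.xml: a property pins
# netty and the dependency references it through ${netty.version}.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.mock-server</groupId>
  <artifactId>mockserver</artifactId>
  <version>5.10.0</version>
  <properties>
    <netty.version>4.1.47.Final</netty.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-codec-http</artifactId>
      <version>${netty.version}</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""


def version_key(version):
    """Order netty versions such as 4.1.47.Final on their numeric components."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def resolve(value, props):
    """Expand ${prop} references using the POM's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def netty_dependencies(pom_xml):
    """Return (artifactId, resolved version, scope) for every io.netty dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    found = []
    for dep in root.findall(".//m:dependency", NS):
        if dep.findtext("m:groupId", default="", namespaces=NS) != "io.netty":
            continue
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        version = resolve(dep.findtext("m:version", default="", namespaces=NS), props)
        scope = dep.findtext("m:scope", default="compile", namespaces=NS)
        found.append((artifact, version, scope))
    return found


def vulnerable_cves(version):
    """CVEs whose fixed release is newer than the given netty version."""
    return [cve for cve, fixed in NETTY_FIXES.items()
            if version_key(version) < version_key(fixed)]


def scan(pom_xml):
    """Findings with scope reported alongside: a scanner flags test scope too."""
    return [{"artifact": artifact, "version": version, "scope": scope,
             "cves": vulnerable_cves(version)}
            for artifact, version, scope in netty_dependencies(pom_xml)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_POM):
        print(finding)
```

For a real build the same check is `mvn dependency:tree -Dincludes=io.netty`, run in the plugin's working copy, which shows which declared dependency drags in the old netty; the script above only reads one POM and does not resolve parent POMs or dependency management, so treat it as a triage aid rather than a replacement for the Maven resolution the scanner sees.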