Back
Uriya Yavnieli

Uriya Yavnieli

JFrog Security Researcher

Uriya is a Security Researcher at JFrog’s vulnerability research team, where he specializes in low-level research and vulnerability discovery automations. Before joining Vdoo and JFrog, Uriya was a Security Researcher at Cyberbit, bringing experience from previous roles in R&D in the tech unit of the Israeli Defense Force.

The Latest From Uriya Yavnieli

  • Machine Learning Bug Bonanza – Exploiting ML Clients and “Safe” Model Formats
    | 15 min read

    In our previous blog post in this series we showed how the immaturity of the Machine Learning (ML) field allowed our team to discover and disclose 22 unique software vulnerabilities in ML-related projects, and we analyzed some of these vulnerabilities that allowed attackers to exploit various ML services. In this post, we will again dive…

    Read More  

  • Machine Learning Bug Bonanza – Exploiting ML Services
    | 18 min read

    JFrog’s security research team continuously monitors open-source software registries, proactively identifying and addressing potential malware and vulnerability threats to foster a secure and reliable ecosystem for open-source software development and deployment. In our previous research on MLOps we noted the immaturity of the Machine Learning (ML) field often results in a higher amount of discovered…

    Read More  

  • From MLOps to MLOops: Exposing the Attack Surface of Machine Learning Platforms
    | 26 min read

    NOTE: This research was recently presented at Black Hat USA 2024, under the title “From MLOps to MLOops - Exposing the Attack Surface of Machine Learning Platforms”. The JFrog Security Research team recently dedicated its efforts to exploring the various attacks that could be mounted on open source machine learning (MLOps) platforms used inside organizational…

    Read More  

  • Arbitrary File Creation vulnerability in plexus-archiver – CVE-2023-37460
    | 7 min read

    The JFrog Security research team constantly monitors open-source projects to find new vulnerabilities or malicious packages and share them with the wider community to help improve their overall security posture. As part of this effort, the team recently discovered a new security vulnerability in plexus-archiver, an archive creation and extraction package. plexus-archiver is used in…

    Read More  

  • CVE-2021-38297 – Analysis of a Go Web Assembly vulnerability
    | 9 min read

    The JFrog Security Research team continuously monitors reported vulnerabilities in open-source software (OSS) to help our customers and the wider community be aware of potential software supply chain security threats and their impact. In doing so, we often notice important trends and key learnings worth highlighting. The following analysis of a vulnerability discovered in the…

    Read More  

  • SATisfying our way into remote code execution in the OPC UA industrial stack
    | 18 min read

    The JFrog Security team recently competed in the Pwn2Own Miami 2022 hacking competition which focuses on Industrial Control Systems (ICS) security. One of our research targets for the competition was the Unified Automation C++-based OPC UA Server SDK. Other than the vulnerabilities we disclosed as part of the pwn2own competition, we managed to find and…

    Read More  

  • CVE-2022-25845 – Analyzing the Fastjson “Auto Type Bypass” RCE vulnerability
    | 11 min read

    A few weeks ago, a new version for Fastjson was released (1.2.83) which contains a fix for a security vulnerability that allegedly allows an attacker to execute code on a remote machine. According to several publications, this vulnerability allows an attacker to bypass the “AutoTypeCheck” mechanism in Fastjson and achieve remote code execution. This Fastjson…

    Read More  

  • 7 RCE and DoS vulnerabilities Found in ClickHouse DBMS
    | 10 min read

    The JFrog Security research team constantly monitors open-source projects to find new vulnerabilities or malicious packages and share them with the wider community to help improve their overall security posture. As part of this effort, the team recently discovered seven new security vulnerabilities in ClickHouse, a widely used open-source Database Management System (DBMS) dedicated to…

    Read More  

  • Revisiting Realtek – A New Set of Critical Wi-Fi Vulnerabilities Discovered by Automated Zero-Day Analysis
    | 13 min read

    On February 3rd 2021, we responsibly disclosed six critical issues in the Realtek RTL8195A Wi-Fi module, a popular Wi-Fi card found in numerous connected devices such as home and industrial appliances. Following that successful detection and disclosure, we expanded our analysis to additional modules. This new analysis resulted in two new critical vulnerabilities discovered by…

    Read More  

  • Major Vulnerabilities Discovered and Patched in Realtek RTL8195A Wi-Fi Module
    | 12 min read

    In a recent supply chain security assessment, the JFrog security research team (formerly Vdoo) analyzed multiple networking devices for security vulnerabilities and exposures. During the analysis we discovered and responsibly disclosed six major vulnerabilities in Realtek’s RTL8195A Wi-Fi module that these devices were based on. An attacker that exploits the discovered vulnerabilities can gain remote…

    Read More