Welcome to the JFrog Blog

Latest from Xray :

How to Connect the JFrog Platform to Your GitHub Environment to Create a Seamless Integration

May 30, 2024 Batel Zohar, JFrog Developer Advocate Carmit Hershman, JFrog Senior Software Architect, CTO Office

8 min read

The latest JFrog collaboration with GitHub enables you to easily combine your favorite solutions for source code and binaries in a seamless integration. This means you now have a unified comprehensive and secure end-to-end experience that supports your software projects. This integration covers everything from curating open source packages, coding, CI, release management, deployment and…

Read More
CVE-2022-24675 – Stack overflow (exhaustion) in Go’s PEM decoder

CVE-2022-24675 – Stack overflow (exhaustion) in Go’s PEM decoder

April 18, 2022 David Cohen | 4 min read

A few days ago it was reported that the new Go versions 1.18.1 and 1.17.9 contain fixes for a stack overflow vulnerability in the encoding/pem builtin package, in the Decode function. Given the high popularity of Go among our customers and in the industry at large, this update led us to investigate the vulnerability in…
Read More
Secure your git repository with Frogbot the git bot

Secure your git repository with Frogbot the git bot

April 7, 2022 Eyal Ben Moshe | 3 min read

Introducing the newest member of the JFrog ecosystem team - Frogbot. This new git bot tool works for you by protecting your git projects, as they are being developed, from security vulnerabilities. Register for my talk “Bots to Protect your Source Code” swampUP 2022 How does Frogbot work? The concept is simple. Frogbot scans every…
Read More
Your SpringShell (Spring4Shell) Remediation Cookbook Using the JFrog Platform

Your SpringShell (Spring4Shell) Remediation Cookbook Using the JFrog Platform

April 1, 2022 Asaf Cohen and Boaz Blankman, JFrog Security Research Team | 11 min read

A new zero-day exploit in the spring-web package called "SpringShell" (nicknamed “Spring4Shell”) was just leaked and is threatening the internet and the community. The JFrog security research team is investigating the exploit and continuously updating our blog post with technical details on the SpringShell (Spring4Shell) vulnerability.  In this technical blog post, we explain how you…
Read More
Large-scale npm attack targets Azure developers with malicious packages

Large-scale npm attack targets Azure developers with malicious packages

March 23, 2022 Andrey Polkovnychenko and Shachar Menashe | 8 min read

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling to avert potential software supply chain security threats, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Two days ago, several of our automated analyzers started alerting on a set of packages…
Read More
Diving into CVE-2022-23943 – a new Apache memory corruption vulnerability

Diving into CVE-2022-23943 – a new Apache memory corruption vulnerability

March 17, 2022 Brian Moussalli | 7 min read

A few days ago it was reported that the new Apache version 2.4.53 contains fixes for several bugs which exposed the users of the well known HTTP server to attacks: CVE-2022-22719 relates to a bug in the mod_lua modules which may lead to Denial of Service after reading from a random memory Area, CVE-2022-22720 exposes…
Read More
Shift Left for DevSecOps Success

Shift Left for DevSecOps Success

March 10, 2022 Bill Manning, Solutions Architect / Engineering Manager, JFrog | 7 min read

Not long ago, developers built applications with little awareness about security and compliance. Checking for vulnerabilities, misconfigurations and policy violations wasn’t their job. After creating a fully-functional application, they’d throw it over the proverbial fence, and a security team would evaluate it at some point – or maybe never. Those days are gone – due…
Read More
7 RCE and DoS vulnerabilities Found in ClickHouse DBMS

7 RCE and DoS vulnerabilities Found in ClickHouse DBMS

March 15, 2022 Uriya Yavnieli and Or Peles | 10 min read

The JFrog Security research team constantly monitors open-source projects to find new vulnerabilities or malicious packages and share them with the wider community to help improve their overall security posture. As part of this effort, the team recently discovered seven new security vulnerabilities in ClickHouse, a widely used open-source Database Management System (DBMS) dedicated to…
Read More
DirtyPipe (CVE-2022-0847) – the new DirtyCoW?

DirtyPipe (CVE-2022-0847) – the new DirtyCoW?

March 9, 2022 Itay Vaknin | 6 min read

A few days ago, security researcher Max Kellermann published a vulnerability named DirtyPipe which was designated as CVE-2022-0847. This vulnerability affects the Linux kernel and if exploited, can allow a local attacker to gain root privileges. The vulnerability gained extensive media follow-up, since it affects all Linux-based systems with a 5.8 or later kernel, without…
Read More
Customizing the JFrog Xray Horizontal Pod Autoscaler

Customizing the JFrog Xray Horizontal Pod Autoscaler

February 24, 2022 Joey Naor, Developer Support Engineer at JFrog | 5 min read

In cloud native computing (Kubernetes in our case), there is a requirement to automatically scale the compute resources used for performing a task. The autoscaling cloud computer strategy allows to dynamically adjust the active number of application servers and allocated resources instead of responding manually in real-time to traffic surges that necessitate more resources and…
Read More
JFrog Discloses 5 Memory Corruption Vulnerabilities in PJSIP – A Popular Multimedia Library

JFrog Discloses 5 Memory Corruption Vulnerabilities in PJSIP – A Popular Multimedia Library

March 1, 2022 Uriya Yavniely | 6 min read

Update 03/03/22 - Added clarification about vulnerable applications JFrog’s Security Research team is constantly looking for new and previously unknown security vulnerabilities in popular open-source projects to help improve their security posture. As part of this effort, we recently discovered 5 security vulnerabilities in PJSIP, a widely used open-source multimedia communication library developed by Teluu. By…
Read More

Popular Tags