Welcome to the JFrog Blog

Latest from Xray :

How to Connect the JFrog Platform to Your GitHub Environment to Create a Seamless Integration

May 30, 2024 Batel Zohar, JFrog Developer Advocate Carmit Hershman, JFrog Senior Software Architect, CTO Office

8 min read

The latest JFrog collaboration with GitHub enables you to easily combine your favorite solutions for source code and binaries in a seamless integration. This means you now have a unified comprehensive and secure end-to-end experience that supports your software projects. This integration covers everything from curating open source packages, coding, CI, release management, deployment and…

Read More
Xray: New Year, New Security Features

Xray: New Year, New Security Features

February 16, 2022 Paul Garden, JFrog Product Marketing Manager | 5 min read

As part of our ongoing efforts to offer you the most comprehensive and advanced SDLC protection capabilities, JFrog continues to boost the capabilities of our JFrog Xray security and compliance product. In this blog, we offer an overview of recent Xray improvements, all aimed at helping you fortify your software, reduce risk, scale security, streamline…
Read More
Malware Civil War – Malicious npm Packages Targeting Malware Authors

Malware Civil War – Malicious npm Packages Targeting Malware Authors

February 22, 2022 Andrey Polkovnychenko and Shachar Menashe | 6 min read

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling to avert potential software supply chain security threats, and reports any security vulnerability or malicious packages discovered to repository maintainers and the wider community. Most recently we disclosed 25 malicious packages in the npm repository that were picked up…
Read More
CVE-2021-44521: Exploiting Apache Cassandra User-Defined Functions for Remote Code Execution

CVE-2021-44521: Exploiting Apache Cassandra User-Defined Functions for Remote Code Execution

February 15, 2022 Omer Kaspi | 11 min read

JFrog’s Security Research team recently disclosed an RCE (remote code execution) issue in Apache Cassandra, which has been assigned to CVE-2021-44521 (CVSS 8.4). This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra. Cassandra is a highly scalable, distributed…
Read More
JFrog Discloses 3 Remote Access Trojans in PyPI

JFrog Discloses 3 Remote Access Trojans in PyPI

February 14, 2022 Andrey Polkovnychenko and Shachar Menashe | 4 min read

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling to detect and avert potential software supply chain security threats. After validating the findings, the team reports any security vulnerabilities or malicious packages discovered to repository maintainers and the wider community. We have previously shared details on our…
Read More
JFrog Took Security to New Heights in 2021

JFrog Took Security to New Heights in 2021

February 9, 2022 Asaf Karas, JFrog Security CTO | 6 min read

With security now a critical “must have” for DevOps teams, JFrog significantly deepened and extended our platform’s already solid security capabilities in 2021. In this post, we’ll look back at our major advances last year – and look forward at what’s to come in 2022.  Our goal: To explain how we’re providing to our customers…
Read More
CVE-2021-44142: Critical Samba Vulnerability Allows Remote Code Execution

CVE-2021-44142: Critical Samba Vulnerability Allows Remote Code Execution

February 8, 2022 Itay Vaknin, Brian Moussalli | 9 min read

Recently, a critical out-of-bounds vulnerability, assigned to CVE-2021-44142, was disclosed in Samba versions prior to 4.13.17. The Samba vulnerability carries a critical CVSS of 9.9 and allows attackers to remotely execute code on machines running a Samba server with a vulnerable configuration. The vulnerability was disclosed as part of the Pwn2Own Austin competition where researchers…
Read More
Mind Your Dependencies: Defending against malicious npm packages

Mind Your Dependencies: Defending against malicious npm packages

January 25, 2022 Ilya Khivrich | 6 min read

Modern software projects are mostly composed of open source code. The question of who really controls this code, and is responsible for detecting and fixing software supply chain security issues, became a significant source of concern after the discovery of the Log4Shell vulnerability. In a more recent development, the highly popular colors and faker npm…
Read More
No Internet? No Problem. Use Xray with an Air Gap – Part II

No Internet? No Problem. Use Xray with an Air Gap – Part II

January 19, 2022 Tal Yitzhak | 6 min read

With software supply chain attacks on the rise, implementing DevSecOps best practices in an air gapped environment is a must. In an effort to secure an organization’s internal network, there is an increasing trend of separating the internal network from the external one. Essentially creating an enclosed and disconnected environment from the public internet. An…
Read More
JFrog’s Best DevSecOps Blogs of 2021

JFrog’s Best DevSecOps Blogs of 2021

January 13, 2022 JFrog Team | 7 min read

Always a concern for DevOps teams, security has now become a critical part of developing and releasing software – a reality reflected on the sharp increase in JFrog blogs about DevSecOps. In fact, we generated so many hard-hitting and instructive blogs about security and compliance in 2021 that we decided our DevSecOps coverage deserved its…
Read More
The JNDI Strikes Back – Unauthenticated RCE in H2 Database Console

The JNDI Strikes Back – Unauthenticated RCE in H2 Database Console

January 6, 2022 Andrey Polkovnychenko and Shachar Menashe | 12 min read

Update 07/01/22 - Added credit to researcher @pyn3rd for similar independent previous findings in Acknowledgements section A short preamble Very recently, the JFrog security research team has disclosed an issue in the H2 database console which was issued a critical CVE - CVE-2021-42392. This issue has the same root cause as the infamous Log4Shell vulnerability…
Read More

Popular Tags