Welcome to the JFrog Blog

Latest from Xray :

GitHub and JFrog Partner To Unify Code and Binaries for DevSecOps

May 29, 2024 Thomas Dohmke, GitHub CEO Shlomi Ben Haim, JFrog CEO and Co-Founder

5 min read

Note: This post is co-authored by JFrog and GitHub and has also been published on the GitHub blog As the volume of code continues to grow exponentially, software developers, DevOps engineers, operations teams, security specialists, and everyone else who touches code are increasingly spending their time in the weeds of securing, delivering, and scaling software.…

Read More
CVE-2022-25845 – Analyzing the Fastjson “Auto Type Bypass” RCE vulnerability

CVE-2022-25845 – Analyzing the Fastjson “Auto Type Bypass” RCE vulnerability

June 14, 2022 Uriya Yavnieli | 11 min read

A few weeks ago, a new version for Fastjson was released (1.2.83) which contains a fix for a security vulnerability that allegedly allows an attacker to execute code on a remote machine. According to several publications, this vulnerability allows an attacker to bypass the “AutoTypeCheck” mechanism in Fastjson and achieve remote code execution. This Fastjson…
Read More
Denial of Service Vulnerability in Envoy Proxy – CVE-2022-29225

Denial of Service Vulnerability in Envoy Proxy – CVE-2022-29225

June 9, 2022 Ori Hollander, JFrog Security Research | 4 min read

The JFrog Security Research team is constantly looking for new and previously unknown software vulnerabilities in popular open-source projects to help improve their security posture. As part of this effort, we recently discovered a denial of service (DoS) vulnerability in Envoy Proxy, a widely used open-source edge and service proxy server, designed for cloud-native applications…
Read More
Npm Package Hijacking Through Domain Takeover: How Bad is this “New” Attack?

Npm Package Hijacking Through Domain Takeover: How Bad is this “New” Attack?

May 24, 2022 Andrey Polkovnychenko and Shachar Menashe | 11 min read

When relying on a 3rd-party package from a non-commercial entity, there is always the risk of lack of support, especially when it comes to outdated packages and versions. If the package stops being maintained, nobody will implement a new feature we might need or fix a newly-discovered security vulnerability. Consider, for example, CVE-2019-17571. A critical…
Read More
JFrog & Industry Leaders Join White House Summit on Open Source Software Security

JFrog & Industry Leaders Join White House Summit on Open Source Software Security

May 18, 2022 Stephen Chin, VP of Developer Relations, JFrog | 6 min read

There’s no question the volume, sophistication and severity of software supply chain attacks has increased in the last year. In recent months the JFrog Security Research team tracked nearly 20 different open source software supply chain attacks – two of which were zero day threats. This steady barrage of vulnerabilities and malicious packages is driving…
Read More
How to Prevent the Next Log4j Style Zero-Day Vulnerability

How to Prevent the Next Log4j Style Zero-Day Vulnerability

May 17, 2022 Asaf Karas, Oren Ish-Shalom, Ilya Khivrich | 8 min read

Note: This blog post was previously published on Dark Reading Software testing is notoriously hard. Search Google for CVEs caused by basic CRLF (newline character) issues and you’ll see thousands of entries. Humanity has been able to put a man on the moon, but it hasn’t yet found a proper way to handle line endings…
Read More
Scan your software packages for security vulnerabilities with JFrog Xray

Scan your software packages for security vulnerabilities with JFrog Xray

May 17, 2022 Robi Nino and Michael Sverdlov | 4 min read

Scanning your packages for security vulnerabilities and license violations with SCA Tools should be done as early as possible in your SDLC, and the earlier the better. This concept is also known as “Shifting Left”, which helps your organization comply with security policies and standards early on in the software development process. As developers, this…
Read More
Npm Supply Chain Attack Targets Germany-based Companies with Dangerous Backdoor Malware

Npm Supply Chain Attack Targets Germany-based Companies with Dangerous Backdoor Malware

May 10, 2022 Andrey Polkovnychenko and Shachar Menashe | 9 min read

Update May 11th: Following the publication of this blog post, a penetration testing company called "Code White" took responsibility for this dependency confusion attack The JFrog Security research team constantly monitors the npm and PyPI ecosystems for malicious packages that may lead to widespread software supply chain attacks. Last month, we shared a widespread npm…
Read More
DevSecOps 101 Webinar Series

DevSecOps 101 Webinar Series

April 28, 2022 JFrog Team | 2 min read

Security should be embedded into the DevOps workflow by default, but for many organizations, it isn't. Enter "DevSecOps". What is DevSecOps? It is a practice to build more secure applications, secure the software supply chain, and secure cloud and on-prem workloads. It is an essential practice that needs visibility. Our new “DevSecOps 101” webinar series…
Read More
CVE-2022-21449 “Psychic Signatures”: Analyzing the New Java Crypto Vulnerability

CVE-2022-21449 “Psychic Signatures”: Analyzing the New Java Crypto Vulnerability

April 21, 2022 Brian Moussalli, JFrog Security Research Team | 5 min read

A few days ago, security researcher Neil Madden published a blog post, in which he provided details about a newly disclosed vulnerability in Java, CVE-2022-21449 or "Psychic Signatures". This security vulnerability originates in an improper implementation of the ECDSA signature verification algorithm, introduced in Java 15. This vulnerability allows an attacker to potentially intercept communication…
Read More

Popular Tags