Welcome to the JFrog Blog

Latest:

CVE-2024-6197 Curl and Libcurl: Use-after-Free on the Stack

December 18, 2024 Ben Gross, Security Researcher Yair Mizrahi, JFrog Security Research Team Leader

12 min read

On July 24th 2024, Curl maintainers announced a new stack buffer Use After Free (UAF) vulnerability - CVE-2024-6197. This type of vulnerability is very uncommon since UAF issues usually occur on the heap and not on the stack. While the vulnerability can be easily exploited for causing denial of service, in this blog we will…

Read More

All Blogs

Machine Learning Bug Bonanza – Exploiting ML Clients and “Safe” Model Formats

Machine Learning Bug Bonanza – Exploiting ML Clients and “Safe” Model Formats

December 4, 2024 Shachar Menashe, JFrog VP Security Research Or Peles, JFrog Vulnerability Research Team Leader Ori Hollander, JFrog Security Researcher Uriya Yavnieli, JFrog Security Researcher | 15 min read

In our previous blog post in this series we showed how the immaturity of the Machine Learning (ML) field allowed our team to discover and disclose 22 unique software vulnerabilities in ML-related projects, and we analyzed some of these vulnerabilities that allowed attackers to exploit various ML services. In this post, we will again dive…
Read More
CVE-2024-10524 Wget Zero Day Vulnerability

CVE-2024-10524 Wget Zero Day Vulnerability

November 18, 2024 Goni Golan, Junior Security Researcher, JFrog Security | 8 min read

While researching CVE-2024-38428 in GNU’s Wget, our team found a new 0-day vulnerability. The vulnerability, later assigned CVE-2024-10524, may lead to various types of attacks - including phishing, SSRF, and MiTM. These attacks can have severe consequences such as resource restriction bypass and sensitive information exposure. Upon discovering this vulnerability, our team responsibly disclosed it…
Read More
Machine Learning Bug Bonanza – Exploiting ML Services

Machine Learning Bug Bonanza – Exploiting ML Services

November 4, 2024 Shachar Menashe, JFrog VP Security Research Or Peles, JFrog Vulnerability Research Team Leader Natan Nehorai, JFrog Application Security Researcher Ori Hollander, JFrog Security Researcher Uriya Yavnieli, JFrog Security Researcher | 18 min read

JFrog’s security research team continuously monitors open-source software registries, proactively identifying and addressing potential malware and vulnerability threats to foster a secure and reliable ecosystem for open-source software development and deployment. In our previous research on MLOps we noted the immaturity of the Machine Learning (ML) field often results in a higher amount of discovered…
Read More
swampUP Recap: “EveryOps” is Trending as a Software Development Requirement

swampUP Recap: “EveryOps” is Trending as a Software Development Requirement

October 23, 2024 The JFrog Team | 6 min read

swampUP 2024, the annual JFrog DevOps Conference, was unique in it’s addressing not only more familiar DevOps and DevSecOps issues, but adding specific operational challenges, stemming from the explosive growth of GenAI and the resulting need for specialized capabilities for handling AI models and datasets, while supporting new personae such as AI/ML engineers, data scientists…
Read More
Mitigating Image Integrity Violations: A Real-World Example in Runtime Environments

Mitigating Image Integrity Violations: A Real-World Example in Runtime Environments

October 17, 2024 Asaf Ezra, R&D Group Leader, JFrog Ariel Antoni, Senior Product Manager, JFrog | 9 min read

In the never-ending quest to speed up software release cycles, ensuring the security and integrity of application artifacts has never been more critical. As applications are continuously built, tested, and deployed, every element of the software pipeline—from source code to container images—needs to be trusted and verifiable. A key aspect of maintaining this trust is…
Read More
JFrog Discloses 3 Remote Access Trojans in PyPI

JFrog Discloses 3 Remote Access Trojans in PyPI

February 14, 2022 Andrey Polkovnychenko and Shachar Menashe | 4 min read

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling to detect and avert potential software supply chain security threats. After validating the findings, the team reports any security vulnerabilities or malicious packages discovered to repository maintainers and the wider community. We have previously shared details on our…
Read More
Unix CUPS Unauthenticated RCE Zero-Day Vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177): All you need to know

Unix CUPS Unauthenticated RCE Zero-Day Vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177): All you need to know

September 27, 2024 Shachar Menashe, JFrog VP Security Research Yair Mizrahi , JFrog Security Research Team Leader | 7 min read

On September 23rd, Twitter user Simone Margaritelli (@evilsocket) announced that he has discovered and privately disclosed a CVSS 9.9 GNU/Linux unauthenticated RCE, which affects almost all Linux distributions, and that the public disclosure will happen on September 30th, Due to a suspected leak in the disclosure process, @evilsocket decided to advance the disclosure, and on…
Read More
JFrog Unveils First Runtime Security Solution to Deliver Complete Software Integrity and Lineage from Code to Cloud

JFrog Unveils First Runtime Security Solution to Deliver Complete Software Integrity and Lineage from Code to Cloud

September 10, 2024 Asaf Karas, CTO Security, JFrog | 5 min read

When it comes to software supply chain security, we all do everything we can to prevent insecure software from being released into production. Hence we see software supply chain security shifting left to discover potential threats as early as possible in the software development lifecycle. But what happens when vulnerabilities are only discovered after an…
Read More
Revival Hijack – PyPI hijack technique exploited in the wild, puts 22K packages at risk

Revival Hijack – PyPI hijack technique exploited in the wild, puts 22K packages at risk

September 4, 2024 Andrey Polkovnichenko, JFrog Security Researcher Brian Moussalli, JFrog Malware Research Team Leader | 18 min read

JFrog's security research team continuously monitors open-source software registries, proactively identifying and addressing potential malware and vulnerability threats to foster a secure and reliable ecosystem for open-source software development and deployment. This blog details a PyPI supply chain attack technique the JFrog research team discovered had been recently exploited in the wild. This attack technique…
Read More
From MLOps to MLOops: Exposing the Attack Surface of Machine Learning Platforms

From MLOps to MLOops: Exposing the Attack Surface of Machine Learning Platforms

August 20, 2024 Ori Hollander, JFrog Security Researcher Shachar Menashe, JFrog VP Security Research Natan Nehorai, JFrog Application Security Researcher Uriya Yavnieli, JFrog Security Researcher | 26 min read

NOTE: This research was recently presented at Black Hat USA 2024, under the title “From MLOps to MLOops - Exposing the Attack Surface of Machine Learning Platforms”. The JFrog Security Research team recently dedicated its efforts to exploring the various attacks that could be mounted on open source machine learning (MLOps) platforms used inside organizational…
Read More

Popular Tags