how-to Archives

SHARE:

Critical Vulnerability in HAProxy (CVE-2021-40346): Integer Overflow Enables HTTP Smuggling

September 07, 2021

JFrog Security research teams are constantly looking for new and previously unknown vulnerabilities in popular open-source projects to help improve their security posture. As part of this effort, we recently discovered a potentially critical vulnerability in HAProxy, a widely used open-source load balancer proxy server that is particularly suited for very high traffic web sites …

TensorFlow Python code injection 203x148

SHARE:

TensorFlow Python Code Injection: More eval() Woes

November 16, 2021

Background JFrog security research team (formerly Vdoo) has recently disclosed a code injection issue in one of the utilities shipped with TensorFlow, a popular Machine Learning platform that’s widely used in the industry. The issue has been assigned to CVE-2021-41228. Read more about our previous, similar disclosure in Yamale in our previous blog post. The …

JFrog Advanced Security - 1 Secrets Detection - The full report

SHARE:

JFrog’s security scanners discovered thousands of publicly exposed API tokens – and they’re active! The Full Report

November 08, 2022

Note: This report was previously published in InfoWorld When developing the recently announced JFrog Advanced Security, our Research team decided to try out its new “Secrets Detection” feature. Our goal was to test our vulnerability detection on as much real world data as possible, to make sure we eliminate false positives and catch any bugs …

SHARE:

Combine Copilot and JFrog Artifactory for Maximum Efficiency

August 07, 2023

Writing clean and efficient code can be time consuming, but with the right tools, it can be much easier. In this blog post, we will explore how to use Copilot for code autocompletion and JFrog Artifactory for your package management. What is Copilot? GitHub Copilot is an AI-powered code auto completion tool developed by OpenAI …

Contextual Analysis Scans with JFrog CLI

SHARE:

Don’t waste time on irrelevant false positive alerts in your source code

July 04, 2023

Are you tired of using security tools that generate endless results, making it impossible to identify actual risks? Do you struggle with inefficient prioritization due to a lack of context, making the process of assessing and remediating vulnerabilities a time-consuming nightmare? Look no further than JFrog’s Contextual Analysis, available as part of the “jf audit” …

SHARE:

New .NET Malware “WhiteSnake” Targets Python Developers, Uses Tor for C&C Communication

April 24, 2023

The JFrog Security Research team recently discovered a new malware payload in the PyPI repository, written in C#. This is uncommon since PyPI is primarily a repository for Python packages, and its codebase consists mostly of Python code, or natively compiled libraries used by Python programs. This finding raised our concerns about the potential for …

JAS Contextual Analysis WebGoat Application

SHARE:

Testing the actual security of the most insecure Docker application

February 28, 2023

Our previous research on CVE exploitability in the top DockerHub images discovered that 78% of the reported CVEs were actually not exploitable. This time, the JFrog Security Research team used JFrog Xray’s Contextual Analysis feature, automatically analyzing the applicability of reported CVEs, to scan OWASP WebGoat – a deliberately insecure application. The results identified that …

SHARE:

Watch out for DoS when using Rust’s popular Hyper package

January 05, 2023

The JFrog Security Research team is constantly looking for new and previously unknown vulnerabilities and security issues in popular open-source projects to help improve their security posture and defend the wider software supply chain. As part of this effort, we recently discovered and disclosed multiple vulnerabilities in popular Rust projects such as Axum, Salvo and …

SHARE:

Latest LastPass security breach highlights developers as a high-value target

December 29, 2022

Last August, the maintainers of the LastPass cloud-based password manager tool reported a security breach in their servers. The disclosure maintained that an unauthorized party gained access to the LastPass development environment through a single compromised developer account. However – while source code and technical information was stolen, no user data was compromised and no …

PyPI malware are starting to employ Anti-Debug techniques

SHARE:

PyPI malware creators are starting to employ Anti-Debug techniques

December 13, 2022

The JFrog Security Research team continuously monitors popular open-source software (OSS) repositories with our automated tooling, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Most PyPI malware today tries to avoid static detection using various techniques: starting from primitive variable mangling to sophisticated code flattening and steganography techniques. …

Critical Vulnerability in HAProxy (CVE-2021-40346): Integer Overflow Enables HTTP Smuggling

TensorFlow Python Code Injection: More eval() Woes

JFrog’s security scanners discovered thousands of publicly exposed API tokens – and they’re active! The Full Report

Combine Copilot and JFrog Artifactory for Maximum Efficiency

Don’t waste time on irrelevant false positive alerts in your source code

New .NET Malware “WhiteSnake” Targets Python Developers, Uses Tor for C&C Communication

Testing the actual security of the most insecure Docker application

Watch out for DoS when using Rust’s popular Hyper package

Latest LastPass security breach highlights developers as a high-value target

PyPI malware creators are starting to employ Anti-Debug techniques

Popular Tags