security-research Archives

SHARE:

*nix libX11: Uncovering and exploiting a 35-year-old vulnerability – Part 2 of 2

January 24, 2024

The JFrog Security research team has recently discovered two security vulnerabilities in X.Org libX11, the widely popular graphics library – CVE-2023-43786 and CVE-2023-43787 (with a high NVD severity CVSS 7.8). These vulnerabilities cause a denial-of-service and remote code execution. X11’s latest versions contain fixes for these vulnerabilities. The team constantly monitors open-source projects to find …

SHARE:

*nix libX11: Uncovering and exploiting a 35-year-old vulnerability – Part 1 of 2

January 17, 2024

The JFrog Security research team has recently discovered two security vulnerabilities in X.Org libX11, the widely popular graphics library – CVE-2023-43786 and CVE-2023-43787 (with a high NVD severity CVSS 7.8). These vulnerabilities cause a denial-of-service and remote code execution. X11’s latest versions contain fixes for these vulnerabilities. The team constantly monitors open-source projects to find …

SHARE:

Top JFrog Security Research Blogs of the Year

January 12, 2024

With over 29,000 CVEs and 5.5 billion malware attacks recorded in the past year, it’s no wonder that software supply chain security is a top priority for enterprise developers on a global scale. That is also why JFrog Security Research has been instrumental in identifying and analyzing the biggest threats and devising methods to protect …

SHARE:

SSH protocol flaw – Terrapin Attack CVE-2023-48795: All you need to know

December 25, 2023

The SSH Terrapin attack (CVE-2023-48795) has recently caught attention, targeting the SSH protocol security by truncating cryptographic information. The inherent flaw in the SSH protocol itself affects a wide range of SSH client and server implementations. Following our initial research communication, this post will detail its fundamentals and impact. Affected Implementations Terrapin Attack Exploitation Impacts …

dome over boxes to show security over software packages

SHARE:

N-Day Hijack: Analyzing the lifespan of package hijacking attacks

December 14, 2023

Software package hijacking has become a prominent concern for individuals, businesses, and the cybersecurity community at large. We’ve seen this new threat trend rise over the past couple of years, with the potential to severely impact the software supply chain by attackers exploiting software packages to execute malicious code. This blog post details a case …

SHARE:

Critical Vulnerability in HAProxy (CVE-2021-40346): Integer Overflow Enables HTTP Smuggling

September 07, 2021

JFrog Security research teams are constantly looking for new and previously unknown vulnerabilities in popular open-source projects to help improve their security posture. As part of this effort, we recently discovered a potentially critical vulnerability in HAProxy, a widely used open-source load balancer proxy server that is particularly suited for very high traffic web sites …

SHARE:

Is TensorFlow Keras “Safe Mode” Actually Safe? Bypassing safe_mode Mitigation to Achieve Arbitrary Code Execution

March 12, 2025

Update: This issue was discovered and disclosed independently to Keras by JFrog’s research team and Peng Zhou. Machine learning frameworks often rely on serialization and deserialization mechanisms to store and load models. However, improper code isolation and executable components in the models can lead to severe security risks. The structure of the Keras v3 ML Model …

SHARE:

Arbitrary File Creation vulnerability in plexus-archiver – CVE-2023-37460

October 24, 2023

The JFrog Security research team constantly monitors open-source projects to find new vulnerabilities or malicious packages and share them with the wider community to help improve their overall security posture. As part of this effort, the team recently discovered a new security vulnerability in plexus-archiver, an archive creation and extraction package. plexus-archiver is used in …

SHARE:

CVE-2023-38545 & CVE-2023-38546 Curl and libcurl Vulnerabilities: All you need to know

October 10, 2023

Update – October 11, 2023: This blog has been updated to include all the details that have been published about the vulnerabilities. On Wednesday, October 4th 2023, Daniel Stenberg, one of Curl’s core maintainers announced that a forthcoming release of Curl, version 8.4.0, is scheduled to be available on October 11th 2023 at approximately 06:00 …

SHARE:

Spring WebFlux – CVE-2023-34034 – Write-Up and Proof-of-Concept

August 08, 2023

Spring Security’s newly released versions contain a fix for a broken access control vulnerability – CVE-2023-34034 – which was given a critical NVD severity (CVSS 9.8) and a high severity by Spring’s maintainers. Given the severe potential impact of the vulnerability on Spring WebFlux applications (that use Spring Security for authentication and access control), its …

*nix libX11: Uncovering and exploiting a 35-year-old vulnerability – Part 2 of 2

*nix libX11: Uncovering and exploiting a 35-year-old vulnerability – Part 1 of 2

Top JFrog Security Research Blogs of the Year

SSH protocol flaw – Terrapin Attack CVE-2023-48795: All you need to know

N-Day Hijack: Analyzing the lifespan of package hijacking attacks

Critical Vulnerability in HAProxy (CVE-2021-40346): Integer Overflow Enables HTTP Smuggling

Is TensorFlow Keras “Safe Mode” Actually Safe? Bypassing safe_mode Mitigation to Achieve Arbitrary Code Execution

Arbitrary File Creation vulnerability in plexus-archiver – CVE-2023-37460

CVE-2023-38545 & CVE-2023-38546 Curl and libcurl Vulnerabilities: All you need to know

Spring WebFlux – CVE-2023-34034 – Write-Up and Proof-of-Concept

Popular Tags