Blog Home
5 Memory Corruption Vulnerabilities in PJSIP

JFrog Discloses 5 Memory Corruption Vulnerabilities in PJSIP – A Popular Multimedia Library
March 01, 2022

Update 03/03/22 – Added clarification about vulnerable applications JFrog’s Security Research team is constantly looking for new and previously unknown security vulnerabilities in popular open-source projects to help improve their security posture. As part of this effort, we recently discovered 5 security vulnerabilities in PJSIP, a widely used open-source multimedia communication library developed by Teluu. By …

Read More
JFrog Advanced Security - 1 Secrets Detection - The full report

JFrog’s security scanners discovered thousands of publicly exposed API tokens – and they’re active! The Full Report
November 08, 2022

Note: This report was previously published in InfoWorld When developing the recently announced JFrog Advanced Security, our Research team decided to try out its new “Secrets Detection” feature. Our goal was to test our vulnerability detection on as much real world data as possible, to make sure we eliminate false positives and catch any bugs …

Read More
Safe-mode_Thumbnail

Is TensorFlow Keras “Safe Mode” Actually Safe? Bypassing safe_mode Mitigation to Achieve Arbitrary Code Execution
March 12, 2025

Update: This issue was discovered and disclosed independently to Keras by JFrog’s research team and Peng Zhou. Machine learning frameworks often rely on serialization and deserialization mechanisms to store and load models. However, improper code isolation and executable components in the models can lead to severe security risks. The structure of the Keras v3 ML Model …

Read More
plexus-archiver - CVE-2023-37460

Arbitrary File Creation vulnerability in plexus-archiver – CVE-2023-37460
October 24, 2023

The JFrog Security research team constantly monitors open-source projects to find new vulnerabilities or malicious packages and share them with the wider community to help improve their overall security posture. As part of this effort, the team recently discovered a new security vulnerability in plexus-archiver, an archive creation and extraction package. plexus-archiver is used in …

Read More
Spring Security - CVE-2023-34034

Spring WebFlux – CVE-2023-34034 – Write-Up and Proof-of-Concept
August 08, 2023

Spring Security’s newly released versions contain a fix for a broken access control vulnerability – CVE-2023-34034 – which was given a critical NVD severity (CVSS 9.8) and a high severity by Spring’s maintainers. Given the severe potential impact of the vulnerability on Spring WebFlux applications (that use Spring Security for authentication and access control), its …

Read More

Analyzing Impala Stealer – Payload of the first NuGet attack campaign
April 10, 2023

Analyzing Impala Stealer – Payload of the first NuGet attack campaign In this blog post, we’ll provide a detailed analysis of a malicious payload we’ve dubbed “Impala Stealer”, a custom crypto stealer which was used as the payload for the NuGet malicious packages campaign we’ve exposed in our previous post. The sophisticated campaign targeted .NET …

Read More
Open SSH Sandbox

Examining OpenSSH Sandboxing and Privilege Separation – Attack Surface Analysis
March 14, 2023

The recent OpenSSH double-free vulnerability – CVE-2023-25136, created a lot of interest and confusion regarding OpenSSH’s custom security mechanisms – Sandbox and Privilege Separation. Until now, both of these security mechanisms were somewhat unnoticed and only partially documented. The double-free vulnerability raised interest for those who were affected and those controlling servers that use OpenSSH. …

Read More

Popular Tags