Devops Resources Home
Terrapin Attack

SSH protocol flaw โ€“ Terrapin Attack CVE-2023-48795: All you need to know
December 25, 2023

The SSH Terrapin attack (CVE-2023-48795) has recently caught attention, targeting the SSH protocol security by truncating cryptographic information. The inherent flaw in the SSH protocol itself affects a wide range of SSH client and server implementations. Following our initial research communication, this post will detail its fundamentals and impact. Affected Implementations Terrapin Attack Exploitation Impacts โ€ฆ

Read More
JFrog Access and AWS AssumeRoll enhance Kuernetes security.

Empowering Kubernetes Security: JFrogโ€™s Seamless Integration with AWS AssumeRole
December 15, 2023

Security Use Cases for AWS AssumeRole In the fast-paced environment of cloud-native apps, security and seamless connections are a priority. Many DevOps and SecOps professionals use Kubernetes native features to handle their container security, keeping a tight grip on access and secrets to improve security posture. The integration between AWS AssumeRole and JFrog Access in โ€ฆ

Read More
dome over boxes to show security over software packages

N-Day Hijack: Analyzing the lifespan of package hijacking attacks
December 14, 2023

Software package hijacking has become a prominent concern for individuals, businesses, and the cybersecurity community at large. Weโ€™ve seen this new threat trend rise over the past couple of years, with the potential to severely impact the software supply chain by attackers exploiting software packages to execute malicious code. This blog post details a case โ€ฆ

Read More
CVE-2021-44521 - Exploiting Apache Cassandra User-Defined Functions

CVE-2021-44521: Exploiting Apache Cassandra User-Defined Functions for Remote Code Execution
February 15, 2022

JFrogโ€™s Security Research team recently disclosed an RCE (remote code execution) issue in Apache Cassandra, which has been assigned to CVE-2021-44521 (CVSS 8.4). This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra. Cassandra is a highly scalable, distributed โ€ฆ

Read More
Log4j Log4shell vulnerability Questions and Answers

Log4j Log4Shell Vulnerability Q&A
December 21, 2021

In our recent webinar, Log4j Log4Shell Vulnerability Explained: All You Need To Know, our  Senior Director Security Research expert Shachar Menashe shared information on the security issue and how to detect and remediate it. We are happy to share additional information in the following Q&A, based on the questions raised during the webinar. The Log4j โ€ฆ

Read More
Leveraging Typosquatting for Crypto Mining

Developers Under Attack โ€“ Leveraging Typosquatting for Crypto Mining
June 24, 2021

Reviewers: Shachar Menashe, Sr. Director Security Research Itay Vaknin, Threat Intelligence Researcher The complexity of the modern software development process and its reliance on large community-maintained codebases introduces a risk for developers to inadvertently include malicious code into the project. The implications can be severe: in many cases, it can mean a complete takeover of โ€ฆ

Read More
HAProxy Vulnerability

Critical Vulnerability in HAProxy (CVE-2021-40346): Integer Overflow Enables HTTP Smuggling
September 07, 2021

JFrog Security research teams are constantly looking for new and previously unknown vulnerabilities in popular open-source projects to help improve their security posture. As part of this effort, we recently discovered a potentially critical vulnerability in HAProxy, a widely used open-source load balancer proxy server that is particularly suited for very high traffic web sites โ€ฆ

Read More
TensorFlow Python code injection 203x148

TensorFlow Python Code Injection: More eval() Woes
November 16, 2021

Background JFrog security research team (formerly Vdoo) has recently disclosed a code injection issue in one of the utilities shipped with TensorFlow, a popular Machine Learning platform thatโ€™s widely used in the industry. The issue has been assigned to CVE-2021-41228. Read more about our previous, similar disclosure in Yamale in our previous blog post. The โ€ฆ

Read More
5 Memory Corruption Vulnerabilities in PJSIP

JFrog Discloses 5 Memory Corruption Vulnerabilities in PJSIP โ€“ A Popular Multimedia Library
March 01, 2022

Update 03/03/22 โ€“ Added clarification about vulnerable applications JFrogโ€™s Security Research team is constantly looking for new and previously unknown security vulnerabilities in popular open-source projects to help improve their security posture. As part of this effort, we recently discovered 5 security vulnerabilities in PJSIP, a widely used open-source multimedia communication library developed by Teluu. By โ€ฆ

Read More
JFrog Advanced Security - 1 Secrets Detection - The full report

JFrogโ€™s security scanners discovered thousands of publicly exposed API tokens โ€“ and theyโ€™re active! The Full Report
November 08, 2022

Note: This report was previously published in InfoWorld When developing the recently announced JFrog Advanced Security, our Research team decided to try out its new โ€œSecrets Detectionโ€ feature. Our goal was to test our vulnerability detection on as much real world data as possible, to make sure we eliminate false positives and catch any bugs โ€ฆ

Read More

Popular Tags