Blog Home
Contextual Analysis for Python, Java, and JavaScript with JFrog Frogbot

Contextual Analysis for Python, Java, and JavaScript Projects with JFrog Frogbot
September 08, 2023

When scanning packages, CVE (Common Vulnerabilities and Exposures) scanners can find thousands of vulnerabilities. This leaves developers with the painstaking task of sifting through long lists of vulnerabilities to identify the relevance of each, only to find that many vulnerabilities don’t affect their artifacts at all. Vulnerability Contextual Analysis uses the artifact context to eliminate …

Read More
Spring Security - CVE-2023-34034

Spring WebFlux – CVE-2023-34034 – Write-Up and Proof-of-Concept
August 08, 2023

包含Spring安全的新发布的版本a fix for a broken access control vulnerability – CVE-2023-34034 – which was given a critical NVD severity (CVSS 9.8) and a high severity by Spring’s maintainers. Given the severe potential impact of the vulnerability on Spring WebFlux applications (that use Spring Security for authentication and access control), its …

Read More
OpenSSH Pre-Auth Double Free CVE-2023-25136 Writeup and PoC

OpenSSH Pre-Auth Double Free CVE-2023-25136 – Writeup and Proof-of-Concept
February 08, 2023

OpenSSH’s newly released version 9.2p1 contains a fix for a double-free vulnerability. Given the severe potential impact of the vulnerability on OpenSSH servers (DoS/RCE) and its high popularity in the industry, this security fix prompted the JFrog Security Research team to investigate the vulnerability. This blog post provides details on the vulnerability, who is affected, …

Read More
CVE-2021-38297 - Analysis of a Go Web Assembly vulnerability

CVE-2021-38297 – Analysis of a Go Web Assembly vulnerability
August 30, 2022

The JFrog Security Research team continuously monitors reported vulnerabilities in open-source software (OSS) to help our customers and the wider community be aware of potential software supply chain security threats and their impact. In doing so, we often notice important trends and key learnings worth highlighting. The following analysis of a vulnerability discovered in the …

Read More
Fastjson RCE vulnerability response

CVE-2022-25845 – Analyzing the Fastjson “Auto Type Bypass” RCE vulnerability
June 14, 2022

A few weeks ago, a new version for Fastjson was released (1.2.83) which contains a fix for a security vulnerability that allegedly allows an attacker to execute code on a remote machine. According to several publications, this vulnerability allows an attacker to bypass the “AutoTypeCheck” mechanism in Fastjson and achieve remote code execution. This Fastjson …

Read More
JNDI - Unauthenticated RCE in H2 Database Console

CVE-2022-21449 “Psychic Signatures”: Analyzing the New Java Crypto Vulnerability
April 21, 2022

A few days ago, security researcher Neil Madden published a blog post, in which he provided details about a newly disclosed vulnerability in Java, CVE-2022-21449 or “Psychic Signatures”. This security vulnerability originates in an improper implementation of the ECDSA signature verification algorithm, introduced in Java 15. This vulnerability allows an attacker to potentially intercept communication …

Read More

CVE-2022-24675 – Stack overflow (exhaustion) in Go’s PEM decoder
April 18, 2022

A few days ago it was reported that the new Go versions 1.18.1 and 1.17.9 contain fixes for a stack overflow vulnerability in the encoding/pem builtin package, in the Decode function. Given the high popularity of Go among our customers and in the industry at large, this update led us to investigate the vulnerability in …

Read More
SpringShell

SpringShell (Spring4Shell) Zero-Day Vulnerability CVE-2022-22965 : All You Need To Know
March 31, 2022

On March 29th, the cyberkendra security blog posted a sensational post about a Log4Shell-equivalent remote code execution (RCE) zero-day vulnerability in Spring Framework, but without any solid details about the vulnerability itself. The security vulnerability was nicknamed “SpringShell” (or “Spring4Shell”) , due to its alleged significance likening the infamous “Log4Shell.” A day later, on March …

Read More
Apache RCE and DoS vulnerabilities 863x300

Diving into CVE-2022-23943 – a new Apache memory corruption vulnerability
March 17, 2022

A few days ago it was reported that the new Apache version 2.4.53 contains fixes for several bugs which exposed the users of the well known HTTP server to attacks: CVE-2022-22719 relates to a bug in the mod_lua modules which may lead to Denial of Service after reading from a random memory Area, CVE-2022-22720 exposes …

Read More

Popular Tags