Uriya Yavnieli
JFrog Security Researcher

Uriya is a Security Researcher at JFrog’s vulnerability research team, where he specializes in low-level research and vulnerability discovery automations. Before joining Vdoo and JFrog, Uriya was a Security Researcher at Cyberbit, bringing experience from previous roles in R&D in the tech unit of the Israeli Defense Force.
The Latest From Uriya Yavnieli
- From MLOps to MLOops: Exposing the Attack Surface of Machine Learning Platforms
  26 min read
  NOTE: This research was recently presented at Black Hat USA 2024, under the title “From MLOps to MLOops - Exposing the Attack Surface of Machine Learning Platforms”. The JFrog Security Research team recently dedicated its efforts to exploring the various attacks that could be mounted on open source machine learning (MLOps) platforms used inside organizational…

- Arbitrary File Creation vulnerability in plexus-archiver – CVE-2023-37460
  7 min read
  The JFrog Security research team constantly monitors open-source projects to find new vulnerabilities or malicious packages and share them with the wider community to help improve their overall security posture. As part of this effort, the team recently discovered a new security vulnerability in plexus-archiver, an archive creation and extraction package. plexus-archiver is used in…

- CVE-2021-38297 – Analysis of a Go Web Assembly vulnerability
  9 min read
  The JFrog Security Research team continuously monitors reported vulnerabilities in open-source software (OSS) to help our customers and the wider community be aware of potential software supply chain security threats and their impact. In doing so, we often notice important trends and key learnings worth highlighting. The following analysis of a vulnerability discovered in the…

- SATisfying our way into remote code execution in the OPC UA industrial stack
  18 min read
  The JFrog Security team recently competed in the Pwn2Own Miami 2022 hacking competition which focuses on Industrial Control Systems (ICS) security. One of our research targets for the competition was the Unified Automation C++-based OPC UA Server SDK. Other than the vulnerabilities we disclosed as part of the pwn2own competition, we managed to find and…

- Crashing Industrial Control Systems at Pwn2Own Miami 2022
  13 min read
  Earlier this year, the JFrog Security research team competed in the Pwn2Own Miami 2022 hacking competition which focuses on Industrial Control Systems (ICS) security. We were proud to take part in this competition and join other researchers in the effort to make mission-critical industrial environments safe and secure. During the Pwn2Own Miami competition we competed…

- CVE-2022-25845 – Analyzing the Fastjson “Auto Type Bypass” RCE vulnerability
  11 min read
  A few weeks ago, a new version for Fastjson was released (1.2.83) which contains a fix for a security vulnerability that allegedly allows an attacker to execute code on a remote machine. According to several publications, this vulnerability allows an attacker to bypass the “AutoTypeCheck” mechanism in Fastjson and achieve remote code execution. This Fastjson…

- 7 RCE and DoS vulnerabilities Found in ClickHouse DBMS
  10 min read
  The JFrog Security research team constantly monitors open-source projects to find new vulnerabilities or malicious packages and share them with the wider community to help improve their overall security posture. As part of this effort, the team recently discovered seven new security vulnerabilities in ClickHouse, a widely used open-source Database Management System (DBMS) dedicated to…

- JFrog Discloses 5 Memory Corruption Vulnerabilities in PJSIP – A Popular Multimedia Library
  6 min read
  Update 03/03/22 - Added clarification about vulnerable applications.
  JFrog’s Security Research team is constantly looking for new and previously unknown security vulnerabilities in popular open-source projects to help improve their security posture. As part of this effort, we recently discovered 5 security vulnerabilities in PJSIP, a widely used open-source multimedia communication library developed by Teluu. By…

- Revisiting Realtek – A New Set of Critical Wi-Fi Vulnerabilities Discovered by Automated Zero-Day Analysis
  13 min read
  On February 3rd 2021, we responsibly disclosed six critical issues in the Realtek RTL8195A Wi-Fi module, a popular Wi-Fi card found in numerous connected devices such as home and industrial appliances. Following that successful detection and disclosure, we expanded our analysis to additional modules. This new analysis resulted in two new critical vulnerabilities discovered by…

- Major Vulnerabilities Discovered and Patched in Realtek RTL8195A Wi-Fi Module
  12 min read
  In a recent supply chain security assessment, the JFrog security research team (formerly Vdoo) analyzed multiple networking devices for security vulnerabilities and exposures. During the analysis we discovered and responsibly disclosed six major vulnerabilities in Realtek’s RTL8195A Wi-Fi module that these devices were based on. An attacker that exploits the discovered vulnerabilities can gain remote…