Article Details
Scrape Timestamp (UTC): 2023-09-26 05:05:03.719
Source: https://thehackernews.com/2023/09/critical-jetbrains-teamcity-flaw-could.html
Original Article Text
Critical JetBrains TeamCity Flaw Could Expose Source Code and Build Pipelines to Attackers

A critical security vulnerability in the JetBrains TeamCity continuous integration and continuous deployment (CI/CD) software could be exploited by unauthenticated attackers to achieve remote code execution on affected systems. The flaw, tracked as CVE-2023-42793, carries a CVSS score of 9.8 and has been addressed in TeamCity version 2023.05.4 following responsible disclosure on September 6, 2023.

"Attackers could leverage this access to steal source code, service secrets, and private keys, take control over attached build agents, and poison build artifacts," Sonar security researcher Stefan Schiller said in a report last week. Successful exploitation of the bug could also permit threat actors to access the build pipelines and inject arbitrary code, leading to an integrity breach and supply chain compromises.

Additional details of the bug have been withheld because it is trivial to exploit; Sonar notes that it is likely to be exploited in the wild by threat actors.

JetBrains, in an independent advisory, has recommended that users upgrade as soon as possible. It has also released a security patch plugin for TeamCity versions 8.0 and above that specifically addresses the flaw.

The disclosure comes as two high-severity flaws have been disclosed in the Atos Unify OpenScape products: one allows a low-privileged attacker to execute arbitrary operating system commands as root (CVE-2023-36618), and the other allows an unauthenticated attacker to access and execute various configuration scripts (CVE-2023-36619). The flaws were patched by Atos in July 2023.
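As an added check for the upgrade guidance above (example code written for this page, not code from The Hacker News, Sonar or JetBrains), the script below classifies a TeamCity server as below or at the 2023.05.4 fix version from its self-reported version string. It assumes the version is read from the TeamCity REST endpoint GET /app/rest/server, which answers with an XML <server> element carrying a `version` attribute such as "2023.05.3 (build 12345)"; the XML responses, build numbers and hostname in the block are constructed samples, not captures from a real host. It handles the year-based version scheme (2019.2, 2023.05.3) as well as legacy numeric versions (10.0.5), and treats an unparsable or non-TeamCity response as "unknown" rather than as safe.

```python
"""Version check for CVE-2023-42793 exposure (added example for this page; not code
from The Hacker News, Sonar or JetBrains).

Assumption: the server's version comes from GET /app/rest/server, an XML <server>
element whose `version` attribute looks like "2023.05.3 (build 12345)". All sample
responses below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# TeamCity 2023.05.4 is the first version that ships the fix (per the advisory).
FIXED_VERSION: Tuple[int, int, int] = (2023, 5, 4)

# Leading dotted-numeric prefix: "2023.05.3 (build 12345)" -> "2023.05.3",
# "2019.2" -> "2019.2", legacy "10.0.5" -> "10.0.5".
_VERSION_PREFIX = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(version_string: str) -> Optional[Tuple[int, int, int]]:
    """Return a comparable (year_or_major, minor, patch) tuple, or None if unparsable.

    Missing components are padded with 0, so "2023.05" compares as 2023.05.0.
    """
    match = _VERSION_PREFIX.match(version_string)
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable_version(version_string: str) -> Optional[bool]:
    """True if the version predates 2023.05.4, False if it is 2023.05.4 or later,
    None if the string cannot be parsed."""
    parsed = parse_version(version_string)
    if parsed is None:
        return None
    return parsed < FIXED_VERSION


def version_from_server_xml(xml_text: str) -> Optional[str]:
    """Extract the `version` attribute from an (assumed) /app/rest/server response.

    Malformed XML and non-<server> documents (e.g. a login page) yield None.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "server":
        return None
    return root.get("version")


def assess(xml_text: str) -> str:
    """Classify a server response as 'vulnerable', 'patched' or 'unknown'.

    'vulnerable' only means the reported version is below 2023.05.4. The version
    string says nothing about whether the JetBrains patch plugin has been installed,
    so treat 'vulnerable' as 'confirm by other means', not as proof of exposure.
    """
    version = version_from_server_xml(xml_text)
    if version is None:
        return "unknown"
    verdict = is_vulnerable_version(version)
    if verdict is None:
        return "unknown"
    return "vulnerable" if verdict else "patched"


# Constructed sample responses. Attribute names follow the assumed REST shape;
# build numbers and the hostname are placeholders, not real TeamCity values.
SAMPLE_UNPATCHED = (
    '<server version="2023.05.3 (build 12345)" versionMajor="2023" versionMinor="5" '
    'buildNumber="12345" webUrl="https://teamcity.example.internal"/>'
)
SAMPLE_PATCHED = (
    '<server version="2023.05.4 (build 12346)" versionMajor="2023" versionMinor="5" '
    'buildNumber="12346" webUrl="https://teamcity.example.internal"/>'
)
SAMPLE_LOGIN_PAGE = "<html><body>login required</body></html>"

if __name__ == "__main__":
    for label, body in [
        ("unpatched", SAMPLE_UNPATCHED),
        ("patched", SAMPLE_PATCHED),
        ("login page", SAMPLE_LOGIN_PAGE),
    ]:
        print(f"{label}: {assess(body)}")
```

In practice the XML would come from an authenticated HTTP GET against the server; the comparison is deliberately kept separate from the fetch so it can be run over exported inventories. A "patched" verdict depends on the server reporting an honest version, and a "vulnerable" verdict on a host that was fixed via the plugin route is a false positive to be resolved by checking the installed plugins.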
Over the past few weeks, Sonar has also published details about critical cross-site scripting (XSS) vulnerabilities affecting encrypted email solutions, including Proton Mail, Skiff, and Tutanota, that could have been weaponized to steal emails and impersonate victims.
Daily Brief Summary
A critical security flaw in the JetBrains TeamCity CI/CD software puts affected systems at risk of remote code execution by unauthenticated attackers. The vulnerability, tracked as CVE-2023-42793, carries a critical CVSS score of 9.8.
The flaw was responsibly disclosed on September 6, 2023, and has been addressed in TeamCity version 2023.05.4.
The possible effects of exploiting this vulnerability include theft of source code, service secrets and private keys, takeover of attached build agents, and poisoning of build artifacts. Threat actors could also gain access to the build pipelines and inject arbitrary code, leading to an integrity breach and supply chain compromises.
JetBrains recommends that users upgrade promptly. The company has also released a security patch plugin for TeamCity versions 8.0 and above that specifically addresses the flaw.
Two other high-severity flaws have been disclosed in Atos Unify OpenScape products: one allows a low-privileged attacker to execute arbitrary operating system commands as root (CVE-2023-36618), and the other allows an unauthenticated attacker to access and execute various configuration scripts (CVE-2023-36619). Atos patched both in July 2023.
Cybersecurity firm Sonar has also disclosed critical cross-site scripting (XSS) vulnerabilities affecting encrypted email solutions, including Proton Mail, Skiff and Tutanota, that could have been used to steal emails and impersonate victims.