
Critical JetBrains TeamCity Flaw Could Expose Source Code and Build Pipelines to Attackers

A critical security vulnerability in the JetBrains TeamCity continuous integration and continuous deployment (CI/CD) software could be exploited by unauthenticated attackers to achieve remote code execution on affected systems.

The flaw, tracked as CVE-2023-42793, carries a CVSS score of 9.8 and has been addressed in TeamCity version 2023.05.4 following responsible disclosure on September 6, 2023.

“Attackers may leverage this access to steal source code, service secrets, and private keys, take control over attached build agents, and poison build artifacts,” Sonar security researcher Stefan Schiller said in a report last week.

Successful exploitation of the bug could also enable threat actors to access the build pipelines and inject arbitrary code, resulting in an integrity breach and supply chain compromise.

Further details of the bug have been withheld because it is trivial to exploit, with Sonar noting that it is likely to be weaponized in the wild by threat actors.


JetBrains, in an independent advisory, has recommended that users upgrade as soon as possible. It has also released a security patch plugin for TeamCity versions 8.0 and above to specifically address the flaw.

The disclosure comes as two high-severity flaws were disclosed in the Atos Unify OpenScape products that allow a low-privileged attacker to execute arbitrary operating system commands as the root user (CVE-2023-36618), as well as an unauthenticated attacker to access and execute various configuration scripts (CVE-2023-36619).

The issues were patched by Atos in July 2023.

Over the past few weeks, Sonar has also revealed details about critical cross-site scripting (XSS) vulnerabilities affecting encrypted email solutions, including Proton Mail, Skiff, and Tutanota, that could have been weaponized to steal emails and impersonate victims.
