A critical security vulnerability in the JetBrains TeamCity continuous integration and continuous deployment (CI/CD) software could be exploited by unauthenticated attackers to achieve remote code execution on affected systems.
The flaw, tracked as CVE-2023-42793, carries a CVSS score of 9.8 and has been addressed in TeamCity version 2023.05.4 following responsible disclosure on September 6, 2023.
“Attackers could leverage this access to steal source code, service secrets, and private keys, take control over attached build agents, and poison build artifacts,” Sonar security researcher Stefan Schiller said in a report last week.
Successful exploitation of the bug could also permit threat actors to access the build pipelines and inject arbitrary code, leading to an integrity breach and supply chain compromises.
Additional details of the bug have been withheld due to the fact that it’s trivial to exploit, with Sonar noting that it’s likely to be exploited in the wild by threat actors.
JetBrains, in an independent advisory, has recommended users to upgrade as soon as possible. It has also released a security patch plugin for TeamCity versions 8.0 and above to specifically address the flaw.
The disclosure comes as two high-severity flaws have been disclosed in the Atos Unify OpenScape products that allow a low-privileged attacker to execute arbitrary operating systems commands as root user (CVE-2023-36618) as well as an unauthenticated attacker to access and execute various configuration scripts (CVE-2023-36619).
The flaws were patched by Atos in July 2023.
Over the past few weeks, Sonar has also published details about critical cross-site scripting (XSS) vulnerabilities affecting encrypted email solutions, including Proton Mail, Skiff, and Tutanota, that could have been weaponized to steal emails and impersonate victims.
Found this article interesting? Follow us on Twitter
to read more exclusive content we post.