A critical security flaw in the JetBrains TeamCity continuous integration and continuous deployment (CI/CD) server lets unauthenticated attackers achieve remote code execution on vulnerable systems. The bug, an authentication bypass tracked as CVE-2023-42793 and carrying a CVSS score of 9.8, was responsibly disclosed to JetBrains on September 6, 2023, and fixed in TeamCity version 2023.05.4; earlier on-premises releases remain affected until upgraded.
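Because the only reliable fix is the version boundary the advisory names, the first thing a defender wants is a correct "am I below 2023.05.4?" check. The following is an added example, not code from the article, Sonar or JetBrains: it parses the version banner that TeamCity renders in its login-page footer (the exact wording "Version X.Y.Z (build N)" is an assumption about the page layout) and compares it numerically against the fixed release, so that 2023.05.10 is correctly treated as newer than 2023.05.4, which a plain string comparison would get wrong. The sample HTML fragments and build numbers are constructed for the demonstration.

```python
import re

# Fixed release named in the advisory for CVE-2023-42793: TeamCity 2023.05.4
FIXED_VERSION = (2023, 5, 4)

# Assumed banner format, e.g. "Version 2023.05.3 (build 129390)" in the
# login-page footer. Only the numeric version is used; the build number is
# captured but not needed for the comparison.
_VERSION_RE = re.compile(r"\bVersion\s+(\d+(?:\.\d+)+)(?:\s*\(build\s+(\d+)\))?")


def parse_version(text):
    """Extract the numeric version tuple from a TeamCity page.

    Returns None when no version banner is present in the text.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version):
    """True when the release predates 2023.05.4 (the fix for CVE-2023-42793).

    The comparison is component-by-component on integers, so 2023.05.10 > 2023.05.4
    and 2022.10.1 < 2023.05.4. Shorter version tuples are zero-padded first.
    """
    padded = tuple(version) + (0,) * (len(FIXED_VERSION) - len(version))
    return padded < FIXED_VERSION


def assess(html):
    """Classify a fetched TeamCity page as 'vulnerable', 'patched' or 'unknown'."""
    version = parse_version(html)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "patched"


# Constructed sample responses (not captured from a real server); the build
# numbers are placeholders, not real TeamCity build identifiers.
SAMPLES = {
    "2023.05.3": "<span>Version 2023.05.3 (build 100001)</span>",
    "2023.05.4": "<span>Version 2023.05.4 (build 100002)</span>",
    "2023.05.10": "<span>Version 2023.05.10 (build 100003)</span>",
    "2022.10.1": "<span>Version 2022.10.1 (build 100004)</span>",
    "no-banner": "<html><body>login</body></html>",
}

if __name__ == "__main__":
    for label, html in SAMPLES.items():
        print(f"{label:>11}: {assess(html)}")
```

Two caveats: an administrator can suppress the version banner, in which case the check reports "unknown" rather than guessing, and a version below the fix line establishes exposure, not proof of compromise; confirming whether a server was actually exploited is a separate log and artifact review.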
In a report published this week, Sonar security researcher Stefan Schiller stated that “attackers could use this access to steal source code, service secrets, and private keys, take control over attached build agents, and poison build artifacts.” Successful exploitation would let threat actors reach into the build pipelines and inject arbitrary code, breaking system integrity and compromising the software supply chain downstream of the server.