
CVE-2022-44623: CWE-538 File and Directory Information Exposure in JetBrains TeamCity

Severity: Medium
Tags: Vulnerability, CVE-2022-44623, cve, cve-2022-44623, cwe-538
Published: Thu Nov 03 2022 (11/03/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: JetBrains
Product: TeamCity

Description

In JetBrains TeamCity version before 2022.10, Project Viewer could see scrambled secure values in the MetaRunner settings.

AI-Powered Analysis

Last updated: 06/25/2025, 11:46:12 UTC

Technical Analysis

CVE-2022-44623 is a medium-severity vulnerability affecting JetBrains TeamCity versions prior to 2022.10. The issue is classified under CWE-538, which pertains to file and directory information exposure. Specifically, the vulnerability allows users with the Project Viewer role to access scrambled secure values within the MetaRunner settings. MetaRunners in TeamCity are reusable build steps or scripts that can contain sensitive configuration data, including secure parameters intended to be protected. Although the values are scrambled (obfuscated), the exposure of these secure values to a lower-privileged role represents a confidentiality breach. The vulnerability does not affect integrity or availability, as it does not allow modification or disruption of services. The CVSS 3.1 base score is 6.5, reflecting a network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N), with high confidentiality impact (C:H), and no impact on integrity (I:N) or availability (A:N). No known exploits are reported in the wild, and no patches were linked in the provided data, though the issue is addressed in version 2022.10 and later. The vulnerability arises from insufficient access control and improper handling of secure data visibility within the TeamCity UI, allowing users with read-only project access to view sensitive configuration details that should be concealed. This could potentially aid attackers or malicious insiders in gathering information to facilitate further attacks or unauthorized access.

Potential Impact

For European organizations using JetBrains TeamCity, especially those relying on MetaRunner configurations for CI/CD pipelines, this vulnerability poses a risk of confidential information leakage. Exposure of scrambled secure values, while not directly revealing plaintext secrets, may allow attackers or unauthorized users with Project Viewer privileges to attempt de-obfuscation or use the information to escalate privileges or compromise build environments. This could lead to unauthorized access to internal systems, leakage of credentials or tokens, and compromise of software supply chains. Organizations in sectors with strict data protection regulations (e.g., finance, healthcare, critical infrastructure) may face compliance risks if sensitive build or deployment secrets are exposed. The impact is heightened in environments where Project Viewer roles are widely assigned or where insider threats are a concern. However, since the vulnerability does not allow modification or disruption of services, the immediate operational impact is limited to confidentiality breaches rather than service outages or data integrity issues.

Mitigation Recommendations

1. Upgrade JetBrains TeamCity to version 2022.10 or later, where this vulnerability is addressed.
2. Review and restrict Project Viewer role assignments to only trusted users, minimizing exposure of sensitive build configurations.
3. Audit MetaRunner configurations to ensure that secure parameters are not unnecessarily exposed or used in ways that could be inferred.
4. Implement additional access controls or segmentation within TeamCity projects to limit visibility of sensitive settings.
5. Monitor TeamCity logs and access patterns for unusual activity by Project Viewer users that could indicate attempts to exploit this vulnerability.
6. Consider encrypting sensitive parameters outside of TeamCity or using external secret management solutions integrated with TeamCity to reduce reliance on internal secure value storage.
7. Educate development and DevOps teams about the risks of over-permissioning and the importance of least privilege principles in CI/CD environments.


Technical Details

Data Version
5.1
Assigner Short Name
JetBrains
Date Reserved
2022-11-02T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d983ac4522896dcbed8f3

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 6/25/2025, 11:46:12 AM

Last updated: 10/16/2025, 12:51:23 PM

Views: 23
