CVE-2022-44623 is a medium-severity vulnerability affecting JetBrains TeamCity versions prior to 2022.10. The issue is classified under CWE-538, which pertains to file and directory information exposure. Specifically, the vulnerability allows users with the Project Viewer role to access scrambled secure values within the MetaRunner settings. MetaRunners in TeamCity are reusable build steps or scripts that can contain sensitive configuration data, including secure parameters intended to be protected. Although the values are scrambled (obfuscated), the exposure of these secure values to a lower-privileged role represents a confidentiality breach. The vulnerability does not affect integrity or availability, as it does not allow modification or disruption of services. The CVSS 3.1 base score is 6.5, reflecting a network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N), with high confidentiality impact (C:H), and no impact on integrity (I:N) or availability (A:N). No known exploits are reported in the wild, and no patches were linked in the provided data, though the issue is addressed in version 2022.10 and later. The vulnerability arises from insufficient access control and improper handling of secure data visibility within the TeamCity UI, allowing users with read-only project access to view sensitive configuration details that should be concealed. This could potentially aid attackers or malicious insiders in gathering information to facilitate further attacks or unauthorized access.

For European organizations using JetBrains TeamCity, especially those relying on MetaRunner configurations for CI/CD pipelines, this vulnerability poses a risk of confidential information leakage. Exposure of scrambled secure values, while not directly revealing plaintext secrets, may allow attackers or unauthorized users with Project Viewer privileges to attempt de-obfuscation or use the information to escalate privileges or compromise build environments. This could lead to unauthorized access to internal systems, leakage of credentials or tokens, and compromise of software supply chains. Organizations in sectors with strict data protection regulations (e.g., finance, healthcare, critical infrastructure) may face compliance risks if sensitive build or deployment secrets are exposed. The impact is heightened in environments where Project Viewer roles are widely assigned or where insider threats are a concern. However, since the vulnerability does not allow modification or disruption of services, the immediate operational impact is limited to confidentiality breaches rather than service outages or data integrity issues.

1. Upgrade JetBrains TeamCity to version 2022.10 or later, where this vulnerability is addressed. 2. Review and restrict Project Viewer role assignments to only trusted users, minimizing exposure of sensitive build configurations. 3. Audit MetaRunner configurations to ensure that secure parameters are not unnecessarily exposed or used in ways that could be inferred. 4. Implement additional access controls or segmentation within TeamCity projects to limit visibility of sensitive settings. 5. Monitor TeamCity logs and access patterns for unusual activity by Project Viewer users that could indicate attempts to exploit this vulnerability. 6. Consider encrypting sensitive parameters outside of TeamCity or using external secret management solutions integrated with TeamCity to reduce reliance on internal secure value storage. 7. Educate development and DevOps teams about the risks of over-permissioning and the importance of least privilege principles in CI/CD environments.