JetBrains remains tight-lipped about the specific details surrounding the security issues that have been patched.

Disclosure drama

JetBrains, the company behind the TeamCity CI/CD web application, recently released a patch for the product, addressing no fewer than 26 vulnerabilities. The release notes, published on March 27, simply stated that “26 security problems have been fixed.” This lack of specific details surrounding the patched vulnerabilities has left the cybersecurity community curious and somewhat concerned.

Typically, companies share CVE tracking numbers for vulnerabilities when addressing security issues. These numbers provide a brief description of the problem and assess its severity, aiding IT teams in deciding the urgency of implementing patches. Surprisingly, JetBrains did not list any CVEs this time, a departure from standard practice that has prompted speculation in the cybersecurity community.

One possible reason for JetBrains’ vague approach could be linked to recent incidents involving Rapid7, where a similar lack of transparency led to exploitation of vulnerabilities shortly after patches were released. Additionally, the patch may be connected to earlier high-severity flaws identified in TeamCity, possibly explaining the company’s discretion to ensure customers had sufficient time to update their systems.

A user named “Not Simon” highlighted on Infosec Exchange that the JetBrains Security Bulletin only reveals 7 out of the 26 addressed vulnerabilities. The complete list can be accessed here.
