JetBrains refuses to reveal details of patched security issues

JetBrains refuses to reveal details of patched security issues

JetBrains, the company behind the TeamCity CI/CD web application, recently released a patch for the product, addressing no less than 26 vulnerabilities. 

However, the company was apparently reluctant to reveal any specific details about the JetBrains flaws, raising eyebrows among the cybersecurity community.

In the release notes, published on March 27, the only thing the team said was “26 security problems have been fixed.”

Disclosure drama

Usually, when a company addresses security issues, they share CVE tracking numbers for the vulnerabilities. These numbers describe the problem in a few short sentences, and tell the IT teams how severe the issue is. That helps them decide if they should rush with the implementation of the patch and whether or not their premises are in imminent danger.

This time around, not even CVEs had been listed, which surprised the wider cybersecurity community. In its writeup, The Register speculates that this was JetBrains’ response to the recent “disclosure drama involving Rapid7”.

For those unfamiliar with the “disclosure drama”, JetBrains recently patched a pair of flaws in complete silence, later saying that it was giving admins a head start against hackers looking to exploit the vulnerabilities. Rapid7, on the other hand, didn’t believe the company, and published a how-to guide on exploiting the flaws, mere hours after the patch was pushed. Consequently, some systems were breached.

Other researchers believe this could have something to do with the recent security incidents at TeamCity. In early March 2024, the company released a patch for two high-severity flaws plaguing its product. Soon after, CISA added it to its KEV list, signaling in-the-wild abuse. There is a slight chance that this patch, at least partially, addresses the aftermath of the two high-severity vulnerabilities, forcing the team to remain tight-lipped until the majority of customers patched up.

Posting a thread on Infosec Exchange, a user named “Not Simon” found that the JetBrains Security Bulletin only shows 7 vulnerabilities out of the 26. The list can be found here

More from TechRadar Pro

https://www.techradar.com/rss

Sead Fadilpašić

Leave a Reply