Rapid7 throws JetBrains under the bus for ‘uncoordinated vulnerability disclosure’

March 5, 2024 at 08:19AM

Rapid7 accused JetBrains of silently patching two critical vulnerabilities in the TeamCity CI/CD server, despite Rapid7’s policy against such actions. JetBrains’ attempt to release patches before publicly disclosing was met with Rapid7’s refusal. JetBrains later released patches without informing researchers, leading to criticism from the infosec community.

The reported exchange shows a notable conflict between Rapid7 and JetBrains over the disclosure and handling of two vulnerabilities in the TeamCity CI/CD server. Rapid7 accuses JetBrains of silently patching the vulnerabilities, contrary to infosec community norms, which has drawn criticism from the security research community.

Rapid7 states that it reported the vulnerabilities in mid-February, but JetBrains released patches without public disclosure and without informing the researchers. Rapid7's stated policy is to publish details itself when a vendor silently patches a reported vulnerability, and it had warned JetBrains that it would do so; the outcome has caused significant dissatisfaction within the infosec community.

JetBrains' actions have been perceived as a breach of coordinated vulnerability disclosure norms, and its responses to Rapid7's inquiries have also been criticised as inadequate. The severity of the vulnerabilities adds to the concern: one allows unauthenticated remote code execution, and the other creates the potential for man-in-the-middle attacks.

JetBrains has indicated that the vulnerabilities affect only the on-prem version of TeamCity, and it has provided recommendations for server admins to address the issues.

Overall, there is clear disagreement and dissatisfaction between Rapid7 and JetBrains over the handling of the TeamCity vulnerabilities, and JetBrains' actions have faced substantial criticism from the infosec community.