The U.S. CISA added the JetBrains TeamCity flaw CVE-2023-42793 and Windows bug CVE-2023-28229 to its Known Exploited Vulnerabilities Catalog.
Below are the descriptions of the two vulnerabilities:
CVE-2023-42793 JetBrains TeamCity Authentication Bypass Vulnerability. The vulnerability is an authentication bypass issue affecting the on-premises version of TeamCity. An attacker can exploit the flaw to steal the target organization's source code, stored service secrets, and private keys. By injecting malicious code, an attacker can also compromise the integrity of software releases and impact all downstream users.
CVE-2023-28229 Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability. At the end of August, a cybersecurity researcher released the details and a proof-of-concept (PoC) exploit for this vulnerability. The vulnerability, which has a CVSS score of 7.0, could allow an attacker to gain specific limited SYSTEM privileges.
CISA orders federal agencies to fix this flaw by October 25, 2023.
This week, the US CISA also added a use-after-free vulnerability in the Arm Mali GPU kernel driver, tracked as CVE-2023-4211, to the Catalog. CISA orders federal agencies