JetBrains TeamCity is a popular continuous integration and deployment (CI/CD) server used by thousands of organizations. When security vulnerabilities arise in TeamCity, the risk can be significant, especially since it manages sensitive credentials and automation secrets. CVE-2022-44623 is a real-world example: In versions before 2022.10, a Project Viewer user could see obfuscated “secure values” in MetaRunner settings—information that was never meant to be exposed in the interface at all.
This post will explain what happened, demonstrate the issue with sample code, and offer some context, with links to official reports and remediation steps. If you’re running an old TeamCity version or responsible for pipeline secrets, you’ll want to read on.
What is CVE-2022-44623?
CVE-2022-44623 refers to a vulnerability in TeamCity before version 2022.10. The underlying problem? *Project Viewer* roles could access scrambled (but still exposed) secure values inside MetaRunner configuration settings.
- Scrambled values: TeamCity stores secrets (like passwords, tokens, and API keys) obfuscated or hashed—so they aren’t readable at a glance. But sometimes, even this “scrambled” data can be misused (e.g., transferred, decoded, or brute-forced offline).
- MetaRunner settings: MetaRunners are custom build steps scripted in XML, with settings that may use secrets for things like deployment, code signing, etc.
Summary: Anyone with Project Viewer rights could see these scrambled secrets, even though only privileged users should manage or view secure data.
Official Reference
- JetBrains TeamCity Security Advisory
- NVD CVE-2022-44623 Detail
How Did It Work? (With Sample Snippet)
Here is a simplified version of what went wrong—shown from the perspective of an attacker with *Project Viewer* permissions.
Suppose your TeamCity has a MetaRunner that defines a secure parameter called `my.secret.key`. In the XML, this would look like:

```xml
<meta-runner>
  <parameters>
    <param name="my.secret.key" type="password" value="scrambled:AxB12CdE34FGhijK" />
  </parameters>
</meta-runner>
```
Under normal circumstances, users with *Viewer* permissions should never see the value of secure parameters. Instead, they should see something like `********` or nothing at all. Due to the bug, the UI/API returned:
You could also fetch the settings directly, like so:

```shell
curl -u viewer:password "https://your.teamcity.server/app/rest/buildTypes/id:Your_Build_Config_Id/metaRunners"
```

That response would contain lines like:

```xml
<param name="awsSecretAccessKey" type="password" value="scrambled:XyZ987654321" />
```
If these “scrambled” values can be reverse-engineered or reused, attackers might be able to impersonate or access protected systems.
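If you saved the REST response from a server you administer, the following script audits it for secure values that reached a viewer. This is an added example, not JetBrains code: it parses the `<meta-runner>`/`<param>` XML shape shown above and reports every `type="password"` parameter whose `value` attribute is anything other than a mask. The sample response, the runner names and the parameter values in it are constructed for the demo.

```python
"""Audit a saved TeamCity MetaRunner REST response for exposed secure values.

Added example (not JetBrains code). Flags any type="password" parameter whose
value attribute still carries content instead of a mask, and tells a
"scrambled:" (obfuscated) value apart from one returned in the clear.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the shape a Project Viewer could have received from
# /app/rest/buildTypes/id:.../metaRunners on a server older than 2022.10.
SAMPLE_RESPONSE = """<meta-runners>
  <meta-runner name="deploy-to-aws">
    <parameters>
      <param name="awsAccessKeyId" type="text" value="AKIA_EXAMPLE_PLACEHOLDER" />
      <param name="awsSecretAccessKey" type="password" value="scrambled:XyZ987654321" />
      <param name="region" type="text" value="eu-west-1" />
    </parameters>
  </meta-runner>
  <meta-runner name="sign-artifacts">
    <parameters>
      <param name="signingPassphrase" type="password" value="********" />
      <param name="keystorePassword" type="password" value="" />
    </parameters>
  </meta-runner>
</meta-runners>"""

# An empty value or a run of asterisks counts as a proper mask, not a leak.
MASK_RE = re.compile(r"^\**$")


def is_masked(value):
    """True if a password-type value is safely masked (absent, empty or all '*')."""
    return value is None or MASK_RE.match(value) is not None


def find_leaked_secure_params(xml_text):
    """Return [(runner_name, param_name, value)] for every password-type
    parameter whose value is exposed, whether scrambled or plain."""
    root = ET.fromstring(xml_text)
    leaks = []
    # Element.iter() yields the root itself when its tag matches, so this
    # handles both a single <meta-runner> document and a <meta-runners> list.
    for runner in root.iter("meta-runner"):
        runner_name = runner.get("name", "<unnamed>")
        for param in runner.iter("param"):
            if param.get("type") != "password":
                continue
            value = param.get("value")
            if not is_masked(value):
                leaks.append((runner_name, param.get("name"), value))
    return leaks


def classify_leak(value):
    """Distinguish TeamCity's 'scrambled:' obfuscated form from a cleartext value."""
    return "scrambled" if value.startswith("scrambled:") else "plaintext"


if __name__ == "__main__":
    for runner, name, value in find_leaked_secure_params(SAMPLE_RESPONSE):
        print(f"LEAK [{classify_leak(value)}] runner={runner} param={name}")
```

Run against the constructed sample it reports only `awsSecretAccessKey`: the text parameters are ignored, and the two password parameters that came back masked or empty are treated as correct. Anything it does report is a parameter whose secret should be rotated, since the `scrambled:` prefix marks obfuscation rather than encryption.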
Not all “scrambled” secrets are well-protected.
- Some scrambling methods are reversible or can be brute-forced offline, especially if the “obfuscation” is just encoding rather than true encryption.
- Role Abuse: Even users who should only “look” can now see information they shouldn't.
- Supply Chain Threat: Stolen secrets could be used to inject code in builds, exfiltrate data, or gain persistent access.
Fixing CVE-2022-44623
JetBrains fixed the issue in version 2022.10. After the patch:
- Project Viewer users no longer see *any value*, scrambled or otherwise, for secure MetaRunner parameters.
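To make the difference concrete, here is a small model of the access-control change, written as an added example rather than TeamCity's own code. The `Parameter` class, the two `render_parameters_*` functions and the set of roles allowed to see secure data are hypothetical stand-ins for the server's serialization layer; the role names follow the page, and the parameter values are constructed to mirror the XML shown earlier.

```python
"""Vulnerable vs. fixed serialization of secure MetaRunner parameters.

Added example, not TeamCity's own code. Models the behaviour the page
describes: before 2022.10 a Project Viewer received the stored (scrambled)
value; after the fix a password-type value is masked for that role.
"""
from dataclasses import dataclass

MASK = "********"
# Assumption for the demo: only these roles may see secure values at all.
ROLES_ALLOWED_SECURE = {"Project Administrator", "System Administrator"}


@dataclass(frozen=True)
class Parameter:
    name: str
    type: str          # "text" or "password"
    stored_value: str  # what the server keeps; secure values are "scrambled:..."


def render_parameters_vulnerable(params, role):
    """Pre-fix behaviour: the role check gates the page, not the value, so a
    viewer receives the stored form of every parameter, password or not."""
    return {p.name: p.stored_value for p in params}


def render_parameters_fixed(params, role):
    """Post-fix behaviour: password-type values are replaced by the mask unless
    the caller's role may manage secure data. Text parameters are unchanged."""
    rendered = {}
    for p in params:
        if p.type == "password" and role not in ROLES_ALLOWED_SECURE:
            rendered[p.name] = MASK
        else:
            rendered[p.name] = p.stored_value
    return rendered


def leaks_secure_value(rendered, params):
    """Audit helper: True if any password-type parameter reached the caller
    as anything other than the mask (a scrambled value still counts as a leak)."""
    secure = {p.name for p in params if p.type == "password"}
    return any(rendered[name] != MASK for name in secure)


# Constructed MetaRunner parameters mirroring the XML on the page.
METARUNNER_PARAMS = [
    Parameter("my.secret.key", "password", "scrambled:AxB12CdE34FGhijK"),
    Parameter("deploy.target", "text", "staging"),
]

if __name__ == "__main__":
    for render in (render_parameters_vulnerable, render_parameters_fixed):
        out = render(METARUNNER_PARAMS, "Project Viewer")
        verdict = "LEAK" if leaks_secure_value(out, METARUNNER_PARAMS) else "ok"
        print(f"{render.__name__}: {out} -> {verdict}")
```

The point of the `leaks_secure_value` check is that masking must be decided by parameter type and caller role, not by whether the stored value "looks" protected: a `scrambled:` value handed to a viewer is still a leak, which is exactly what the fix closes.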
2. Audit Your Users: Restrict “Viewer” and “MetaRunner” access only to those who need it.
3. Rotate Secrets: If you suspect project viewers might have accessed these settings, change/rotate secrets.
4. Monitor: Check logs for unusual viewer activity, and surveil build pipeline secrets for suspicious usage.
More About MetaRunners & Secure Parameters
MetaRunners are a powerful way to share build steps, but they come with security responsibility. Always:
- Use secure parameters for passwords/tokens.
References
- JetBrains Security Blog
- NIST NVD CVE-2022-44623
- Understanding TeamCity Roles
- TeamCity MetaRunner Documentation
TL;DR
CVE-2022-44623 exposed scrambled secure values in MetaRunner configs to Project Viewers in JetBrains TeamCity before 2022.10. Anyone with view access could harvest confidential (albeit obfuscated) secrets. Patch immediately, rotate secrets if exposed, and audit who can see your CI/CD configurations.
Stay safe and keep your pipelines locked down! 🚦
Timeline
Published on: 11/03/2022 14:15:00 UTC
Last modified on: 11/03/2022 19:50:00 UTC