JetBrains fixes two critical issues in TeamCity, patch ASAP
Take action: For the second time in less than a month, if you are running a self-hosted TeamCity instance, patch or update it IMMEDIATELY, or isolate the instance from the public internet until patching or updating is complete.
Learn More
JetBrains has remedied two critical vulnerabilities in TeamCity On-Premises, and is recommending that customers urgently implement patches. TeamCity is a Continuous Integration and Continuous Delivery (CI/CD) server developed by JetBrains.
The vulnerabilities are tracked as:
- CVE-2024-27198 (CVSS score 9.8), an authentication bypass vulnerability in the web component of TeamCity caused by an alternative path issue (CWE-288, authentication bypass using an alternate path or channel),
- CVE-2024-27199 (CVSS score 7.3), a path traversal vulnerability in the web component of TeamCity that also allows authentication to be bypassed, with a more limited reach (hence the lower score).
Both vulnerabilities can be exploited by an unauthenticated attacker with HTTP(S) access to the server. The first lets the attacker bypass authentication outright; the second lets the attacker traverse the request path to reach endpoints that should only be available after authentication. Successful exploitation of the authentication bypass can give an attacker administrative control over the TeamCity server.
These vulnerabilities impact all versions of TeamCity On-Premises up to and including 2023.11.3.
JetBrains has addressed these issues in the latest version, 2023.11.4. TeamCity Cloud servers have already been secured against these vulnerabilities, with JetBrains confirming that no attacks have been detected on these servers.
Full technical descriptions and steps to reproduce have already been published. This means that proof-of-concept exploits could quickly become available for malicious use.
Users are advised to upgrade their TeamCity servers to the patched version (2023.11.4) as soon as possible, either manually or through the automatic update feature within TeamCity. For those unable to upgrade immediately, JetBrains recommends applying the security patch plugin it has released for affected versions of TeamCity or, as a last resort, removing the server from internet access until the necessary updates can be applied.
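The two checks a practitioner wants after reading the advisory are "is my instance on an affected version?" and "has anyone been sending path-traversal requests at it?". The script below is an added example, not JetBrains code or code from any published exploit. It assumes that `GET /app/rest/server` returns an XML `<server>` element whose `version` attribute reads like "2023.11.3 (build 147512)" (the attribute name is an assumption), and it uses constructed access-log lines in common log format rather than real TeamCity logs. The traversal check is generic: it flags any request whose path contains a `..` segment, including percent- or double-percent-encoded forms, which is what the advisory's "path traversal" amounts to at the HTTP layer.

```python
"""Triage helpers for the TeamCity 2023.11.4 advisory (added example, not JetBrains code)."""
import re
import urllib.parse
import xml.etree.ElementTree as ET

# First release containing the fix, per the advisory: all versions up to and
# including 2023.11.3 are affected.
FIXED_VERSION = (2023, 11, 4)


def parse_version(version_str):
    """Turn '2023.11.3 (build 147512)' into (2023, 11, 3); absent parts become 0.

    Only the leading numeric components are used, so '2024.03 EAP1' parses as
    (2024, 3, 0) and the build number in parentheses is ignored.
    """
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version_str)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {version_str!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable(version_str):
    """True for every TeamCity On-Premises release before 2023.11.4."""
    return parse_version(version_str) < FIXED_VERSION


def version_from_rest_xml(xml_text):
    """Extract the version string from a /app/rest/server response.

    Assumption: the root element is <server> with a `version` attribute.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "server" or "version" not in root.attrib:
        raise ValueError("unexpected /app/rest/server response")
    return root.attrib["version"]


def has_traversal(raw_path):
    """Flag a request path containing a '..' segment after (double) URL-decoding."""
    path = raw_path.split("?", 1)[0]
    # Decode twice so %2e%2e and %252e%252e both collapse to '..'.
    path = urllib.parse.unquote(urllib.parse.unquote(path))
    return ".." in [seg for seg in path.split("/") if seg]


# Common log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size.
_CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_access_log(lines):
    """Return (client_ip, method, path, status) for every request with a traversal path."""
    hits = []
    for line in lines:
        m = _CLF.match(line)
        if not m:
            continue  # skip lines that are not CLF requests
        client, method, path, status = m.groups()
        if has_traversal(path):
            hits.append((client, method, path, int(status)))
    return hits


# Constructed sample data for offline use; not captured from a real server.
SAMPLE_REST_RESPONSE = (
    '<server version="2023.11.3 (build 147512)" versionMajor="2023" '
    'versionMinor="11" buildNumber="147512"/>'
)

SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [04/Mar/2024:10:01:02 +0000] "GET /app/rest/server HTTP/1.1" 401 0',
    '203.0.113.7 - - [04/Mar/2024:10:01:09 +0000] "GET /res/../admin/admin.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [04/Mar/2024:10:01:11 +0000] "GET /res/%2e%2e/admin/admin.html HTTP/1.1" 200 5120',
    '10.0.0.5 - - [04/Mar/2024:10:02:00 +0000] "GET /login.html HTTP/1.1" 200 2048',
]


if __name__ == "__main__":
    ver = version_from_rest_xml(SAMPLE_REST_RESPONSE)
    print(f"server reports {ver}: {'VULNERABLE, patch now' if is_vulnerable(ver) else 'patched'}")
    for client, method, path, status in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"traversal attempt from {client}: {method} {path} -> {status}")
```

Run it against a real server by fetching `/app/rest/server` with an access token and feeding the body to `version_from_rest_xml`; a 200 on a traversal request in your access log is the line to escalate, since a patched server should not serve an authenticated page through such a path.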