Researchers have identified a critical security issue in TeamCity On-Premises. The flaw enables an unauthenticated attacker with access to a TeamCity server to perform a remote code execution (RCE) attack and gain administrative control of the server.
All versions of TeamCity On-Premises are affected by this critical security vulnerability. It has been assigned the CVE identifier CVE-2023-42793 and is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The issue does not impact TeamCity Cloud, which was recently upgraded.
The TeamCity team has fixed this vulnerability in version 2023.05.4, has already notified its customers, and will release additional technical details of the vulnerability soon, once they have updated. The vendor strongly advises all users of TeamCity On-Premises to update their servers to 2023.05.4 to mitigate the issue.
To update your server, download the latest version (2023.05.4) or use the automatic update option within TeamCity.
If you are unable to update to version 2023.05.4, a security patch plugin has also been released so that you can still patch your environment. The security patch plugin can be downloaded using one of the links below and installed on TeamCity 8.0+. It patches only the specific RCE vulnerability described above. For TeamCity 2019.2 and later, the plugin can be enabled without restarting the TeamCity server. For versions older than 2019.2, a server restart is required after the plugin has been installed.
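As an added example that is not part of the advisory, the following Python helper encodes the version thresholds above: it parses a TeamCity version string as displayed on the server's Administration page and reports which remediation path applies (already fixed, plugin without restart, plugin with restart, or upgrade only). The function names and the sample version strings are constructed for illustration.

```python
import re

# Thresholds taken from the advisory text.
FIXED_VERSION = (2023, 5, 4)            # first release containing the fix
PLUGIN_NO_RESTART_VERSION = (2019, 2)   # plugin can be enabled without a restart
PLUGIN_MIN_VERSION = (8, 0)             # oldest release the plugin installs on


def parse_version(version_str):
    """Convert a TeamCity version string such as '2023.05.4 (build 129421)',
    '2019.2' or '9.1.7' into a tuple of ints. A trailing build suffix is ignored."""
    core = version_str.strip().split(" ")[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised TeamCity version string: {version_str!r}")
    return tuple(int(part) for part in core.split("."))


def _pad(version, width=3):
    """Right-pad with zeros so '2019.2' compares as (2019, 2, 0)."""
    return version + (0,) * (width - len(version))


def remediation(version_str):
    """Return the remediation path for the given server version:
    'patched', 'plugin-no-restart', 'plugin-restart' or 'upgrade-only'."""
    v = _pad(parse_version(version_str))
    if v >= _pad(FIXED_VERSION):
        return "patched"
    if v >= _pad(PLUGIN_NO_RESTART_VERSION):
        return "plugin-no-restart"
    if v >= _pad(PLUGIN_MIN_VERSION):
        return "plugin-restart"
    return "upgrade-only"


ADVICE = {
    "patched": "Not affected by CVE-2023-42793; no action required.",
    "plugin-no-restart": "Upgrade to 2023.05.4, or install the security patch plugin (no restart needed).",
    "plugin-restart": "Upgrade to 2023.05.4, or install the security patch plugin and restart the server.",
    "upgrade-only": "Upgrade to 2023.05.4; the security patch plugin does not support this version.",
}

if __name__ == "__main__":
    # Constructed sample versions, not taken from any real inventory.
    for sample in ["2023.05.4 (build 129421)", "2023.05.3", "2019.1.5", "7.1.5"]:
        path = remediation(sample)
        print(f"{sample:28} -> {path:18} {ADVICE[path]}")
```

Until the server is upgraded or patched, a server that reports anything other than `patched` and is reachable from the internet should be taken offline, as the advisory recommends.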
The security patch plugin addresses only the RCE vulnerability described above. Users are nevertheless recommended to upgrade their servers to the latest version to benefit from the many other security updates it contains.
If your server is publicly accessible over the internet and you are unable to perform one of the above mitigation steps immediately, we recommend temporarily making it inaccessible until mitigation actions have been completed.