
Critical TeamCity Vulnerabilities Patched – CVE-2024-27198 & CVE-2024-27199


The vulnerabilities, identified as CVE-2024-27198 and CVE-2024-27199, could be exploited to perform unauthorized administrative actions. CVE-2024-27198, with a CVSS score of 9.8, is an authentication bypass that could allow attackers to perform admin actions, posing a critical threat. CVE-2024-27199, scored at 7.3, is a path traversal flaw that could enable attackers to perform limited admin actions. This means they could:

Two critical security vulnerabilities have surfaced in TeamCity On-Premises, the CI/CD pipeline server, that could allow attackers to essentially hijack your TeamCity server without even needing a password.


“The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” and all versions of TeamCity On-Premises are vulnerable. If you use JetBrains’ TeamCity Cloud, you’re already protected.

Technical details of vulnerabilities are usually withheld for a time so that teams can patch their systems first. In this case, however, Rapid7 (who discovered the vulnerabilities) released full details. This gives attackers a blueprint for exploitation, so patching before that happens is vital.

Immediate action

If your TeamCity server can be reached from the internet, and you haven’t patched it yet, take it offline temporarily until you do! This is a serious threat.
