TeamCity hit by critical software supply chain bugs

JetBrains is advising immediate patching of two new vulnerabilities affecting its TeamCity software, a CI/CD pipeline tool that can allow attackers to gain unauthenticated administrative access.

Tracked under CVE-2024-27198 and CVE-2024-27199, the critical bugs have already been fixed within TeamCity cloud servers with an on-premises patch available with version 2023.11.4.

“The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” JetBrains said in a blog post on the issue. “The vulnerabilities affect all TeamCity On-Premises versions through 2023.11.3.”

TeamCity is a widely used tool for managing CI/CD pipelines, the continuous process of building, deploying, and testing software codes, adopted by a range of global brands including Tesla, McAfee, Samsung, Nvidia, HP, and Motorola.

Critical server jacking bugs

The bugs were first reported to JetBrains by Rapid7 as two new critical TeamCity on-premises flaws that could allow attackers to gain administrative control of the TeamCity server. They were subsequently assigned high CVSS base scores of 9.8/10 (CVE-2024-27198) and 7.5/10 (CVE-2024-27199).

While both JetBrains and Rapid7 have yet to disclose the technical details of how exactly the vulnerabilities can be exploited, a full disclosure is expected shortly.