TeamCity Users Urged to Patch Critical Vulnerabilities
Software developer JetBrains has warned users of its popular TeamCity CI/CD tool that they should prioritize patching of two new vulnerabilities or risk compromise.
Discovered by Rapid7 last month, the bugs are listed as CVE-2024-27198 and CVE-2024-27199. The security vendor has now released exploit details, which makes patching more urgent.
The former is an authentication bypass vulnerability in the web component of TeamCity that arises from an alternative path issue (CWE-288) and has a CVSS base score of 9.8. The latter is an authentication bypass vulnerability in the web component of TeamCity that arises from a path traversal issue (CWE-22) and has a CVSS base score of 7.3.
“Both vulnerabilities are authentication bypass vulnerabilities, the most severe of which, CVE-2024-27198, allows for a complete compromise of a vulnerable TeamCity server by a remote unauthenticated attacker, including unauthenticated remote code execution (RCE),” said Rapid7 in a blog post.
“The second vulnerability, CVE-2024-27199, allows for a limited amount of information disclosure and a limited amount of system modification, including the ability for an unauthenticated attacker to replace the HTTPS certificate in a vulnerable TeamCity server with a certificate of the attacker’s choosing.”
Read more on TeamCity vulnerabilities: Patched Critical Flaw Exposed JetBrains TeamCity Servers
Rapid7 warned that compromising TeamCity servers would enable a threat actor to gain full remote control of projects, builds, agents and artifacts, putting them in a strong position to launch dangerous supply chain attacks.
JetBrains yesterday released a new version of the software, 2023.11.4, to fix the two vulnerabilities. It also published a security patch plugin so that customers who are unable to upgrade can still patch their environment.
“All versions of TeamCity On-Premises are affected by these vulnerabilities. Customers of TeamCity Cloud have already had their servers patched, and we have verified that they weren’t attacked,” the vendor said.