A critical security vulnerability has been identified in TeamCity On-Premises, tracked as CVE-2024-23917 with a CVSS score of 9.8. The flaw allows an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that server. This poses a significant risk because it could enable remote code execution (RCE) without any user interaction.
TeamCity, a build management and continuous integration server developed by JetBrains, can be installed on-premises or used as a cloud service. The vulnerability, classified as an Authentication Bypass Using an Alternate Path or Channel (CWE-288), affects all TeamCity On-Premises versions from 2017.1 through 2023.11.2. TeamCity Cloud servers have already been patched and verified to be secure.
Shadowserver has observed 1052 vulnerable JetBrains TeamCity instances exposed to the Internet. Most of the exposed instances are located in the US (332 instances) and Germany (120 instances). The issue has been addressed in version 2023.11.3, and JetBrains has already notified its customers.
In light of the security vulnerability, JetBrains strongly advises all TeamCity On-Premises users to update their servers to version 2023.11.3 to eliminate exposure to the vulnerability. For those who cannot update immediately, JetBrains has released a security patch plugin so that the environment can still be patched.
The security patch plugin can be found here:
– For TeamCity 2018.2+: https://gbhackers.com/1000-jetbrains-teamcity-instances/
– For TeamCity 2017.1, 2017.2, and 2018.1: https://gbhackers.com/1000-jetbrains-teamcity-instances/
If it is not possible to apply the mitigation steps immediately, JetBrains recommends temporarily making the server inaccessible over the internet until the necessary actions have been taken.
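To turn the advisory's affected range and mitigation ladder into something an administrator can run against an inventory, the following is an added example (not code from the article or from JetBrains). It parses TeamCity version strings of the form "2023.11.2 (build NNNNN)", decides whether a version falls inside the affected range 2017.1 through 2023.11.2, and maps an affected version to the corresponding patch plugin generation (2018.2+ versus 2017.1 to 2018.1). The XML server-info snippet is constructed for illustration; the attribute layout is an assumption, not a captured response.

```python
import re
import xml.etree.ElementTree as ET

# Inclusive affected range and fixed release, taken from the advisory text.
AFFECTED_FROM = (2017, 1, 0)
AFFECTED_TO = (2023, 11, 2)
FIXED_VERSION = (2023, 11, 3)

# Constructed sample of a server-info document. The element and attribute
# names are an assumption for this example, not a real TeamCity response.
SAMPLE_SERVER_XML = (
    '<server version="2023.11.1 (build 00000)" versionMajor="2023" '
    'versionMinor="11" buildNumber="00000"/>'
)

VERSION_RE = re.compile(r"\s*(\d{4})\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn '2023.11.2 (build 00000)' or '2018.2' into a (year, minor, patch) tuple.

    Trailing build information is ignored; a missing patch component counts as 0
    so that '2018.2' and '2018.2.0' compare equal.
    """
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised TeamCity version string: {text!r}")
    year, minor, patch = match.groups()
    return (int(year), int(minor), int(patch or 0))


def version_from_server_xml(xml_text):
    """Extract the version tuple from a server-info XML document."""
    root = ET.fromstring(xml_text)
    return parse_version(root.attrib["version"])


def is_affected(version):
    """True when the version lies in the advisory's affected range (inclusive)."""
    return AFFECTED_FROM <= version <= AFFECTED_TO


def recommend(version_text):
    """Map a version string to the action the advisory recommends.

    Order of preference: upgrade to the fixed release; if that is not possible,
    apply the patch plugin matching the server's generation; if neither can be
    done right away, keep the server off the Internet until it is patched.
    """
    version = parse_version(version_text)
    if not is_affected(version):
        return "not affected"
    plugin = "plugin for 2018.2+" if version >= (2018, 2, 0) else "plugin for 2017.1-2018.1"
    fixed = ".".join(str(part) for part in FIXED_VERSION)
    return f"upgrade to {fixed}; interim: {plugin}; otherwise keep server off the Internet"


if __name__ == "__main__":
    for sample in ["2017.2", "2018.1", "2023.11.2 (build 00000)", "2023.11.3", "2024.03"]:
        print(f"{sample:28} -> {recommend(sample)}")
    print("sample XML ->", recommend(ET.fromstring(SAMPLE_SERVER_XML).attrib["version"]))
```

Note that the comparison works on tuples rather than on the raw strings: a string comparison would place "2023.5.1" after "2023.11.2" and misclassify it, which is exactly the kind of off-by-one that leaves a host unpatched.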
It is recommended to keep up-to-date on cybersecurity news and developments by following The Cybersecurity News on LinkedIn and Twitter for the latest updates.