Critical Vulnerability Exposes TeamCity Servers to Takeover

March 5, 2024 at 07:06AM

JetBrains has released patches for critical authentication bypass vulnerabilities in its TeamCity build management server. Tracked as CVE-2024-27198 and CVE-2024-27199, these flaws allow unauthenticated attackers to gain full control of the server, execute arbitrary code, and access sensitive information. A security fix is available in TeamCity version 2023.11.4. Customers are advised to apply the patches promptly.

Key takeaways are as follows:

1. JetBrains released patches for two critical authentication bypass vulnerabilities in the TeamCity build management server, tracked as CVE-2024-27198 and CVE-2024-27199.
2. These vulnerabilities could allow an unauthenticated attacker to gain administrative control of the TeamCity server, execute arbitrary code, compromise the server, and even perform a supply chain attack.
3. The security flaws affect the web component of TeamCity and stem from an alternative-path issue and a path traversal issue.
4. The vulnerabilities were addressed with the release of TeamCity version 2023.11.4, and a security patch plugin was also made available for customers who cannot immediately upgrade.
5. TeamCity On-Premises customers are advised to apply the available patches as soon as possible, as no backports of the fix are considered at this time.
6. Customers of TeamCity Cloud have already had their servers patched, and no attacks have been verified.
