Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

26 Security Issues Patched in TeamCity

JetBrains patches 26 security issues in TeamCity and takes steps to avoid malicious exploitation of vulnerabilities.

TeamCity CVE-2024-27198 exploited

JetBrains has patched 26 security issues in its TeamCity build management and continuous integration server, and it has taken steps to reduce the risk of vulnerabilities being exploited in malicious attacks.

TeamCity 2024.03, released on March 27, patches 26 ‘security problems’, according to JetBrains. The company highlighted that it’s not sharing the details of security-related issues “to avoid compromising clients that keep using previous bugfix and/or major versions of TeamCity”.

The company did reveal, however, that TeamCity 2024.03 patches seven CVEs, including CVE-2024-31136, a high-severity flaw that can be exploited to bypass two-factor authentication by providing a specially crafted URL parameter.

The list of patched vulnerabilities also includes medium-severity issues, including an open redirect on the login page, the ability of authenticated users with non-admin privileges to register other users with self-registration disabled, and server administrators being able to remove arbitrary files from the server.

The remaining security holes that have been assigned CVE identifiers are three medium-severity cross-site scripting (XSS) bugs, which typically allow arbitrary code execution if the victim can be tricked into clicking on a specially crafted link.

JetBrains also announced the introduction of semi-automatic security updates with the release of TeamCity 2024.03. With this feature, critical security updates are automatically downloaded when they become available, but an administrator still needs to approve their installation. 

“This approach helps to keep your system fortified against emerging risks and to swiftly tackle major vulnerabilities,” the company told customers.

The semi-automatic updates and the company highlighting that it’s not disclosing any vulnerability details comes a few weeks after a botched disclosure that led to a critical flaw getting exploited in the wild shortly after it was patched.

Advertisement. Scroll to continue reading.

The incident involved CVE-2024-27198, a critical flaw that can be exploited by remote, unauthenticated attackers to take complete control of a TeamCity server.

Due to miscommunication between Rapid7, whose researchers discovered the security hole, and JetBrains, details of CVE-2024-27198 were made public a few hours after the vendor announced fixes. The first in-the-wild exploitation attempts were seen on the same day.

Rapid7 was concerned that JetBrains would attempt to silently patch the vulnerability and the vendor was concerned that the cybersecurity firm would disclose details too quickly. JetBrains informed customers about patches without telling Rapid7, which decided to immediately disclose details.

Hundreds of vulnerable TeamCity instances were apparently compromised, including as part of ransomware attacks.

Related: Russian Cyberspies Exploiting TeamCity Vulnerability at Scale: Government Agencies

Related: Recently Patched TeamCity Vulnerability Exploited to Hack Servers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Cody Barrow has been appointed the new CEO of threat intelligence company EclecticIQ.

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.