SecurityWeek

Critical Vulnerability Exposes TeamCity Servers to Takeover

A critical authentication bypass in TeamCity allows remote attackers to take full control of vulnerable servers.

JetBrains on Monday released patches for two authentication bypass vulnerabilities in the build management server TeamCity, including a critical-severity flaw leading to full compromise.

Tracked as CVE-2024-27198 (CVSS score of 9.8) and CVE-2024-27199 (CVSS score of 7.3), the security defects impact the web component of TeamCity and stem from an alternative-path authentication bypass and a path traversal issue, respectively.

“If abused, the flaws may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass the authentication checks and gain administrative control of the TeamCity server,” JetBrains notes in its advisory.

According to Rapid7, which identified the bugs, CVE-2024-27198 could allow a remote, unauthenticated attacker to execute arbitrary code and completely compromise the vulnerable server, taking over “all TeamCity projects, builds, agents and artifacts”.

By exploiting the critical-severity issue, an attacker could position themselves “to perform a supply chain attack”, Rapid7 explains in a technical writeup.

The security hole is related to TeamCity’s web server, which is exposed over the HTTP port 8111 by default, and which can be configured over HTTPS as well. Due to the way certain requests are handled, an attacker could change a URL to call arbitrary endpoints and create a new administrator user.

“An attacker can craft a URL such that all authentication checks are avoided, allowing endpoints that are intended to be authenticated to be accessed directly by an unauthenticated attacker. A remote unauthenticated attacker can leverage this to take complete control of a vulnerable TeamCity server,” Rapid7 explains.

The high-severity flaw, CVE-2024-27199, does not provide the same level of access to authenticated endpoints but allows an unauthenticated attacker to modify certain settings on the server (such as uploading their own HTTPS certificate) and access sensitive information.

“An attacker could perform a denial of service against the TeamCity server by either changing the HTTPS port number to a value not expected by clients, or by uploading a certificate that will fail client-side validation. Alternatively, an attacker with a suitable position on the network may be able to perform either eavesdropping or a man-in-the-middle attack on client connections,” Rapid7 explains.

Both vulnerabilities were addressed with the release of TeamCity version 2023.11.4. JetBrains also released a security patch plugin for customers who cannot upgrade to the latest version.

“All versions of TeamCity On-Premises are affected by these vulnerabilities. Customers of TeamCity Cloud have already had their servers patched, and we have verified that they weren’t attacked,” JetBrains notes.

Given that no backports of the fix are considered at this time, TeamCity On-Premises customers are advised to apply the available patches as soon as possible.

Related: JetBrains Patches Critical Authentication Bypass in TeamCity

Related: Russian Cyberspies Exploiting TeamCity Vulnerability at Scale: Government Agencies

Related: North Korean Hackers Exploiting Recent TeamCity Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
