A critical vulnerability in the TeamCity CI/CD server could be exploited remotely, without authentication, to execute arbitrary code and gain administrative control over a vulnerable server.
Developed by JetBrains, TeamCity is a general-purpose build management and continuous integration platform available both for on-premises installation and as a cloud service.
The recently identified critical flaw, tracked as CVE-2023-42793 (CVSS score of 9.8), is described as an authentication bypass impacting the on-premises version of TeamCity.
The issue can be exploited by attackers over an HTTP(S) connection and does not require user interaction for successful exploitation, code security firm Sonar Source, which identified the bug, explains.
“This enables attackers not only to steal source code but also stored service secrets and private keys. And it’s even worse: With access to the build process, attackers can inject malicious code, compromising the integrity of software releases and impacting all downstream users,” Sonar notes.
This, Sonar says, is possible because CI/CD servers such as TeamCity automate the software development process, meaning that they have access to an organization’s source code and other sensitive information associated with the building, testing, and deployment processes.
According to JetBrains, all TeamCity on-premises instances up to and including version 2023.05.3 are impacted by this vulnerability. TeamCity cloud is not affected by the vulnerability.
The bug was addressed in TeamCity version 2023.05.4. JetBrains also released a security patch plugin for TeamCity versions 8.0 and above, but says it is not considering to backport the fix.
“The security patch plugin will only address the RCE vulnerability described above. We always recommend users upgrade their servers to the latest version to benefit from many other security updates,” JetBrains explains.
TeamCity servers that are accessible from the internet should be patched immediately or made inaccessible until the patch is installed.
Both JetBrains and Sonar say that technical details on the vulnerability are not being published for now. According to Sonar, the bug is trivial to exploit and it is likely that in-the-wild exploitation will be observed.