JetBrains on Tuesday warned that a critical authentication bypass in the popular build management server TeamCity could be exploited remotely for arbitrary code execution.
Tracked as CVE-2024-23917 (CVSS score of 9.8), the flaw was discovered on January 19, 2024, and impacts all TeamCity On-Premises versions from 2017.1 through 2023.11.2.
“If abused, the flaw may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” JetBrains explains.
The issue was addressed with the release of TeamCity On-Premises version 2023.11.3. JetBrains has already patched TeamCity Cloud servers and says that it has not observed in-the-wild exploitation of the bug.
“We strongly advise all TeamCity On-Premises users to update their servers to 2023.11.3 to eliminate the vulnerability,” the software development company notes.
JetBrains also released a security patch plugin for users who cannot update their servers, which can be installed on all affected TeamCity versions. The plugin, however, only addresses this vulnerability and does not include other security updates.
TeamCity servers that are publicly accessible but which cannot be updated or patched should be removed from the internet immediately and should remain so until mitigations have been applied, the software developer notes.
Given that the security plugin is compatible with TeamCity iterations starting with version 2017.1, JetBrains is not considering backporting the fix for now.
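As an added defender-side example, not JetBrains' code and not part of the original article, the following Python triages a server inventory against the version boundaries the advisory states (affected 2017.1 through 2023.11.2, fixed in 2023.11.3) and applies the advisory's guidance on exposed, unpatched servers. The hostnames, version strings, build numbers and plugin status in INVENTORY are constructed sample data, and parse_version, status and triage are names chosen for this example.

```python
"""Inventory triage for CVE-2024-23917 (TeamCity On-Premises).

Added example, not JetBrains' code. Version boundaries come from the advisory:
affected 2017.1 through 2023.11.2, fixed in 2023.11.3. The inventory below is
constructed sample data.
"""
import re

# Boundaries from the advisory, padded to three components for comparison.
AFFECTED_FROM = (2017, 1, 0)
FIXED_IN = (2023, 11, 3)


def parse_version(version: str) -> tuple:
    """Turn a TeamCity version string such as '2023.11.2' into a comparable tuple.

    Anything after the numeric prefix (e.g. a ' (build NNN)' suffix) is ignored,
    and short versions like '2017.1' are padded with zeros so they compare
    correctly against three-part versions.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def status(version: str, plugin_installed: bool = False) -> str:
    """Classify one server for this CVE.

    'patched'     -> 2023.11.3 or later
    'mitigated'   -> affected version, but the security patch plugin is installed
    'vulnerable'  -> affected version without the plugin
    'not-listed'  -> older than 2017.1, which the advisory does not list
    """
    v = parse_version(version)
    if v >= FIXED_IN:
        return "patched"
    if v < AFFECTED_FROM:
        return "not-listed"
    return "mitigated" if plugin_installed else "vulnerable"


# Constructed sample inventory: (hostname, version, plugin installed, internet-exposed)
INVENTORY = [
    ("ci-a.internal", "2023.11.3", False, False),
    ("ci-b.internal", "2023.11.2", False, True),
    ("ci-c.internal", "2022.04.1 (build 108111)", True, True),
    ("ci-d.internal", "2017.1", False, False),
]


def triage(inventory=INVENTORY) -> list:
    """Return (host, status, action) rows.

    Per the advisory, a publicly accessible server that cannot be updated or
    patched should come off the internet until mitigations are applied, and the
    plugin only covers this vulnerability, so a full update is still needed.
    """
    rows = []
    for host, version, plugin, exposed in inventory:
        s = status(version, plugin)
        if s == "vulnerable" and exposed:
            action = "remove from internet, then update to 2023.11.3 or install plugin"
        elif s == "vulnerable":
            action = "update to 2023.11.3 or install plugin"
        elif s == "mitigated":
            action = "plugin covers only this CVE; schedule update to 2023.11.3"
        else:
            action = "no action for CVE-2024-23917"
        rows.append((host, s, action))
    return rows


if __name__ == "__main__":
    for host, s, action in triage():
        print(f"{host:16} {s:12} {action}")
```

The version comparison is tuple-based rather than string-based so that, for example, 2023.11.2 sorts below 2023.11.3 and 2017.1 below 2023.11.2; a plain string comparison would get multi-digit components wrong.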
TeamCity is a general-purpose continuous integration and continuous delivery (CI/CD) platform for DevOps teams. TeamCity is the third most popular CI/CD solution today, with a market share of roughly 6%.