
JetBrains Fixes TeamCity Authentication Bypass Flaws


UPDATE - Software development company JetBrains has released patches for two vulnerabilities in the on-premises versions of TeamCity, its Continuous Integration and Deployment (CI/CD) server. As of Thursday, exploitation of the flaws has been observed.

If exploited, the two flaws (CVE-2024-27198 and CVE-2024-27199) could allow an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass the authentication checks and gain administrative control of the TeamCity server.

The flaws, which exist in all TeamCity on-premises versions through 2023.11.3, have been fixed in version 2023.11.4. JetBrains is urging customers to update their TeamCity servers “immediately.”

“All versions of TeamCity On-Premises are affected by these vulnerabilities,” said Daniel Gallo, TeamCity Solutions Engineer with JetBrains, in a Sunday post. “Customers of TeamCity Cloud have already had their servers patched, and we have verified that they weren’t attacked.”

Rapid7 Principal Security Researcher Stephen Fewer, who discovered the flaws, said they both stem from authentication bypass issues in the web component of TeamCity. The critical-severity CVE-2024-27198 (which has a CVSS score of 9.8) stems from an alternative path issue, while CVE-2024-27199 (with a CVSS score of 7.3) arises from a path traversal issue.

In an analysis of the flaws, Fewer said that CVE-2024-27199 enables a limited amount of information disclosure and system modification if exploited, while CVE-2024-27198 could allow a remote, unauthenticated attacker to completely compromise vulnerable TeamCity servers.

“Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack,” said Fewer.

Researchers made initial contact with JetBrains regarding the flaws via email on Feb. 15, and JetBrains released a version of TeamCity on Monday that contained fixes.

TeamCity, a tool that helps automate the processes for building, testing and deploying software applications, is a “widely used” CI/CD server that is deployed by more than 30,000 customers globally (including on-premises and cloud-hosted servers).

JetBrains last year disclosed a critical-severity authentication bypass flaw in certain instances of TeamCity CI/CD, which could allow unauthenticated attackers to perform remote code execution attacks and gain administrative control of the TeamCity server. The flaw was later exploited by Russian threat actors in order to escalate privileges, deploy malware and establish persistent access in compromised environments.

This article was updated on March 8 to reflect that the flaw is now being exploited in the wild.