Published On: Mar 07, 2024 03:06
Advisory No: TZCERT/SA/2024/03/06
Source: JetBrains
Software Affected: TeamCity On-Premises
Two vulnerabilities exist in JetBrains TeamCity On-Premises that allow an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that server.
CVE-2024-27198 (CVSS base score 9.8, Critical): an authentication bypass in the web component of TeamCity caused by an alternative-path issue (CWE-288), where a request routed through an unintended path reaches privileged functionality without passing the normal authentication checks.
CVE-2024-27199 (CVSS base score 7.3, High): an authentication bypass in the web component of TeamCity caused by a path traversal issue (CWE-22). JetBrains rates this one lower because its impact is more limited (a limited amount of information disclosure and a limited amount of system modification).
Successful exploitation of these vulnerabilities may allow an unauthenticated attacker to bypass authentication and gain administrative control of the TeamCity server. Because a TeamCity server holds build credentials, secrets and pipelines, administrative control of it is also a software-supply-chain risk for every project it builds.
A fix for these vulnerabilities has been released. Users and administrators are encouraged to update their servers to TeamCity 2023.11.4. If you are unable to update, apply the security patch plugin that JetBrains released; it addresses only these two vulnerabilities and does not upgrade the server. Separate patch builds are provided for TeamCity 2018.2 and newer and for TeamCity 2018.1 and older.
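To decide which servers in an inventory need the update, an administrator only needs the version string TeamCity reports and a comparison against 2023.11.4. The script below is an added example written for this advisory, not JetBrains' code. It assumes the version is read from the `version` attribute of the `GET /app/rest/server` REST response (reachable with a user login via `/httpAuth/`, or via `/guestAuth/` when guest login is enabled); the XML response embedded here is constructed to match that shape, and the version strings in the sample list are made up for illustration.

```python
import re
import xml.etree.ElementTree as ET

# First TeamCity On-Premises version containing the fix for
# CVE-2024-27198 and CVE-2024-27199, as stated in the advisory.
FIXED_VERSION = (2023, 11, 4)

# TeamCity reports versions like "2023.11.3 (build 147512)" or "2024.03";
# only the leading dotted numeric part matters for the comparison.
_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(version_str):
    """Turn a TeamCity version string into a comparable (major, minor, patch) tuple.

    Missing minor/patch components are treated as 0, so "2024.03" -> (2024, 3, 0).
    """
    m = _VERSION_RE.match(version_str)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {version_str!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_vulnerable(version_str):
    """True when the reported version is older than 2023.11.4.

    Note: the security patch plugin does not change the reported version, so a
    server that was patched without updating still shows up as vulnerable here
    and must be checked separately for the installed plugin.
    """
    return parse_version(version_str) < FIXED_VERSION


def version_from_rest_server_xml(xml_text):
    """Extract the 'version' attribute from a /app/rest/server response body."""
    root = ET.fromstring(xml_text)
    if root.tag != "server" or "version" not in root.attrib:
        raise ValueError("unexpected /app/rest/server response: no <server version=...>")
    return root.attrib["version"]


def triage(version_strings):
    """Split an inventory of version strings into (needs_update, already_fixed)."""
    needs_update = [v for v in version_strings if is_vulnerable(v)]
    already_fixed = [v for v in version_strings if not is_vulnerable(v)]
    return needs_update, already_fixed


# Constructed sample response, modelled on the shape of /app/rest/server output
# (the build number is made up).
SAMPLE_RESPONSE = (
    '<server version="2023.11.3 (build 147512)" versionMajor="2023" '
    'versionMinor="11" buildNumber="147512"/>'
)

# Constructed inventory of version strings for illustration.
SAMPLE_INVENTORY = ["2023.11.3 (build 147512)", "2023.11.4", "2018.1.5", "2024.03"]


if __name__ == "__main__":
    reported = version_from_rest_server_xml(SAMPLE_RESPONSE)
    print(f"{reported}: {'UPDATE REQUIRED' if is_vulnerable(reported) else 'fixed'}")
    needs_update, already_fixed = triage(SAMPLE_INVENTORY)
    print("needs update:", needs_update)
    print("already fixed:", already_fixed)
```

The comparison is deliberately strict: anything below 2023.11.4, including every 2018.x and 2022.x build, is flagged, and only the version string is trusted, not a build number. Because the patch plugin leaves the version unchanged, treat a "needs update" result as "verify", not "confirmed unpatched", on servers where the plugin route was chosen.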