JetBrains has fixed two critical security vulnerabilities (CVE-2024-27198, CVE-2024-27199) affecting TeamCity On-Premises and is urging customers to patch them immediately.
“Rapid7 originally identified and reported these vulnerabilities to us and has chosen to adhere strictly to its own vulnerability disclosure policy. This means that their team will publish full technical details of these vulnerabilities and their replication steps within 24 hours of this notice,” the company stated today.
This also means that proof-of-concept and full exploits are likely to surface and be leveraged quickly.
About the vulnerabilities (CVE-2024-27198, CVE-2024-27199)
TeamCity by JetBrains is a continuous integration and continuous delivery (CI/CD) server whose vulnerabilities have lately been exploited by Russian and North Korean state-sponsored attackers.
CVE-2024-27198 and CVE-2024-27199 may allow attackers to bypass authentication by using an alternate path or channel (CWE-288) and to traverse the file system to access files/directories outside of the restricted directory (CWE-23).
“The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” the company warns.
They affect all TeamCity On-Premises versions through 2023.11.3, and have been fixed in version 2023.11.4.
“TeamCity Cloud servers have already been patched, and we have verified that they weren’t attacked,” the company reassured.
Update, patch, or take your server off the internet
Customers are advised to upgrade to the fixed version (either manually or by using the automatic update option within the solution) or to apply the security patch plugin – compatible with all TeamCity versions – if they can’t upgrade their servers to v2023.
“JetBrains’ policy typically involves withholding technical details of vulnerabilities for a longer period of time after a release to ensure thorough mitigation; however, this accelerated timeline necessitates an immediate server upgrade or patching to prevent exploitation,” the company added.
“If your server is publicly accessible over the internet, and you are unable to immediately perform one of the mitigation steps described below, we strongly recommend making your server inaccessible until mitigation actions have been completed.”