
Critical vulnerability in TeamCity servers exposes to administrative takeover

JetBrains, the developer of the build management server TeamCity, has urgently released patches to address critical authentication bypass vulnerabilities that pose a severe risk of full server compromise. The vulnerabilities, tracked as CVE-2024-27198 and CVE-2024-27199, affect the web component of TeamCity and stem from an alternative-path issue and a path traversal issue, respectively.

The more severe flaw, CVE-2024-27198, carries a CVSS score of 9.8 and enables remote, unauthenticated attackers to execute arbitrary code and ultimately gain administrative control over the TeamCity server. If exploited, it could lead to a complete compromise of all TeamCity projects, builds, agents and artifacts, potentially facilitating supply chain attacks, as highlighted by Rapid7, which identified the bugs.

The critical-severity issue is rooted in TeamCity's web server, typically exposed over HTTP port 8111 but configurable over HTTPS. Attackers can manipulate certain requests to evade authentication checks, allowing them to reach authenticated endpoints directly and create new administrator accounts, thereby seizing full control of vulnerable TeamCity servers.

The second flaw, CVE-2024-27199, with a CVSS score of 7.3, allows unauthenticated attackers to modify specific server settings and access sensitive information, although it does not grant the same level of access as the critical vulnerability.

JetBrains promptly addressed these vulnerabilities with the release of TeamCity version 2023.11.4 and provided a security patch plugin for customers who are unable to upgrade immediately. All versions of TeamCity On-Premises are susceptible to these vulnerabilities, necessitating immediate patch application. While TeamCity Cloud servers have been patched and safeguarded, on-premises customers are strongly advised to apply the patches promptly, as no backports of the fix are currently available.
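As an added illustration (not code from the article, JetBrains or Rapid7), the helper below applies the advisory's remediation rules to a server inventory: Cloud instances are already patched, on-premises servers at 2023.11.4 or later are patched, servers carrying the security patch plugin are mitigated, and everything else needs immediate action. The version-string format (`YYYY.MM[.patch]` with an optional `(build N)` suffix), the host names and the build numbers are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Tuple

FIXED_VERSION = (2023, 11, 4)  # TeamCity 2023.11.4, the fixed release named in the advisory
ADVISORY_CVES = ("CVE-2024-27198", "CVE-2024-27199")

# Assumed version format: "2023.11.3" or "2023.11.3 (build 1234)"; the build suffix is ignored.
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d{1,2})(?:\.(\d+))?(?:\s*\(build\s+\d+\))?\s*$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a TeamCity version string into a comparable (year, month, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {text!r}")
    year, month, patch = m.groups()
    return int(year), int(month), int(patch or 0)


@dataclass
class TeamCityServer:
    host: str
    version: str
    hosted_cloud: bool = False      # TeamCity Cloud was patched by JetBrains
    security_plugin: bool = False   # the standalone security patch plugin is installed


def assess(server: TeamCityServer) -> str:
    """Return 'patched', 'mitigated' or 'vulnerable' with respect to ADVISORY_CVES."""
    if server.hosted_cloud:
        return "patched"
    if parse_version(server.version) >= FIXED_VERSION:
        return "patched"
    if server.security_plugin:
        return "mitigated"  # plugin closes the bypass; upgrading remains the long-term fix
    return "vulnerable"     # no backports exist, so every older on-premises build is exposed


def triage(servers):
    """Map each host to its status; 'vulnerable' hosts need the patch applied now."""
    return {s.host: assess(s) for s in servers}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or build numbers.
    inventory = [
        TeamCityServer("ci-build01.example.internal", "2023.11.3 (build 1234)"),
        TeamCityServer("ci-build02.example.internal", "2023.11.4 (build 1240)"),
        TeamCityServer("ci-legacy.example.internal", "2022.10.1", security_plugin=True),
        TeamCityServer("team.example.teamcity.com", "2023.11.3", hosted_cloud=True),
    ]
    for host, status in triage(inventory).items():
        print(f"{host:32} {status}")
```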
