Rapid7 researchers disclosed two new critical security vulnerabilities, tracked as (CVSS score: 9.8) and (CVSS score: 7.3), in JetBrains TeamCity On-Premises.
An attacker can exploit the vulnerabilities to take control of affected systems.
Below are the descriptions for these vulnerabilities:
“The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.” reads the published by JetBrains.
The flaws impact all TeamCity On-Premises versions through 2023.11.3; they were addressed with the release of .
The company also released a security patch plugin for those customers who are unable to patch their systems.
The two flaws, discovered by Stephen Fewer, Principal Security Researcher at Rapid7, were disclosed following .
Rapid7 published a detailed analysis of the two flaws .
Describing the flaw CVE-2024-27198, the researchers pointed out that an unauthenticated attacker can use a specially crafted URL to bypass all authentication checks. A remote unauthenticated attacker can exploit this flaw to take complete control of a vulnerable TeamCity server.
Recently JetBrains addressed another critical vulnerability in TeamCity servers, tracked as CVE-2024-23917 (CVSS score: 9.8), that could be exploited by an unauthenticated attacker to gain administrative control of servers.