Experts disclosed two severe flaws in JetBrains TeamCity On-Premises software

Pierluigi Paganini March 05, 2024

Two new security flaws in JetBrains TeamCity On-Premises software can allow attackers to take over affected systems.

Rapid7 researchers disclosed two new security vulnerabilities, tracked as CVE-2024-27198 (CVSS score: 9.8, Critical) and CVE-2024-27199 (CVSS score: 7.3, High), in JetBrains TeamCity On-Premises.

An attacker can exploit the vulnerabilities to take control of affected systems.

Below are the descriptions for these vulnerabilities:

  • CVE-2024-27198 is an authentication bypass vulnerability in the web component of TeamCity that arises from an alternative path issue and has a CVSS base score of 9.8 (Critical).
  • CVE-2024-27199 is an authentication bypass vulnerability in the web component of TeamCity that arises from a path traversal issue and has a CVSS base score of 7.3 (High).

“The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.” reads the advisory published by JetBrains.

The flaws affect all TeamCity On-Premises versions through 2023.11.3 and were addressed in the fixed release that followed.
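Since the affected range is defined by a version boundary (everything through 2023.11.3), the practical first step for a defender is to read the version a server reports and compare it against that boundary. The following is an added example written for this article, not code from JetBrains, Rapid7 or the original post; the REST response shape `<server version="...">` and the `/app/rest/server` endpoint name are assumptions, and the sample XML is constructed rather than captured from a real server.

```python
"""Decide whether a TeamCity On-Premises version falls inside the affected range
(all releases through 2023.11.3, per the JetBrains advisory quoted above).
Added example; not code from JetBrains, Rapid7 or the article."""
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Last affected version named by the advisory (year, major, minor).
LAST_AFFECTED = (2023, 11, 3)

# TeamCity versions look like 2023.11.3 or 2024.03; a build number may follow.
_VERSION_RE = re.compile(r"(\d{4})\.(\d{1,2})(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (year, major, minor) from strings such as '2023.11.3',
    '2023.11.3 (build 147512)' or '2024.03' (missing minor means .0).
    Returns None when no version-shaped token is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    year, major, minor = m.group(1), m.group(2), m.group(3)
    return (int(year), int(major), int(minor) if minor else 0)


def is_affected(version: str) -> bool:
    """True when the version is <= 2023.11.3.
    Unparseable input is treated as affected so that a blank or malformed
    version banner never silently passes the check."""
    parsed = parse_version(version)
    if parsed is None:
        return True
    return parsed <= LAST_AFFECTED


def version_from_server_xml(xml_text: str) -> Optional[str]:
    """Pull the version attribute out of an XML server-info response.
    Assumption: the root element carries it as <server version="...">,
    which is the shape of the constructed sample below (assumed, not captured)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.get("version")


# Constructed sample response (shape assumed; not captured from a real server).
SAMPLE_SERVER_XML = (
    '<server version="2023.11.3 (build 147512)" '
    'versionMajor="2023" versionMinor="11"/>'
)


def assess(xml_text: str) -> str:
    """Turn a server-info response into a one-line verdict."""
    version = version_from_server_xml(xml_text)
    if version is None:
        return "unknown: could not read version"
    verdict = "AFFECTED" if is_affected(version) else "not affected"
    return f"{version}: {verdict}"


if __name__ == "__main__":
    # In practice the XML would come from an HTTP GET of the assumed
    # /app/rest/server endpoint; here the constructed sample stands in for it.
    print(assess(SAMPLE_SERVER_XML))
```

The comparison is done on integer tuples rather than on the raw strings, so that 2023.05.4 sorts below 2023.11.3 and 2024.03 sorts above it; string comparison would get both of those wrong in some cases. Treating an unreadable version as affected is deliberate: for a check like this a false positive costs a manual look, whereas a false negative leaves an exposed server unpatched.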

The company also released a security patch plugin for those customers who are unable to patch their systems.

The two flaws were discovered by Stephen Fewer, Principal Security Researcher at Rapid7, and were disclosed following Rapid7's vulnerability disclosure policy.

Rapid7 published a detailed analysis of the two flaws.

Describing CVE-2024-27198, the researchers pointed out that a remote, unauthenticated attacker can use a specially crafted URL to bypass all authentication checks and take complete control of a vulnerable TeamCity server.

Recently, JetBrains addressed another critical vulnerability in TeamCity servers, tracked as CVE-2024-23917 (CVSS score: 9.8), that could be exploited by an unauthenticated attacker to gain administrative control of the server.
