A severe security flaw has been identified in TeamCity, the CI/CD and build management server developed by JetBrains. The vulnerability, tracked as CVE-2023-42793, allows unauthenticated attackers to execute code remotely and take control of vulnerable servers. It affects the on-premises version of TeamCity and can be exploited over an HTTP(S) connection without any user interaction, which is what makes it so severe. The bug was discovered by code security firm SonarSource.
The company explained, “This enables attackers not only to steal source code but also stored service secrets and private keys. And it’s even worse: With access to the build process, attackers can inject malicious code, compromising the integrity of software releases and impacting all downstream users.” CI/CD servers like TeamCity automate the software development process, meaning they have access to an organization’s source code and other sensitive information associated with the building, testing, and deployment processes.
According to JetBrains, all on-premises TeamCity instances up to and including version 2023.05.3 are affected. TeamCity Cloud is not impacted. The flaw is fixed in TeamCity 2023.05.4. For customers who cannot upgrade, JetBrains also released a security patch plugin that works on TeamCity 8.0 and later, but stated that it will not backport the fix into older release branches.
JetBrains advised, “The security patch plugin will only address the RCE vulnerability described above. We always recommend users upgrade their servers to the latest version to benefit from many other security updates.” Servers that are accessible from the internet should be patched immediately or made inaccessible until the patch is installed.
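For anyone triaging an estate of TeamCity servers, the decision rule above reduces to a version comparison plus a check for the patch plugin. The script below is an added example, not code from JetBrains or Sonar: it parses the version strings an administrator would collect from each server's Administration page and flags the hosts that still need action. The inventory it runs over is constructed for illustration, and the assumption that a server is considered covered once either it runs 2023.05.4 or later or it has the security patch plugin installed follows the advisory text above.

```python
import re

# First release that carries the fix for CVE-2023-42793, per JetBrains.
FIXED_VERSION = (2023, 5, 4)
# Oldest release the security patch plugin supports, per JetBrains.
PLUGIN_MIN_VERSION = (8, 0, 0)

# TeamCity versions look like 2023.05.3, 2022.10, or 9.1.7; the admin UI
# often appends "(build NNNNNN)", which the regex simply ignores.
_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from a TeamCity version string.

    Missing components are treated as 0, so '2022.10' becomes (2022, 10, 0).
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def needs_action(version_text, patch_plugin_installed=False):
    """True if an on-premises server still needs remediation for CVE-2023-42793.

    A server is considered covered when it runs the fixed release or newer,
    or when it runs 8.0+ with JetBrains' security patch plugin installed.
    The plugin only addresses this RCE, so upgrading is still the advised path.
    """
    version = parse_version(version_text)
    if version >= FIXED_VERSION:
        return False
    if patch_plugin_installed and version >= PLUGIN_MIN_VERSION:
        return False
    return True


def triage(inventory):
    """Return the hostnames from inventory that still need remediation.

    inventory: iterable of (hostname, version_text, patch_plugin_installed).
    """
    return [host for host, ver, plugin in inventory if needs_action(ver, plugin)]


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("ci-prod.example.internal", "2023.05.3 (build 129390)", False),
    ("ci-staging.example.internal", "2023.05.4 (build 129421)", False),
    ("ci-legacy.example.internal", "2022.10", True),
    ("ci-archive.example.internal", "7.1.5", True),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to 2023.05.4+ or restrict network access")
```

Run against the sample inventory, the script flags ci-prod (vulnerable release, no plugin) and ci-archive (older than 8.0, so the plugin cannot help it), and treats ci-legacy as covered only for this specific RCE. Internet-facing hosts in the flagged list should be patched or taken offline first, as the advisory recommends.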
Both JetBrains and Sonar have withheld technical details about the vulnerability for now. However, Sonar warned that the bug is easy to exploit and it is likely that exploitation in the wild will be observed.