TeamCity Patches 26 Security Flaws, Implements Semi-Automatic Updates

March 29, 2024

JetBrains has recently rectified 26 security vulnerabilities in its TeamCity build management and continuous integration server. This was done in an effort to mitigate the risk of these vulnerabilities being exploited for malicious purposes. The new version of TeamCity, 2024.03, which was launched on March 27, incorporates these fixes. However, JetBrains has refrained from divulging the specifics of these security-related issues in order to safeguard clients who continue to use older versions of TeamCity.

The company did share that TeamCity 2024.03 rectifies seven CVEs, including CVE-2024-31136, a high-severity flaw that can be exploited to bypass two-factor authentication by supplying a specially crafted URL parameter. The list of patched vulnerabilities also encompasses medium-severity issues, such as an open redirect on the login page, the ability for authenticated users with non-admin privileges to register other users even when self-registration is disabled, and server administrators being able to delete arbitrary files from the server.

The remaining security gaps that have been assigned CVE identifiers are three medium-severity cross-site scripting (XSS) bugs. These bugs typically enable arbitrary code execution if the victim can be deceived into clicking on a specially crafted link.

JetBrains has also introduced semi-automatic security updates with the release of TeamCity 2024.03. Under this feature, critical security updates are automatically downloaded when they become available, but an administrator still needs to approve their installation. “This approach helps to keep your system fortified against emerging risks and to swiftly tackle major vulnerabilities,” the company informed its customers.

The introduction of semi-automatic updates and the company's decision not to disclose any vulnerability details comes in the wake of a poorly handled disclosure that resulted in a critical flaw being exploited in the wild shortly after it was patched. The incident involved CVE-2024-27198, a critical flaw that can be exploited by remote, unauthenticated attackers to gain complete control of a TeamCity server. Due to a miscommunication between Rapid7, whose researchers found the security hole, and JetBrains, details of CVE-2024-27198 were made public a few hours after the vendor announced fixes. Exploitation attempts in the wild were observed on the same day. Rapid7 was worried that JetBrains would try to patch the vulnerability quietly, and the vendor was worried that the cybersecurity firm would disclose details too quickly. JetBrains informed customers about patches without informing Rapid7, which decided to immediately disclose details. Hundreds of vulnerable TeamCity instances were reportedly compromised, including during ransomware attacks.

Related News

• Rise in Ransomware, Cryptomining, and RAT Attacks Due to TeamCity Vulnerability
• BianLian Threat Actors Utilize JetBrains TeamCity Vulnerabilities in Ransomware Assaults
• CISA Highlights Active Exploitation of JetBrains TeamCity Software Vulnerability
• Widespread Exploitation of Critical TeamCity Flaw to Create Admin Accounts
• Massive Exploitation of TeamCity Auth Bypass Vulnerability Leads to Creation of Admin Accounts

Latest News

• Google Patches Chrome Zero-Days Exposed at Pwn2Own 2024
• CISA Reports Exploitation of Second SharePoint Flaw Revealed at Pwn2Own
• Apple Releases Details on Security Bug Allowing Remote Code Execution
• German Cybersecurity Authority Raises Alarm Over 17K Vulnerable Microsoft Exchange Servers
• ShadowRay: Hackers Exploit Unpatched Ray Framework Vulnerability to Breach Servers