TeamCity Patches 26 Security Flaws, Implements Semi-Automatic Updates

March 29, 2024

JetBrains has recently rectified 26 security vulnerabilities in its TeamCity build management and continuous integration server. This was done in an effort to mitigate the risk of these vulnerabilities being exploited for malicious purposes. The new version of TeamCity, 2024.03, which was launched on March 27, incorporates these fixes. However, JetBrains has refrained from divulging the specifics of these security-related issues in order to safeguard clients who continue to use older versions of TeamCity.

The company did share that TeamCity 2024.03 rectifies seven CVEs, including CVE-2024-31136, a high-severity flaw that can be exploited to bypass two-factor authentication by supplying a specially crafted URL parameter. The list of patched vulnerabilities also encompasses medium-severity issues, such as an open redirect on the login page, the ability for authenticated users with non-admin privileges to register other users even when self-registration is disabled, and server administrators being able to delete arbitrary files from the server.

The remaining security gaps that have been assigned CVE identifiers are three medium-severity cross-site scripting (XSS) bugs. These bugs typically enable arbitrary code execution if the victim can be deceived into clicking on a specially crafted link.

JetBrains has also introduced semi-automatic security updates with the release of TeamCity 2024.03. Under this feature, critical security updates are automatically downloaded when they become available, but an administrator still needs to approve their installation. “This approach helps to keep your system fortified against emerging risks and to swiftly tackle major vulnerabilities,” the company informed its customers.

The introduction of semi-automatic updates and the company's decision not to disclose any vulnerability details comes in the wake of a poorly handled disclosure that resulted in a critical flaw being exploited in the wild shortly after it was patched. The incident involved CVE-2024-27198, a critical flaw that can be exploited by remote, unauthenticated attackers to gain complete control of a TeamCity server. Due to a miscommunication between Rapid7, whose researchers found the security hole, and JetBrains, details of CVE-2024-27198 were made public a few hours after the vendor announced fixes. Exploitation attempts in the wild were observed on the same day. Rapid7 was worried that JetBrains would try to patch the vulnerability quietly, and the vendor was worried that the cybersecurity firm would disclose details too quickly. JetBrains informed customers about patches without informing Rapid7, which decided to immediately disclose details. Hundreds of vulnerable TeamCity instances were reportedly compromised, including during ransomware attacks.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.