CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-23917

CVSS 9.8v3.1pub. 2024-02-06upd. 2024-11-21

In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible

🤖 AI Analysis
How it works

The vulnerability classified as CWE-288 (Authentication Bypass Using an Alternate Path) and CWE-306 (Missing Authentication for Critical Function) indicates that the application does not require proper authentication for at least one critical function or provides an alternative access path that bypasses identity control mechanisms. An unauthenticated attacker can remotely exploit this flaw over the network to gain access to protected TeamCity server resources. Consequently, arbitrary code execution on the CI/CD server is possible.

Impact

An attacker can gain full control over the TeamCity server without any credentials by executing arbitrary code (RCE), which may lead to CI/CD pipeline compromise, theft of secrets, source code data, and further lateral movement within the organization's infrastructure.

Mitigation & patch

JetBrains TeamCity must be immediately updated to version 2023.11.3 or later. Detailed information about available patches is available in the vendor's references at https://www.jetbrains.com/privacy-security/issues-fixed/

Who is affected

JetBrains TeamCity in all versions before 2023.11.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Jetbrains Teamcity

    APP
    Jetbrains
    < 2023.11.3
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth BypassCI/CD
CWE
References

Related vulnerabilities

CVE-2024-27198CRITICAL9.8⚠ KEVPL ✓ten sam produkt

JetBrains TeamCity — Authentication Bypass umożliwiający działania administracyjne

CVE-2023-42793CRITICAL9.8⚠ KEVten sam produkt

In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible

CVE-2023-34218CRITICAL9.1ten sam produkt

In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possibl...

CVE-2022-24331CRITICAL9.8ten sam produkt

In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible.

CVE-2022-24340CRITICAL9.8ten sam produkt

In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible.