JetBrains has issued a warning about a critical authentication bypass in its build management server TeamCity, stating that the flaw could be remotely exploited to execute arbitrary code.
Tracked as CVE-2024-23917 (CVSS score of 9.8), the vulnerability affects all TeamCity On-Premises versions from 2017.1 through 2023.11.2 and was found on January 19, 2024. As stated by JetBrains, “if exploited, the vulnerability may allow an unauthorized attacker with HTTP(S) access to a TeamCity server to evade authentication procedures and obtain administrative control of that TeamCity server.”
The issue is resolved in TeamCity On-Premises version 2023.11.3. JetBrains claims not to have seen any in-the-wild exploitation of the bug and has already patched TeamCity Cloud servers.
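For defenders checking their own estate, the following added example (not JetBrains code) sorts an inventory of On-Premises servers against the version range stated above. The hostnames, banner strings, build numbers and status labels are assumptions constructed for illustration.

```python
import re

# Range as stated in the article: 2017.1 through 2023.11.2 affected, fix in 2023.11.3.
FIRST_AFFECTED = (2017, 1, 0)
LAST_AFFECTED = (2023, 11, 2)

# Year-style version such as 2023.11.2 or 2023.05, not embedded in a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d{1,4})\.(\d{1,2})(?:\.(\d{1,3}))?(?![\d.])")


def parse_version(text):
    """Return (major, minor, patch) found in a version or banner string, else None."""
    m = _VERSION_RE.search(text or "")
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(text):
    """Map a reported version string to a triage status (labels are this example's own)."""
    version = parse_version(text)
    if version is None:
        return "unknown"          # cannot decide: check the server by hand
    if version < FIRST_AFFECTED:
        return "below-range"      # older than the range the article gives
    if version <= LAST_AFFECTED:
        return "affected"
    return "fixed"


def triage(inventory):
    """Group hosts by status; inventory maps host -> reported version string."""
    report = {}
    for host, banner in sorted(inventory.items()):
        report.setdefault(classify(banner), []).append(host)
    return report


# Constructed inventory: hostnames, banners and build numbers are made up.
SAMPLE_INVENTORY = {
    "ci-01.example.internal": "TeamCity Professional 2023.11.2 (build 00000)",
    "ci-02.example.internal": "2023.11.3",
    "ci-03.example.internal": "2023.05.4",
    "ci-04.example.internal": "2017.1",
    "ci-05.example.internal": "10.0.5",
    "ci-06.example.internal": "",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

A "below-range" result means only that the version is older than the range the article states, not that the server has been assessed.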