Critical Alert: CVE-2024-23917 Exposes TeamCity to Unauthenticated Attacks

CVE-2024-23917

Recently, a critical security vulnerability, known as CVE-2024-23917, was identified within TeamCity On-Premises, JetBrains’ popular continuous integration and deployment system. This flaw, if exploited, could allow an unauthenticated attacker with HTTP(S) access to bypass authentication checks and seize administrative control over a TeamCity server. The implications of such an attack could be dire, affecting the integrity and security of the software development lifecycle in organizations relying on this tool.

Assigned a Common Vulnerability Scoring System (CVSS) score of 9.8, CVE-2024-23917 falls into the critical category, signaling a high risk of exploitability and impact. It exploits the weakness identified as CWE-288, an Authentication Bypass Using an Alternate Path or Channel, affecting all versions of TeamCity On-Premises from 2017.1 to 2023.11.2.

CVE-2024-23917

“If abused, the flaw may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,”  the company wrote.

Fortunately, TeamCity Cloud servers were patched in advance, and there have been no reported attacks, highlighting the effectiveness of proactive security measures. However, the widespread impact of this vulnerability on On-Premises installations requires immediate attention.

JetBrains has acted swiftly to address CVE-2024-23917 by releasing version 2023.11.3 of TeamCity On-Premises, which contains a fix for the vulnerability. Users are urged to update their servers to this latest version to protect their systems from potential exploitation. The update process is straightforward, with options for direct download or automatic updates within TeamCity, ensuring that all users can secure their environments with minimal disruption.

For those unable to update immediately to version 2023.11.3, JetBrains has also provided a lifeline in the form of a security patch plugin. This plugin can be applied to affected versions (TeamCity 2018.2+ | TeamCity 2017.1, 2017.2, and 2018.1) to mitigate the vulnerability, offering a temporary shield while planning for a more permanent upgrade.

JetBrains recommends that all users upgrade to the latest version of TeamCity On-Premises to benefit from comprehensive security improvements beyond the patch for CVE-2024-23917. For those with servers publicly accessible over the internet, taking immediate steps to mitigate risk is crucial, even if that means temporarily making servers inaccessible until updates or patches are applied.