DIVD-2024-00006 - Authentication Bypass in JetBrains TeamCity
| Our reference | DIVD-2024-00006 |
| Case lead | Alwin Warringa |
| Researcher(s) |
|
| CVE(s) | |
| Products |
|
| Versions |
|
| Recommendation | Upgrade to the latest available version as soon as possible or apply the provided security patch |
| Patch status | Released |
| Workaround | Install the JetBrains-provided security patch. |
| Status | Closed |
| Last modified | 28 Mar 2024 14:10 CET |
Summary
A critical security issue was recently identified in TeamCity On-Premises. If abused, the flaw may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to perform bypass authentication checks and gain administrative control of that TeamCity server.
Recommendations
JetBrains advises On-Prem users to upgrade to the latest available version as soon as possible or install the security patch. See the references for the download links.
What we are doing
DIVD is currently working to identify vulnerable instances and notify the owners of these systems.
Timeline
| Date | Description |
|---|---|
| 08 Feb 2024 | DIVD starts researching this vulnerability. |
| 13 Feb 2024 | DIVD found a good fingerprint method |
| 14 Feb 2024 | DIVD starts scanning the internet for vulnerable instances. |
| 16 Feb 2024 | DIVD starts notifying network owners with a vulnerable instance in their network. |
| 28 Mar 2024 | DIVD sent out a second round of notifications. |
| 28 Mar 2024 | Case closed. |
gantt
title DIVD-2024-00006 - Authentication Bypass in JetBrains TeamCity
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2024-00006 - Authentication Bypass in JetBrains TeamCity (49 days) :2024-02-08, 2024-03-28
section Events
DIVD starts researching this vulnerability. : milestone, 2024-02-08, 0d
DIVD found a good fingerprint method : milestone, 2024-02-13, 0d
DIVD starts scanning the internet for vulnerable instances. : milestone, 2024-02-14, 0d
DIVD starts notifying network owners with a vulnerable instance in their network. : milestone, 2024-02-16, 0d
DIVD sent out a second round of notifications. : milestone, 2024-03-28, 0d
Case closed. : milestone, 2024-03-28, 0d