Skip to the content.

DIVD-2024-00009 - Authentication Bypass in JetBrains TeamCity

Our reference DIVD-2024-00009
Case lead Alwin Warringa
Researcher(s)
CVE(s)
Products
  • JetBrains TeamCity
Versions
  • All TeamCity On-Premises versions from 2017.1 through 2023.11.3
Recommendation Upgrade to the latest available version as soon as possible or apply the provided security patch
Patch status Released
Workaround Install the JetBrains-provided security patch.
Status Closed
Last modified 28 Mar 2024 14:12 CET

Summary

A critical security issue was recently identified in TeamCity On-Premises. If abused, the flaw may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to perform bypass authentication checks and gain administrative control of that TeamCity server.

Recommendations

JetBrains advises On-Prem users to upgrade to the latest available version as soon as possible or install the security patch. See the references for the download links. If you are compromised, DIVD advises you start your incident response process immediately.

What we are doing

DIVD is currently working to identify vulnerable instances and notify the owners of these systems.

Timeline

Date Description
04 Mar 2024 DIVD starts researching this vulnerability.
05 Mar 2024 DIVD found a good fingerprint method
07 Mar 2024 DIVD starts scanning the internet for vulnerable instances.
08 Mar 2024 DIVD starts notifying network owners with a vulnerable instance in their network.
28 Mar 2024 DIVD sent out a second round of notifications.
28 Mar 2024 Case closed.
gantt title DIVD-2024-00009 - Authentication Bypass in JetBrains TeamCity dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00009 - Authentication Bypass in JetBrains TeamCity (22 days) :2024-03-06, 2024-03-28 section Events DIVD starts researching this vulnerability. : milestone, 2024-03-04, 0d DIVD found a good fingerprint method : milestone, 2024-03-05, 0d DIVD starts scanning the internet for vulnerable instances. : milestone, 2024-03-07, 0d DIVD starts notifying network owners with a vulnerable instance in their network. : milestone, 2024-03-08, 0d DIVD sent out a second round of notifications. : milestone, 2024-03-28, 0d Case closed. : milestone, 2024-03-28, 0d

More information