The bugs can be used to gain administrative control over TeamCity's on-premises service, allowing software supply chain attacks.

JetBrains is advising immediate patching of two new vulnerabilities in its TeamCity software, a CI/CD pipeline tool, that could allow attackers to gain unauthenticated administrative access. Tracked as CVE-2024-27198 and CVE-2024-27199, the critical bugs have already been fixed in TeamCity Cloud, and an on-premises fix is available in version 2023.11.4.

“The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” JetBrains said in a blog post on the issue. “The vulnerabilities affect all TeamCity On-Premises versions through 2023.11.3.”

TeamCity is a widely used tool for managing CI/CD pipelines, the continuous process of building, deploying, and testing software code, and has been adopted by a range of global brands including Tesla, McAfee, Samsung, Nvidia, HP, and Motorola.

Critical server jacking bugs

The bugs were first reported to JetBrains by Rapid7 as two new critical TeamCity on-premises flaws that could allow attackers to gain administrative control of the TeamCity server. They were subsequently assigned high CVSS base scores of 9.8/10 (CVE-2024-27198) and 7.5/10 (CVE-2024-27199).

While neither JetBrains nor Rapid7 has yet disclosed the technical details of how exactly the vulnerabilities can be exploited, a full disclosure is expected shortly. “Rapid7 originally identified and reported these vulnerabilities to us and has chosen to adhere strictly to its own vulnerability disclosure policy,” JetBrains said in the post.
“This means that their team will publish full technical details of these vulnerabilities and their replication steps within 24 hours of this notice.”

The company added that it typically withholds technical details of vulnerabilities after a release to ensure effective mitigation, but has been forced to urge customers to patch immediately because Rapid7 stands to accelerate the timeline with its technical disclosure. JetBrains confirmed that no TeamCity Cloud servers were attacked before the patches were applied.

On-premise patches rolled out

JetBrains has listed two options for protecting TeamCity on-premises servers against these vulnerabilities. The standard option is to update the server to the latest version, 2023.11.4, either by downloading the update from a dedicated link or by using the automatic update option within TeamCity. Alternatively, users can apply a targeted security patch plugin, which fixes only these two vulnerabilities without the other components of the version update. A link to this plugin is provided in the blog post.

TeamCity is a crucial DevOps tool for software development and has been a popular APT target in recent times. An RCE flaw in the tool was reported to have been actively exploited in 2023 by Midnight Blizzard, the notorious Russian APT behind the 2020 SolarWinds hack.
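Because the advisory defines the affected range purely by version (everything through 2023.11.3, fixed in 2023.11.4), the first thing an administrator wants is a reliable version comparison. The following added example, written for this article and not code from JetBrains or Rapid7, parses the version string TeamCity reports and classifies it; the `/app/rest/server` response shape and the build number in the sample are assumptions, and the sample XML is constructed.

```python
"""Classify a TeamCity On-Premises version string against the advisory range
for CVE-2024-27198 / CVE-2024-27199: all versions through 2023.11.3 are
affected; 2023.11.4 carries the fix."""
import re
from xml.etree import ElementTree

FIXED_VERSION = (2023, 11, 4)  # first on-premises release with the fix


def parse_version(text: str) -> tuple:
    """Extract the numeric version from strings such as
    '2023.11.3 (build 147512)' or '2022.10' and return it as an int tuple.
    Short versions are zero-padded so that 2022.10 sorts as 2022.10.0."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version_text: str) -> bool:
    """True when the reported version is older than the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def version_from_server_xml(xml_text: str) -> str:
    """Read the 'version' attribute from a server-info XML document.
    Assumption: the document's root element carries version="..."."""
    root = ElementTree.fromstring(xml_text)
    return root.attrib["version"]


# Constructed sample, modelled on a TeamCity REST server-info response.
SAMPLE_XML = (
    '<server version="2023.11.3 (build 147512)" '
    'versionMajor="2023" versionMinor="11" buildNumber="147512"/>'
)

if __name__ == "__main__":
    reported = version_from_server_xml(SAMPLE_XML)
    status = "AFFECTED - update or apply plugin" if is_affected(reported) else "fixed"
    print(f"TeamCity {reported}: {status}")
```

A server patched with the targeted security plugin keeps reporting its old version number, so a version check alone cannot tell a plugin-patched 2023.11.3 server from an unpatched one; confirm the plugin's presence separately before treating such a server as vulnerable.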