JetBrains is advising rapid patching of two new vulnerabilities affecting its TeamCity CI/CD pipeline software that may allow attackers to gain unauthenticated administrative access.
Tracked as CVE-2024-27198 and CVE-2024-27199, the critical bugs have already been fixed in TeamCity Cloud servers, with an on-premises patch available in version 2023.11.4.
“The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” JetBrains said in a blog post on the issue. “The vulnerabilities affect all TeamCity On-Premises versions through 2023.11.3.”
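Since the fix is only available to on-premises installations through an upgrade, the first defensive step is to find every TeamCity server in an inventory still running a version below 2023.11.4. The following Python script is an added example written for this article, not code from JetBrains or Rapid7; it assumes versions are recorded as TeamCity's year.month[.patch] strings (a trailing "(build NNN)" suffix, if present, is ignored) and compares them numerically so that 2023.11.10 is correctly treated as newer than 2023.11.4, which a plain string comparison would get wrong.

```python
import re

# Fixed version per the JetBrains advisory: all on-premises versions
# through 2023.11.3 are affected by CVE-2024-27198 and CVE-2024-27199.
FIXED_VERSION = (2023, 11, 4)

# Leading year.month with an optional patch number; anything after that
# (e.g. a build-number suffix, an assumption about how some inventories
# record versions) is ignored.
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '2023.11.3' into (2023, 11, 3); '2023.11' becomes (2023, 11, 0)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_vulnerable(version: str) -> bool:
    """True when an on-premises server runs a version below the fixed 2023.11.4."""
    return parse_version(version) < FIXED_VERSION


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a {hostname: version} inventory into hosts needing the patch,
    hosts already on a fixed version, and hosts whose version could not be
    parsed (listed so they are reviewed rather than silently skipped)."""
    result: dict[str, list[str]] = {"patch_required": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "patch_required" if is_vulnerable(version) else "fixed"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "ci-build-01.example.internal": "2023.11.3",
        "ci-build-02.example.internal": "2023.11.4",
        "ci-legacy.example.internal": "2022.10",
        "ci-new.example.internal": "2023.11.10",
        "ci-odd.example.internal": "unknown",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The "unknown" bucket is deliberate: a host whose version cannot be read is more likely to be an unmanaged or forgotten server than a patched one, so it belongs on the review list rather than being dropped.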
TeamCity is a widely used tool for managing CI/CD pipelines, the continuous process of building, deploying, and testing software code, adopted by a range of global brands including Tesla, McAfee, Samsung, Nvidia, HP, and Motorola.
Critical server hijacking bugs
The bugs were first reported to JetBrains by Rapid7 as two new critical TeamCity on-premises flaws that could allow attackers to gain administrative control of the TeamCity server. They were subsequently assigned high CVSS base scores of 9.8/10 (CVE-2024-27198) and 7.5/10 (CVE-2024-27199).
While both JetBrains and Rapid7 have yet to disclose the technical details of how exactly the vulnerabilities can be exploited, a full disclosure is expected shortly.