JetBrains has patched 26 security issues in its TeamCity build management and continuous integration server, and it has taken steps to reduce the risk of vulnerabilities being exploited in malicious attacks.
TeamCity 2024.03, released on March 27, patches 26 ‘security problems’, according to JetBrains. The company highlighted that it’s not sharing the details of security-related issues “to avoid compromising clients that keep using previous bugfix and/or major versions of TeamCity”.
The company did reveal, however, that TeamCity 2024.03 patches seven CVEs, including CVE-2024-31136, a high-severity flaw that can be exploited to bypass two-factor authentication by providing a specially crafted URL parameter.
The list of patched vulnerabilities also includes medium-severity issues, including an open redirect on the login page, the ability of authenticated users with non-admin privileges to register other users with self-registration disabled, and server administrators being able to remove arbitrary files from the server.
The remaining security holes that have been assigned CVE identifiers are three medium-severity cross-site scripting (XSS) bugs, which typically allow arbitrary code execution if the victim can be tricked into clicking on a specially crafted link.
JetBrains also announced the introduction of semi-automatic security updates with the release of TeamCity 2024.03. With this feature, critical security updates are automatically downloaded when they become available, but an administrator still needs to approve their installation.
“This approach helps to keep your system fortified against emerging risks and to swiftly tackle major vulnerabilities,” the company told customers.
The semi-automatic updates and the company highlighting that it’s not disclosing any vulnerability details comes a few weeks after a botched disclosure that led to a critical flaw getting exploited in the wild shortly after it was patched.
The incident involved CVE-2024-27198, a critical flaw that can be exploited by remote, unauthenticated attackers to take complete control of a TeamCity server.
Due to miscommunication between Rapid7, whose researchers discovered the security hole, and JetBrains, details of CVE-2024-27198 were made public a few hours after the vendor announced fixes. The first in-the-wild exploitation attempts were seen on the same day.
Rapid7 was concerned that JetBrains would attempt to silently patch the vulnerability and the vendor was concerned that the cybersecurity firm would disclose details too quickly. JetBrains informed customers about patches without telling Rapid7, which decided to immediately disclose details.
Hundreds of vulnerable TeamCity instances were apparently compromised, including as part of ransomware attacks.
Related: Russian Cyberspies Exploiting TeamCity Vulnerability at Scale: Government Agencies
Related: Recently Patched TeamCity Vulnerability Exploited to Hack Servers