On September 6, 2023, a critical vulnerability in TeamCity On-Premises (CVE-2023-42793) was discovered by the Sonar team. TeamCity Cloud was not affected.
What the vulnerability is about
An unauthenticated attacker with HTTP(S) access to a TeamCity server can exploit this vulnerability to achieve remote code execution (RCE) and ultimately gain complete administrative control over the server.
Vulnerability exploitation
Since our initial public statement and the post-mortem, we have become aware that some attackers are attempting to exploit this vulnerability. To mitigate it, we strongly recommend that customers update their servers to version 2023.05.4. For users who cannot update quickly, we have also released a security patch plugin that can be used as a workaround.
If you haven’t updated your TeamCity server yet, please refer to the following links:
- Download the latest version (2023.05.4) or use the automatic update within TeamCity.
- Security patch plugin, available in two variants: one for TeamCity 2018.2 to 2023.05.3, and one for TeamCity 8.0 to 2018.1.
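As an added example (not code from JetBrains or from this post), the following Python function applies the remediation guidance above to a server's version string, as shown in the TeamCity UI footer or, an assumption here, as returned by the REST `/app/rest/server` endpoint, and reports whether the server is fixed, which plugin variant applies, or whether neither is listed.

```python
import re
from typing import Tuple

# Remediation outcomes taken from the guidance in this post.
FIXED = "fixed: 2023.05.4 or later"
PLUGIN_2018_2_TO_2023_05_3 = "install the security patch plugin for 2018.2 to 2023.05.3"
PLUGIN_8_0_TO_2018_1 = "install the security patch plugin for 8.0 to 2018.1"
UNSUPPORTED = "older than 8.0: no plugin listed, upgrade to 2023.05.4"

FIXED_VERSION = (2023, 5, 4)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a TeamCity version string such as '2023.05.3 (build 12345)',
    '2018.1' or '8.0' into a comparable (major, minor, bugfix) tuple.
    The build number and any trailing suffix are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version: {text!r}")
    major, minor, bugfix = m.groups()
    return int(major), int(minor), int(bugfix or 0)


def remediation(text: str) -> str:
    """Return the remediation this post prescribes for the given server version."""
    v = parse_version(text)
    if v >= FIXED_VERSION:
        return FIXED
    # Everything below is older than 2023.05.4. The plugin ranges in the post
    # name only major.minor, so bugfix releases inside a range (e.g. 2018.1.5)
    # are matched on (major, minor) alone.
    if (2018, 2) <= v[:2] <= (2023, 5):
        return PLUGIN_2018_2_TO_2023_05_3
    if (8, 0) <= v[:2] <= (2018, 1):
        return PLUGIN_8_0_TO_2018_1
    return UNSUPPORTED


if __name__ == "__main__":
    # Constructed sample version strings, not taken from real servers.
    for sample in ("2023.05.4 (build 12345)", "2023.05.3", "2018.1.5", "8.0", "7.1"):
        print(f"{sample:28} -> {remediation(sample)}")
```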
Hardening your TeamCity server: best practices
Here are some additional steps you can take to harden the security of your build pipelines. They include regularly updating your TeamCity server, using strong credentials and a secret management tool, assigning predefined roles, and using per-project authorization.
It is not recommended to enable Guest Login, put sensitive data in artifacts, or blindly build public pull requests.
For the full list of general best practices that can help you harden your TeamCity server security, please read this blog post: Hardening Your TeamCity Server.
We are here for you
If you have any concerns or questions about the CVE-2023-42793 vulnerability, please contact the TeamCity Support team by submitting a ticket.