Summary
- A critical security vulnerability was identified in TeamCity On-Premises (initially discovered and reported by an external security researcher on January 19, 2024).
- This critical security vulnerability has been assigned the CVE identifier CVE-2024-23917 and presents the weakness CWE-288.
- The vulnerability may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.
- The vulnerability affects all TeamCity On-Premises versions from 2017.1 through 2023.11.2.
- It has been fixed in version 2023.11.3.
- We encourage all users to update their servers to the latest version.
- For those who are unable to do so, we have released a security patch plugin (details below).
- TeamCity Cloud servers have already been patched, and we have verified that they weren’t attacked.
Details
A new critical security vulnerability, first identified on January 19, 2024, has been discovered in TeamCity On-Premises. If abused, the flaw may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.
All versions of TeamCity On-Premises from 2017.1 through 2023.11.2 are affected by this critical security vulnerability. It has been assigned the CVE identifier CVE-2024-23917 and presents the weakness CWE-288 (Authentication Bypass Using an Alternate Path or Channel). TeamCity Cloud servers have already been patched, and we have verified that they weren’t attacked.
We have fixed this vulnerability in version 2023.11.3 and have already notified our customers. We will also release additional technical details of the vulnerability shortly. In the meantime, we strongly advise all TeamCity On-Premises users to update their servers to 2023.11.3 to eliminate the vulnerability.
To update your server, download the latest version (2023.11.3) or use the automatic update option within TeamCity.
If you are unable to update your server to version 2023.11.3, we have also released a security patch plugin so that you can still patch your environment. The security patch plugin can be downloaded using the link below and installed on TeamCity versions 2017.1 through 2023.11.2. It will patch the vulnerability described above.
Security patch plugin: TeamCity 2018.2+ | TeamCity 2017.1, 2017.2, and 2018.1
See the TeamCity plugin installation instructions for information on installing the plugin.
The security patch plugin will only address the vulnerability described above. We always recommend upgrading your server to the latest version to benefit from many other security updates.
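As an added example (not JetBrains code), the following inventory triage helper applies the version ranges stated in this advisory to a list of server versions. The function names, result strings and sample inventory are assumptions constructed for illustration; version strings are expected to come from your own asset records.

```python
import re

# Boundaries taken from the advisory text; everything else is an assumption.
FIRST_AFFECTED = (2017, 1, 0)   # "from 2017.1"
FIXED_IN = (2023, 11, 3)        # "fixed in version 2023.11.3"
PLUGIN_SPLIT = (2018, 2, 0)     # "2018.2+" package vs "2017.1, 2017.2, and 2018.1"

# Strict form only: YEAR.MINOR or YEAR.MINOR.PATCH. Anything else (EAP tags,
# build suffixes, typos) is reported as unknown instead of being guessed at.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch) as ints; a missing patch counts as 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def triage(version_text):
    """Classify one TeamCity On-Premises version against the advisory."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown: check manually"
    if version >= FIXED_IN:
        return "fixed"
    if version < FIRST_AFFECTED:
        return "outside advisory range"
    # A version string cannot show whether the patch plugin is already
    # installed, so affected servers still need a manual plugin check.
    package = "2018.2+" if version >= PLUGIN_SPLIT else "2017.1/2017.2/2018.1"
    return f"affected: upgrade to 2023.11.3 or install the {package} patch plugin"


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = {
        "ci-prod": "2023.11.2",
        "ci-legacy": "2018.1.5",
        "ci-new": "2023.11.3",
        "ci-lab": "2024.03 EAP",
    }
    for host, version in inventory.items():
        print(f"{host:10} {version:12} {triage(version)}")
```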
If your server is publicly accessible over the internet and you are unable to take one of the above mitigation steps immediately, we recommend temporarily making it inaccessible until mitigation actions have been completed.
A complete list of recently fixed security issues is available on the Fixed security issues page on the JetBrains website. You can also subscribe to receive notifications about fixes in all JetBrains products via email.
Frequently asked questions
Which versions are affected?
All versions from 2017.1 through 2023.11.2 are affected by this issue. The issue has been patched in 2023.11.3. We recommend upgrading as soon as possible.
Is TeamCity Cloud affected?
TeamCity Cloud servers have already been patched and we have verified that they weren’t attacked.
Is it possible to backport the fix to our version?
We are not considering backports at this point. Please keep in mind that the plugin we have released mitigates this issue and is compatible with TeamCity 2017.1+.
Support
If you have any questions regarding this issue or encounter problems upgrading, please get in touch with the TeamCity Support team by submitting a ticket.