JetBrains is advising instant patching of two new vulnerabilities affecting its TeamCity software program, a CI/CD pipeline software that may permit attackers to achieve unauthenticated administrative entry.
Tracked beneath CVE-2024-27198 and CVE-2024-27199, the vital bugs have already been mounted inside TeamCity cloud servers with an on-premises patch accessible with model 2023.11.4.
“The vulnerabilities might allow an unauthenticated attacker with HTTP(S) entry to a TeamCity server to bypass authentication checks and acquire administrative management of that TeamCity server,” JetBrains mentioned in a weblog put up on the difficulty. “The vulnerabilities have an effect on all TeamCity On-Premises variations via 2023.11.3.”
TeamCity is a broadly used software for managing CI/CD pipelines, the continual means of constructing, deploying, and testing software program codes, adopted by a spread of worldwide manufacturers together with Tesla, McAfee, Samsung, Nvidia, HP, and Motorola.
Vital server jacking bugs
The bugs had been first reported to JetBrains by Rapid7 as two new vital TeamCity on-premises flaws that might permit attackers to achieve administrative management of the TeamCity server. They had been subsequently assigned excessive CVSS base scores of 9.8/10 (CVE-2024-27198) and seven.5/10 (CVE-2024-27199).
Whereas each JetBrains and Rapid7 have but to reveal the technical particulars of how precisely the vulnerabilities could be exploited, a full disclosure is predicted shortly.
