JetBrains is alerting customers to a critical security flaw in its TeamCity On-Premises continuous integration and continuous delivery (CI/CD) software that could be exploited by threat actors to take control of sensitive instances.
Vulnerability, tracked as CVE-2024-23917it has a CVSS score of 9.8 out of 10, indicative of its severity.
“The vulnerability could allow an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication controls and gain administrative control of that TeamCity server,” the company said.
The issue affects all versions of TeamCity On-Premises from 2017.1 to 2023.11.2. It is fixed in version 2023.11.3. An anonymous external security researcher was credited with discovering and reporting the flaw on January 19, 2024.
Users who are unable to update their servers to version 2023.11.3 can alternatively download a security patch plugin to apply fixes to the flaw.
“If your server is publicly accessible on the Internet and you are unable to immediately perform any of the above mitigation measures, we recommend that you make it temporarily inaccessible until the mitigation actions are complete,” JetBrains advised.
While there is no evidence that the vulnerability was misused, a similar flaw in the same product (CVE-2023-42793, CVSS score: 9.8) was actively exploited last year within days of the public disclosure by of multiple threat actors, Including ransomware gangs and state-sponsored groups affiliated with North Korea and Russia.