JetBrains is alerting customers to a critical security flaw in its TeamCity On-Premises continuous integration and continuous deployment (CI/CD) software that could be exploited by threat actors to take control of susceptible instances.
The vulnerability, tracked as CVE-2024-23917, carries a CVSS score of 9.8 out of 10, indicating its severity.
“The vulnerability may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” the company said.
The issue affects all TeamCity On-Premises versions from 2017.1 through 2023.11.2 and is addressed in version 2023.11.3. An unnamed external security researcher has been credited with discovering and reporting the flaw on January 19, 2024.
Users who are unable to update their server to version 2023.11.3 can alternatively download a security patch plugin to apply the fix for the flaw.
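As an added example (not code from JetBrains or from the original article), the following Python script decides whether an on-premises TeamCity server falls inside the affected range quoted above. It parses the version strings TeamCity reports (year.major[.patch], optionally followed by a build number), compares them as tuples so that 2023.11.2 sorts below 2023.11.3, and triages a constructed inventory of hostnames and version strings (the hostnames and build numbers are made up). The optional `fetch_server_version` helper assumes the REST endpoint `/app/rest/server/version` with Bearer-token authentication; check that against your own server's REST API documentation before relying on it.

```python
import re
import sys
import urllib.request
from typing import Optional, Tuple

# Range taken from the advisory: 2017.1 through 2023.11.2 affected, fixed in 2023.11.3.
FIRST_AFFECTED = (2017, 1, 0)
FIXED_IN = (2023, 11, 3)

# TeamCity reports versions like "2023.11.2 (build 123456)"; the build suffix is optional
# and the third (patch) component may be absent for a .0 release.
VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d{1,2})(?:\.(\d+))?(?:\s*\(build\s+\d+\))?\s*$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (year, major, patch) for a TeamCity version string, or None if unparsable.
    A missing patch component is treated as 0 so that '2023.11' == '2023.11.0'."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(text: str) -> str:
    """Classify a reported version against the CVE-2024-23917 affected range.

    Returns one of:
      'affected'       - in [2017.1, 2023.11.3): upgrade or apply the security patch plugin
      'fixed'          - 2023.11.3 or later
      'predates-range' - older than 2017.1 (not listed as affected, but long out of support)
      'unparsed'       - string did not look like a year-based TeamCity version; check by hand
    """
    v = parse_version(text)
    if v is None:
        return "unparsed"
    if v < FIRST_AFFECTED:
        return "predates-range"
    if v < FIXED_IN:
        return "affected"
    return "fixed"


def fetch_server_version(base_url: str, token: str, timeout: float = 10.0) -> str:
    """Ask a live server for its version over the REST API.

    Assumption: the endpoint /app/rest/server/version and Bearer-token auth, as documented
    for the TeamCity REST API; adjust if your deployment differs. Not exercised offline.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/app/rest/server/version",
        headers={"Authorization": f"Bearer {token}", "Accept": "text/plain"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8").strip()


# Constructed sample inventory: hostnames and build numbers are made up for illustration.
SAMPLE_INVENTORY = {
    "ci-legacy.example.internal": "2018.2.4 (build 111111)",
    "ci-main.example.internal": "2023.11.2 (build 222222)",
    "ci-new.example.internal": "2023.11.3 (build 333333)",
    "ci-ancient.example.internal": "2016.2.1",
    "ci-broken.example.internal": "N/A",
}


def triage(inventory: dict) -> dict:
    """Map each host to its classification so the result can be acted on or asserted."""
    return {host: classify(version) for host, version in inventory.items()}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python teamcity_check.py https://ci.example.internal <access-token>
        print(classify(fetch_server_version(sys.argv[1], sys.argv[2])))
    else:
        for host, status in triage(SAMPLE_INVENTORY).items():
            print(f"{host:32} {status}")
```

This is a version check only: a server that was remediated with the security patch plugin rather than upgraded will still report a version below 2023.11.3, so confirm plugin installation separately for any host classified as "affected". Servers older than 2017.1 that used the earlier single-number version scheme (for example "10.0") come out as "unparsed" and need a manual look.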
“If your server is publicly accessible on the Internet and you are unable to take one of the above mitigation steps immediately, we recommend temporarily making it inaccessible until mitigation actions are completed,” JetBrains advised.
While there is no evidence that the shortcoming has been abused in the wild, a similar flaw in the same product (CVE-2023-42793, CVSS score: 9.8) came under active exploitation last year within days of public disclosure by multiple threat actors, including ransomware gangs and state-sponsored groups affiliated with North Korea and Russia.