JetBrains has released TeamCity 2024.03, addressing 26 security issues in its build management and continuous integration server, while also implementing measures to mitigate the risk of exploitation in malicious attacks. Although specifics of the security problems were not disclosed to protect users of older versions, the update resolves seven CVEs, notably CVE-2024-31136, which enables bypassing two-factor authentication. The patch also addresses medium-severity vulnerabilities such as an open redirect on the login page and cross-site scripting (XSS) bugs. Additionally, JetBrains introduced semi-automatic security updates, automatically downloading critical updates for admin approval. This follows a recent incident involving a botched disclosure of CVE-2024-27198, a critical flaw exploited shortly after patching due to miscommunication between Rapid7 and JetBrains, resulting in in-the-wild exploitation attempts.
Read more: https://www.securityweek.com/26-security-issues-patched-in-teamcity/