JetBrains issued a warning about a critical authentication bypass vulnerability in TeamCity, a widely used build management server, that could be exploited remotely for arbitrary code execution. Tracked as CVE-2024-23917 with a CVSS score of 9.8, the flaw affects all TeamCity On-Premises versions from 2017.1 through 2023.11.2 and was discovered on January 19, 2024. Exploiting the vulnerability could allow an unauthenticated attacker with HTTP(S) access to gain administrative control of the server. JetBrains released TeamCity On-Premises version 2023.11.3 to address the issue and also provided a security patch plugin for users unable to update their servers. TeamCity servers should be updated immediately, and those that are publicly accessible but cannot be patched should be taken offline until mitigations are applied.
Read more: https://www.securityweek.com/jetbrains-patches-critical-authentication-bypass-in-teamcity/