A critical authentication bypass vulnerability was identified in TeamCity On-Premises servers. The vulnerability may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.
A new critical security vulnerability has been discovered in TeamCity On-Premises. It has been assigned the CVE identifier CVE-2024-23917, that presents the weakness CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and can be exploited in remote code execution attacks that don’t require user interaction. All versions of TeamCity On-Premises from 2017.1 through 2023.11.2 are affected by this critical security vulnerability. TeamCity Cloud servers have already been patched. It is strongly advised all TeamCity On-Premises users to update their servers to 2023.11.3 to eliminate the vulnerability. Users who cannot immediately upgrade can also use a security patch plugin to secure servers running TeamCity 2018.2+ and TeamCity 2017.1, 2017.2, and 2018.1.
Before installation of the software, please visit the software vendor web-site for more details.
Download the latest version (2023.11.3) or use the automatic update option within TeamCity.
The information provided herein is on an “as is” basis, without warranty of any kind.