Two new security vulnerabilities have been uncovered in the Jetbrains Teamcity On-Premises software, which could potentially allow attackers to gain control of affected systems.
The vulnerabilities, identified as CVE-2024-27198 with a CVSS score of 9.8 and CVE-2024-27199 with a score of 7.3, impact all versions of TeamCity On-Premises up to 2023.11.3.
According to a statement from Jetbrains, these vulnerabilities could allow an unauthenticated attacker to access the Teamcity server via HTTP(s) and potentially gain administrative control over the server.
Experts from Rapid7 have pointed out that compromising the Teamcity server could enable an attacker to take full control of projects, builds, agents, and artifacts within Teamcity, making it a potential tool for supply chain attacks.
CVE-2024-27199 specifically involves authentication bypass issues, allowing the attacker to circumvent access restrictions and potentially access or modify files that are typically restricted, leading to unauthorized access to sensitive data.