Important Security Notice: XSS vulnerability allowing RCE
On July 24, 2019, a security researcher reported a security vulnerability in JetBrains TeamCity. The vulnerability allows cross-site scripting (XSS) on many pages, potentially making it possible to send an arbitrary HTTP request to the TeamCity server under the name of the currently logged-in user. The vulnerability affected TeamCity versions 2019.1 and 2019.1.1. It was fixed in TeamCity 2019.1.2.
What information was compromised
This security issue affected all TeamCity installations of versions 2019.1 and 2019.1.1, possibly allowing an unauthorized person to execute code remotely.
We do not have any information to confirm whether your particular TeamCity installation was compromised or not.
What actions we’ve taken
We resolved the issue as a regular XSS on July 18, 2019, and released the build of TeamCity with the fix on July 31, 2019. We are also adding automated tests to check for this type of vulnerabilities whenever changes are deployed to the codebase.
What actions you should take
Please upgrade to the latest build from our website.
Note: if you’re using a TeamCity version older than 2019.1, you’re not affected by this particular XSS. However, from a security point of view, upgrading to 2019.1.2 is still recommended because TeamCity 2019.1 contains other security fixes.
If you have any questions, please contact our Support. Please note that because of the nature of the vulnerability, we will not be able to disclose any details of how it can be exploited as this can affect other TeamCity installations.
Subscribe to Blog updates
Thanks, we've got you!
TeamCity 2023.11: Matrix Build, Build Cache, and More
TeamCity 2023.11 is out! With this release, we’re introducing a number of highly anticipated features, including matrix builds, build caches, EC2 improvements, and more. Read on to learn more about the new features.
Meet us at AWS re:Invent 2023
TeamCity is taking part in AWS re:Invent this week! Stop by our booth to say hello and meet the team.
Power Up Your Pipelines with New Agent Types Available in TeamCity Cloud
We’re introducing new types of JetBrains build agents to TeamCity Cloud. Read on to find out more about them!