Important Security Notice: XSS vulnerability allowing RCE
On July 24, 2019, a security researcher reported a security vulnerability in JetBrains TeamCity. The vulnerability allows cross-site scripting (XSS) on many pages, potentially making it possible to send an arbitrary HTTP request to the TeamCity server under the name of the currently logged-in user. The vulnerability affected TeamCity versions 2019.1 and 2019.1.1. It was fixed in TeamCity 2019.1.2.
What information was compromised
This security issue affected all TeamCity installations of versions 2019.1 and 2019.1.1, possibly allowing an unauthorized person to execute code remotely.
We do not have any information to confirm whether your particular TeamCity installation was compromised or not.
What actions we’ve taken
We resolved the issue as a regular XSS on July 18, 2019, and released the build of TeamCity with the fix on July 31, 2019. We are also adding automated tests to check for this type of vulnerabilities whenever changes are deployed to the codebase.
What actions you should take
Please upgrade to the latest build from our website.
Note: if you’re using a TeamCity version older than 2019.1, you’re not affected by this particular XSS. However, from a security point of view, upgrading to 2019.1.2 is still recommended because TeamCity 2019.1 contains other security fixes.
If you have any questions, please contact our Support. Please note that because of the nature of the vulnerability, we will not be able to disclose any details of how it can be exploited as this can affect other TeamCity installations.