Critical Security Issue Affecting TeamCity On-Premises – Update to 2023.05.4 Now
- A critical security issue was recently identified in TeamCity On-Premises (initially discovered and reported to us by the team at Sonar).
- This critical security vulnerability has been assigned the CVE identifier CVE-2023-42793 and corresponds to weakness class CWE-288 (Authentication Bypass Using an Alternate Path or Channel).
- The vulnerability may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to perform a remote code execution (RCE) attack and gain administrative control of the TeamCity server.
- This vulnerability has been fixed in version 2023.05.4.
- We encourage all users to update their servers to the latest version.
- For those who are unable to do so, we have released a security patch plugin (details below).
A critical security issue was recently identified in TeamCity On-Premises. If abused, the flaw may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to perform a remote code execution (RCE) attack and gain administrative control of the TeamCity server.
All versions of TeamCity On-Premises prior to 2023.05.4 are affected by this critical security vulnerability. It has been assigned the CVE identifier CVE-2023-42793 and corresponds to weakness class CWE-288 (Authentication Bypass Using an Alternate Path or Channel). This issue does not impact TeamCity Cloud, and we have already upgraded TeamCity Cloud servers to the latest version.
We have fixed this vulnerability in version 2023.05.4, and have already notified our customers. We will also be releasing additional technical details of the vulnerability soon. In the meantime, we strongly advise all users of TeamCity On-Premises to update their servers to 2023.05.4 to mitigate the issue.
If you are unable to update your server to version 2023.05.4, we have also released a security patch plugin so that you can still patch your environment. The security patch plugin can be downloaded using one of the links below and installed on TeamCity 8.0+. It will patch the specific RCE vulnerability described above. For TeamCity 2019.2 and later, the plugin can be enabled without restarting the TeamCity server. For versions older than 2019.2, a server restart is required after the plugin has been installed.
See TeamCity plugin installation instructions for information on installing these plugins.
Important: The security patch plugin will only address the RCE vulnerability described above. We always recommend users upgrade their servers to the latest version to benefit from many other security updates.
If your server is publicly accessible over the internet and you are unable to perform one of the above mitigation steps immediately, we recommend temporarily making it inaccessible until mitigation actions have been completed.
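The guidance above boils down to three version thresholds: servers older than 2023.05.4 are affected, the security patch plugin supports 8.0 and later, and servers older than 2019.2 need a restart after the plugin is installed. The following is an added example (not JetBrains code, not part of the original advisory) that encodes exactly those thresholds so an inventory of server version strings can be triaged consistently. It assumes you already have each server's version string (for instance from the version shown in the server's own UI); how you collect it is outside the example, and the host names and versions in the sample inventory are constructed.

```python
# Added example (not JetBrains code): version triage for CVE-2023-42793.
# It encodes only the thresholds stated in the advisory above:
#   - fixed in 2023.05.4 (everything older is affected)
#   - security patch plugin supports 8.0 and later
#   - plugin needs a server restart on versions older than 2019.2
# The version string is assumed to be collected separately (e.g. from the
# server's own version display); obtaining it is outside this example.
import re
from typing import NamedTuple, Tuple

FIXED_VERSION = "2023.05.4"
PLUGIN_MIN_VERSION = "8.0"
NO_RESTART_FROM_VERSION = "2019.2"


class Triage(NamedTuple):
    version: str
    affected: bool
    plugin_supported: bool
    restart_required: bool
    action: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the leading dotted numeric part of a TeamCity version string.

    Accepts forms like "2023.05.4", "2022.10", "9.1.7" and
    "2023.05.4 (build 129421)"; anything after the numbers is ignored.
    """
    match = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised TeamCity version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b.

    Missing trailing components are treated as zero, so "2023.05"
    compares as "2023.05.0" and is therefore older than "2023.05.4".
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def triage(version: str, internet_exposed: bool = False) -> Triage:
    """Map a server version to the mitigation the advisory recommends."""
    affected = version_lt(version, FIXED_VERSION)
    plugin_supported = not version_lt(version, PLUGIN_MIN_VERSION)
    restart_required = version_lt(version, NO_RESTART_FROM_VERSION)

    if not affected:
        action = "not affected by CVE-2023-42793; no action required"
    elif plugin_supported:
        action = (
            f"upgrade to {FIXED_VERSION}; if that is not possible, install the "
            "security patch plugin"
            + (" and restart the server" if restart_required else " (no restart needed)")
        )
    else:
        action = (
            f"upgrade to {FIXED_VERSION}; the security patch plugin does not "
            f"support versions older than {PLUGIN_MIN_VERSION}"
        )
    if affected and internet_exposed:
        action += "; make the server unreachable from the internet until this is done"

    return Triage(version, affected, plugin_supported, restart_required, action)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {
        "build-01": "2023.05.4 (build 129421)",
        "build-02": "2023.05.3",
        "legacy-ci": "2018.2.4",
        "museum": "7.1.5",
    }
    for host, ver in inventory.items():
        t = triage(ver, internet_exposed=(host == "build-02"))
        print(f"{host:10} {ver:28} affected={t.affected} -> {t.action}")
```

The comparison pads short version strings with zeros rather than comparing them lexically, which matters here because "2022.10" must sort after "2022.4" and "2023.05" must sort before "2023.05.4".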
A complete list of recently fixed security issues is available on the Fixed security issues page on the JetBrains website. You can also subscribe to receive notifications about fixes in all JetBrains products via email.
Frequently asked questions
Which versions are affected?
All versions prior to the patched version (2023.05.4) are affected by the issue. We recommend upgrading as soon as possible.
Is TeamCity Cloud affected?
This issue does not impact TeamCity Cloud, and we have already upgraded TeamCity Cloud servers to the latest version.
Is it possible to backport the fix to our version?
We are not considering backports at this point. Please keep in mind that the plugin we have released mitigates this issue and is compatible with TeamCity 8.0+.
If you have any questions regarding this issue or encounter problems upgrading, please get in touch with the TeamCity Support team by submitting a ticket.