CVE-2023-42793 Vulnerability in TeamCity: An Update
What the vulnerability is about
An unauthenticated attacker who has HTTP(S) access to a TeamCity server can exploit this vulnerability to launch a remote code execution (RCE) attack, ultimately gaining complete administrative control over the server.
Following our initial public statement and the post-mortem, we are aware that some attackers have been attempting to exploit the discovered vulnerability. To mitigate this issue, we strongly recommend that our customers update their servers to version 2023.05.4. For those users who cannot update their server quickly, we also released a plugin that can be used as a workaround.
If you haven’t updated your TeamCity server yet, please refer to the following links:
- Download the latest version (2023.05.4) or use the automatic update within TeamCity.
- Security patch plugin: for TeamCity 2018.2 to 2023.05.3 | for TeamCity 8.0 to 2018.1.
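To apply the guidance above across several servers, the following sketch sorts reported version strings into the remediation paths this post names. It is an added example, not JetBrains code; the function names, the inventory, and its hostnames and build numbers are constructed, and it assumes that patch releases such as 2018.1.5 fall under the "8.0 to 2018.1" plugin and that versions compare numerically, component by component.

```python
import re

# Boundaries taken from the post; everything else here is illustrative.
FIXED = (2023, 5, 4)        # update target: 2023.05.4
PLUGIN_NEW_MIN = (2018, 2)  # plugin for TeamCity 2018.2 to 2023.05.3
PLUGIN_OLD_MIN = (8, 0)     # plugin for TeamCity 8.0 to 2018.1


def parse_version(text):
    """Extract the first dotted version from a string and return it as an int tuple."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if match is None:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.group().split("."))


def triage(text):
    """Map one reported version string to a remediation path."""
    version = parse_version(text)
    if version >= FIXED:
        return "patched"
    if version >= PLUGIN_NEW_MIN:
        return "update, or plugin for 2018.2 to 2023.05.3"
    if version >= PLUGIN_OLD_MIN:
        return "update, or plugin for 8.0 to 2018.1"
    return "update (no plugin listed for this version)"


def triage_inventory(inventory):
    """Return {host: action} for every host that still needs work."""
    todo = {}
    for host, reported in inventory.items():
        try:
            action = triage(reported)
        except ValueError:
            action = "unknown version, check manually"
        if action != "patched":
            todo[host] = action
    return todo


# Constructed inventory: hostnames and build numbers are made up.
SAMPLE = {
    "ci-a.example": "TeamCity 2023.05.3 (build 000001)",
    "ci-b.example": "2023.11",
    "ci-c.example": "2018.1.5",
    "ci-d.example": "version string missing",
}

if __name__ == "__main__":
    for host, action in sorted(triage_inventory(SAMPLE).items()):
        print(f"{host}: {action}")
```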
Hardening your TeamCity server: best practices
Here are some additional steps you can take to harden the security of your build pipelines. These include regularly updating your TeamCity server and using strong credentials, secret management tools, predefined roles, and per-project authorization.
It is not recommended to enable Guest Login, put sensitive data in artifacts, or blindly build public pull requests.
For the full list of general best practices that can help you harden your TeamCity server security, please read this blog post: Hardening Your TeamCity Server.
We are here for you
If you have any concerns or questions about the CVE-2023-42793 vulnerability, please contact the TeamCity Support team by submitting a ticket.