TeamCity: Incorrect assignment of rights allows rights to be extended

A security vulnerability in TeamCity allows attackers to escalate their privileges. An update is available that fixes the flaw.


Attackers can abuse a security vulnerability in TeamCity to escalate their privileges. The developers at JetBrains have released an updated version of TeamCity that corrects the underlying flaw.

Details are scarce; the manufacturer has not yet provided any further information on the vulnerability. The CVE entry says only: "In JetBrains TeamCity prior to version 2024.07.1, privilege escalation may occur due to incorrect directory permissions" (CVE-2024-43114, CVSS 7.5, risk "high").

Because the vulnerability is rated high risk, IT managers should update their JetBrains TeamCity installations to the new version as soon as possible. Version 2024.07.1 is not yet listed on the JetBrains web page of fixed security issues. However, the changelog for the updated TeamCity version mentions a total of six vulnerabilities that the update fixes.

TeamCity 2024.07.1 is available for download on the JetBrains product website. In addition to the security issues, it also fixes various other bugs, which are listed in the changelog.

IT security researchers often find vulnerabilities in TeamCity. In March, for example, the developers had to release updated software to close a security hole that could give attackers full control over TeamCity. No prior authentication was required to exploit it.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.