We fixed the issue in the 2023.05.x branch. We received the report from the Sonar team. We'd like to thank the Sonar team for discovering the issue and their collaboration on the public announcement. Both the Sonar and TeamCity teams published blog posts about the discovered vulnerabilities. After that, the issue was publicly announced on September 21, 2023.

We then notified TeamCity Enterprise customers about the issue, encouraging them to update their servers to the latest version, 2023.05.4, which can be found here. Thanks to the plugin, any customers who were unable to update to the latest TeamCity version could still apply the fix. We also created a plugin for older TeamCity versions (8.0+). On September 18, 2023, we released version 2023.05.4 that contained a fix for the issue.

We then proceeded with handling the issue. Please refer to the Sonar blog post for technical details about how the issue can be reproduced. We confirmed it to be a major security issue and stated that we had reproduced the issue and prepared a fix for it. On September 14, 2023, we reported back to Sonar. We confirmed receiving the report on the same day and proceeded with the internal investigation. If abused, the flaw could enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to perform a remote code execution (RCE) attack and gain administrative control of the TeamCity server. On September 6, 2023, we received a report from Sonar regarding a critical vulnerability issue identified in TeamCity On-Premises.

We notified all TeamCity On-Premises customers about the vulnerability. We created a plugin that works for older TeamCity versions (8.0+) and recommended installing it to all customers who could not upgrade quickly enough. The TeamCity team released the 2023.05.4 fix for the issue. A critical vulnerability issue for TeamCity On-Premises was discovered by the Sonar team.