CVE-2023-42793: Critical Authentication Bypass in JetBrains TeamCity CI/CD Servers

Last updated at Mon, 02 Oct 2023 20:31:32 GMT

On September 20, 2023, JetBrains disclosed CVE-2023-42793, a critical authentication bypass vulnerability in on-premises instances of their TeamCity CI/CD server. Successful exploitation of CVE-2023-42793 allows an unauthenticated attacker with HTTP(S) access to a TeamCity server to perform a remote code execution attack and gain administrative control of the server — making the vulnerability a potential supply chain attack vector.

As of September 25, 2023, Rapid7 is not aware of in-the-wild exploitation of CVE-2023-42793. We still recommend, however, that TeamCity customers upgrade to the fixed version (2023.05.4) immediately, or else apply one of the vulnerability-specific patches outlined in the JetBrains advisory. Customers who are unable to upgrade or apply a targeted fix for CVE-2023-42793 should consider taking the server offline until the vulnerability can be mitigated.

Rapid7 has a full technical analysis of CVE-2023-42793 in AttackerKB. Our team has confirmed the vulnerability is trivially exploitable without authentication.

Affected Products

CVE-2023-42793 affects all on-prem versions of JetBrains TeamCity prior to 2023.05.4. TeamCity Cloud is not affected, and according to JetBrains, TeamCity Cloud servers have already been upgraded to the latest version.

Mitigation Guidance

JetBrains notes in their advisory that vulnerability-specific security patch plugins (i.e., hot fixes) are available as a temporary workaround for TeamCity customers who are not able to upgrade to 2023.05.4. The plugins are supported on TeamCity 8.0+ and will mitigate CVE-2023-42793 specifically, but will not address any other security issues or bugs that are included in the full 2023.05.4 upgrade.

Security patch plugins:

• TeamCity 2018.2 to 2023.05.3
• TeamCity 8.0 to 2018.1
  

For TeamCity 2019.2 and later, the plugin can be enabled without restarting the TeamCity server. For versions older than 2019.2, a server restart is required after the plugin has been installed. TeamCity customers should refer to the JetBrains advisory on CVE-2023-42793 for the latest information.

Rapid7 strongly recommends upgrading to the fixed version of the software (2023.05.4) as soon as possible rather than relying solely on workarounds.

Rapid7 Customers

InsightVM and Nexpose customers can assess their exposure to CVE-2023-42793 with a remote vulnerability check in the September 25 content release.

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2023-42793 on Windows systems with an authenticated vulnerability check targeted for today’s (September 27th) content release.

Updates

October 2, 2023: CVE-2023-42793 is reportedly being exploited in the wild.