9.8

CVE-2023-42793

Warnung
Medienbericht
Exploit
In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
JetBrainsTeamcity Version < 2023.05.4

04.10.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

JetBrains TeamCity Authentication Bypass Vulnerability

Schwachstelle

JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 99.98% 1
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cve@jetbrains.com 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-288 Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://www.jetbrains.com/privacy-security/issues-fixed/
Vendor Advisory
http://packetstormsecurity.com/files/174860/JetBrains-TeamCity-Unauthenticated-Remote-Code-Execution.html
Third Party Advisory
Exploit
VDB Entry
https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793
Third Party Advisory
https://blog.jetbrains.com/teamcity/2023/09/cve-2023-42793-vulnerability-post-mortem/
Vendor Advisory
https://www.rapid7.com/blog/post/2023/09/25/etr-cve-2023-42793-critical-authentication-bypass-in-jetbrains-teamcity-ci-cd-servers/
Third Party Advisory
Broken Link
https://www.securityweek.com/recently-patched-teamcity-vulnerability-exploited-to-hack-servers/
Press/Media Coverage
https://www.sonarsource.com/blog/teamcity-vulnerability/
Third Party Advisory
Exploit
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-42793
US Government Resource