Multiple vulnerabilities in TeamCity
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2019-12843 CVE-2019-12844 CVE-2019-12845 |
| CWE-ID | CWE-74 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
TeamCity Web applications / CRM systems |
| Vendor | JetBrains s.r.o. |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper Neutralization of Special Elements in Output Used by a Downstream Component
EUVDB-ID: #VU31021
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12843
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
A possible stored JavaScript injection requiring a deliberate server administrator action was detected. The issue was fixed in JetBrains TeamCity 2018.2.3.
MitigationInstall update from vendor's website.
Vulnerable software versionsTeamCity: 2018.2.1 - 2018.2.2
External linkshttp://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Neutralization of Special Elements in Output Used by a Downstream Component
EUVDB-ID: #VU31022
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12844
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
A possible stored JavaScript injection was detected on one of the JetBrains TeamCity pages. The issue was fixed in TeamCity 2018.2.3.
MitigationInstall update from vendor's website.
Vulnerable software versionsTeamCity: 2018.2.1 - 2018.2.2
External linkshttp://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU31023
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12845
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts. The issue was fixed in JetBrains TeamCity 2018.2.3.
MitigationInstall update from vendor's website.
Vulnerable software versionsTeamCity: 2018.2.1 - 2018.2.2
External linkshttp://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
