SB2019070311 - Multiple vulnerabilities in TeamCity

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019070311

SB2019070311 - Multiple vulnerabilities in TeamCity

Published: July 3, 2019 Updated: July 17, 2020

Security Bulletin ID SB2019070311
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2019-12843)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

A possible stored JavaScript injection requiring a deliberate server administrator action was detected. The issue was fixed in JetBrains TeamCity 2018.2.3.


2) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2019-12844)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

A possible stored JavaScript injection was detected on one of the JetBrains TeamCity pages. The issue was fixed in TeamCity 2018.2.3.


3) Input validation error (CVE-ID: CVE-2019-12845)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts. The issue was fixed in JetBrains TeamCity 2018.2.3.


Remediation

Install update from vendor's website.

References