SB2019100134 - Multiple vulnerabilities in TeamCity

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019100134

SB2019100134 - Multiple vulnerabilities in TeamCity

Published: October 1, 2019 Updated: August 8, 2020

Security Bulletin ID SB2019100134
Severity
High
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 17% Medium 67% Low 17%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) OS Command Injection (CVE-ID: CVE-2019-15036)

The vulnerability allows a remote privileged user to execute arbitrary code.

An issue was discovered in JetBrains TeamCity 2018.2.4. A TeamCity Project administrator could execute any command on the server machine. The issue was fixed in TeamCity 2018.2.5 and 2019.1.


2) Cross-site scripting (CVE-ID: CVE-2019-15037)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An issue was discovered in JetBrains TeamCity 2018.2.4. It had several XSS vulnerabilities on the settings pages. The issues were fixed in TeamCity 2019.1.


3) Information disclosure (CVE-ID: CVE-2019-15035)

The vulnerability allows a remote privileged user to gain access to sensitive information.

An issue was discovered in JetBrains TeamCity 2018.2.4. A TeamCity Project administrator could get access to potentially confidential server-level data. The issue was fixed in TeamCity 2018.2.5 and 2019.1.


4) Improper Certificate Validation (CVE-ID: CVE-2019-15042)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An issue was discovered in JetBrains TeamCity 2018.2.4. It had no SSL certificate validation for some external https connections. This was fixed in TeamCity 2019.1.


5) Input validation error (CVE-ID: CVE-2019-15038)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

An issue was discovered in JetBrains TeamCity 2018.2.4. The TeamCity server was not using some security-related HTTP headers. The issue was fixed in TeamCity 2019.1.


6) Input validation error (CVE-ID: CVE-2019-15039)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An issue was discovered in JetBrains TeamCity 2018.2.4. It had a possible remote code execution issue. This was fixed in TeamCity 2019.1.


Remediation

Install update from vendor's website.

References