#VU58010 Insecure Inherited Permissions in TeamCity


Published: 2021-11-08

Vulnerability identifier: #VU58010

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43201

CWE-ID: CWE-277

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
TeamCity
Web applications / CRM systems

Vendor: JetBrains s.r.o.

Description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to an error that causes a newly created project to inherit settings from a deleted project.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

TeamCity: 2017.1 - 2021.1.2

External links
http://blog.jetbrains.com/blog/2021/11/08/jetbrains-security-bulletin-q3-2021

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in JetBrains TeamCity