JetBrains TeamCity


Known Exploited JetBrains TeamCity Vulnerabilities

The following JetBrains TeamCity vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

| Title | Description | Added |
|-------|-------------|-------|
| JetBrains TeamCity Authentication Bypass Vulnerability | JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions. CVE-2024-27198 | March 7, 2024 |
| JetBrains TeamCity Authentication Bypass Vulnerability | JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server. CVE-2023-42793 | October 4, 2023 |

By the Year

In 2024 there have been 9 vulnerabilities in JetBrains TeamCity with an average score of 6.5 out of ten. Last year TeamCity had 35 security vulnerabilities published. Right now, TeamCity is on track to have fewer security vulnerabilities in 2024 than it did last year. However, the average CVE base score of the vulnerabilities in 2024 is greater by 0.14.

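| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2024 | 9 | 6.50 |
| 2023 | 35 | 6.36 |
| 2022 | 29 | 6.64 |
| 2021 | 37 | 6.52 |
| 2020 | 18 | 5.84 |
| 2019 | 20 | 6.48 |
| 2018 | 0 | 0.00 |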

It may take a day or so for new TeamCity vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent JetBrains TeamCity Security Vulnerabilities

In JetBrains TeamCity before 2024.03 XSS was possible

CVE-2024-31138 5.4 - Medium - March 28, 2024

In JetBrains TeamCity before 2024.03 XSS was possible via Agent Distribution settings

XSS

In JetBrains TeamCity before 2024.03 reflected XSS was possible

CVE-2024-31137 6.1 - Medium - March 28, 2024

In JetBrains TeamCity before 2024.03 reflected XSS was possible via Space connection configuration

XSS

In JetBrains TeamCity before 2024.03 open redirect was possible on the login page

CVE-2024-31135 6.1 - Medium - March 28, 2024

In JetBrains TeamCity before 2024.03 open redirect was possible on the login page

Open Redirect

In JetBrains TeamCity before 2023.11.4 authentication bypass

CVE-2024-27198 9.8 - Critical - March 04, 2024

In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible

In JetBrains TeamCity before 2023.11.3 path traversal

CVE-2024-24942 5.3 - Medium - February 06, 2024

In JetBrains TeamCity before 2023.11.3 path traversal allowed reading data within JAR archives

Directory traversal

In JetBrains TeamCity before 2023.11.2 limited directory traversal was possible in the Kotlin DSL documentation

CVE-2024-24938 5.3 - Medium - February 06, 2024

In JetBrains TeamCity before 2023.11.2 limited directory traversal was possible in the Kotlin DSL documentation

Directory traversal

In JetBrains TeamCity before 2023.11.2 stored XSS

CVE-2024-24937 5.4 - Medium - February 06, 2024

In JetBrains TeamCity before 2023.11.2 stored XSS via agent distribution was possible

XSS

In JetBrains TeamCity before 2023.11.2 access control at the S3 Artifact Storage plugin endpoint was missed

CVE-2024-24936 5.3 - Medium - February 06, 2024

In JetBrains TeamCity before 2023.11.2 access control at the S3 Artifact Storage plugin endpoint was missed

In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible

CVE-2024-23917 9.8 - Critical - February 06, 2024

In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible

Missing Authentication for Critical Function

In JetBrains TeamCity before 2023.11.1 a CSRF on login was possible

CVE-2023-50870 8.8 - High - December 15, 2023

In JetBrains TeamCity before 2023.11.1 a CSRF on login was possible

Session Riding

In JetBrains TeamCity before 2023.05.4 stored XSS was possible during nodes configuration

CVE-2023-43566 5.4 - Medium - September 19, 2023

In JetBrains TeamCity before 2023.05.4 stored XSS was possible during nodes configuration

XSS

In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible

CVE-2023-42793 9.8 - Critical - September 19, 2023

In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible

Authentication Bypass Using an Alternate Path or Channel

In JetBrains TeamCity before 2023.05.3 reflected XSS was possible during user registration

CVE-2023-41250 6.1 - Medium - August 25, 2023

In JetBrains TeamCity before 2023.05.3 reflected XSS was possible during user registration

XSS

In JetBrains TeamCity before 2023.05.3 reflected XSS was possible during copying Build Step

CVE-2023-41249 6.1 - Medium - August 25, 2023

In JetBrains TeamCity before 2023.05.3 reflected XSS was possible during copying Build Step

XSS

In JetBrains TeamCity before 2023.05.3 stored XSS was possible during Cloud Profiles configuration

CVE-2023-41248 5.4 - Medium - August 25, 2023

In JetBrains TeamCity before 2023.05.3 stored XSS was possible during Cloud Profiles configuration

XSS

In JetBrains TeamCity before 2023.05.2 reflected XSS

CVE-2023-39175 6.1 - Medium - July 25, 2023

In JetBrains TeamCity before 2023.05.2 reflected XSS via GitHub integration was possible

XSS

In JetBrains TeamCity before 2023.05.2 a ReDoS attack was possible

CVE-2023-39174 7.5 - High - July 25, 2023

In JetBrains TeamCity before 2023.05.2 a ReDoS attack was possible via integration with issue trackers

ReDoS

In JetBrains TeamCity before 2023.05.2 a token with limited permissions could be used to gain full account access

CVE-2023-39173 8.8 - High - July 25, 2023

In JetBrains TeamCity before 2023.05.2 a token with limited permissions could be used to gain full account access

Incorrect Privilege Assignment

In JetBrains TeamCity before 2023.05.1 parameters of the "password" type could be shown in the UI in certain composite build configurations

CVE-2023-38062 6.5 - Medium - July 12, 2023

In JetBrains TeamCity before 2023.05.1 parameters of the "password" type could be shown in the UI in certain composite build configurations

In JetBrains TeamCity before 2023.05.1 stored XSS when using a custom theme was possible

CVE-2023-38061 5.4 - Medium - July 12, 2023

In JetBrains TeamCity before 2023.05.1 stored XSS when using a custom theme was possible

XSS

In JetBrains TeamCity before 2023.05.1 build parameters of the "password" type could be written to the agent log

CVE-2023-38067 6.5 - Medium - July 12, 2023

In JetBrains TeamCity before 2023.05.1 build parameters of the "password" type could be written to the agent log

Insertion of Sensitive Information into Log File

In JetBrains TeamCity before 2023.05.1 reflected XSS

CVE-2023-38066 6.1 - Medium - July 12, 2023

In JetBrains TeamCity before 2023.05.1 reflected XSS via the Referer header was possible during artifact downloads

XSS

In JetBrains TeamCity before 2023.05.1 stored XSS while viewing the build log was possible

CVE-2023-38065 5.4 - Medium - July 12, 2023

In JetBrains TeamCity before 2023.05.1 stored XSS while viewing the build log was possible

XSS

In JetBrains TeamCity before 2023.05.1 build chain parameters of the "password" type could be written to the agent log

CVE-2023-38064 6.5 - Medium - July 12, 2023

In JetBrains TeamCity before 2023.05.1 build chain parameters of the "password" type could be written to the agent log

Insertion of Sensitive Information into Log File

In JetBrains TeamCity before 2023.05.1 stored XSS while running custom builds was possible

CVE-2023-38063 5.4 - Medium - July 12, 2023

In JetBrains TeamCity before 2023.05.1 stored XSS while running custom builds was possible

XSS

JetBrains TeamCity 8 and 9 before 9.0.2 allows bypass of account-creation restrictions via a crafted request because the required request data can be deduced by reading HTML and JavaScript files

CVE-2015-1313 6.5 - Medium - June 29, 2023

JetBrains TeamCity 8 and 9 before 9.0.2 allows bypass of account-creation restrictions via a crafted request because the required request data can be deduced by reading HTML and JavaScript files that are returned to the web browser after an initial unauthenticated request.

forced browsing

In JetBrains TeamCity before 2023.05 reflected XSS in the Subscriptions page was possible

CVE-2023-34226 6.1 - Medium - May 31, 2023

In JetBrains TeamCity before 2023.05 reflected XSS in the Subscriptions page was possible

XSS

In JetBrains TeamCity before 2023.05 stored XSS in the NuGet feed page was possible

CVE-2023-34225 5.4 - Medium - May 31, 2023

In JetBrains TeamCity before 2023.05 stored XSS in the NuGet feed page was possible

XSS

In JetBrains TeamCity before 2023.05 a specific endpoint was vulnerable to brute force attacks

CVE-2023-34227 7.5 - High - May 31, 2023

In JetBrains TeamCity before 2023.05 a specific endpoint was vulnerable to brute force attacks

Exposed Dangerous Method or Function

In JetBrains TeamCity before 2023.05 open redirect during OAuth configuration was possible

CVE-2023-34224 4.8 - Medium - May 31, 2023

In JetBrains TeamCity before 2023.05 open redirect during OAuth configuration was possible

Open Redirect

In JetBrains TeamCity before 2023.05 parameters of the "password" type

CVE-2023-34223 5.3 - Medium - May 31, 2023

In JetBrains TeamCity before 2023.05 parameters of the "password" type from build dependencies could be logged in some cases

Insertion of Sensitive Information into Log File

In JetBrains TeamCity before 2023.05 possible XSS in the Plugin Vendor URL was possible

CVE-2023-34222 6.1 - Medium - May 31, 2023

In JetBrains TeamCity before 2023.05 possible XSS in the Plugin Vendor URL was possible

XSS

In JetBrains TeamCity before 2023.05 stored XSS in the Show Connection page was possible

CVE-2023-34221 5.4 - Medium - May 31, 2023

In JetBrains TeamCity before 2023.05 stored XSS in the Show Connection page was possible

XSS

In JetBrains TeamCity before 2023.05 stored XSS in the Commit Status Publisher window was possible

CVE-2023-34220 5.4 - Medium - May 31, 2023

In JetBrains TeamCity before 2023.05 stored XSS in the Commit Status Publisher window was possible

XSS

In JetBrains TeamCity before 2023.05 improper permission checks

CVE-2023-34219 4.3 - Medium - May 31, 2023

In JetBrains TeamCity before 2023.05 improper permission checks allowed users without appropriate permissions to edit Build Configuration settings via REST API

AuthZ

In JetBrains TeamCity before 2023.05 bypass of permission checks

CVE-2023-34218 9.8 - Critical - May 31, 2023

In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possible

AuthZ

In JetBrains TeamCity before 2023.05 stored XSS in GitLab Connection page was possible

CVE-2023-34229 5.4 - Medium - May 31, 2023

In JetBrains TeamCity before 2023.05 stored XSS in GitLab Connection page was possible

XSS

In JetBrains TeamCity before 2023.05 authentication checks were missing: 2FA was not checked for some sensitive account actions

CVE-2023-34228 6.5 - Medium - May 31, 2023

In JetBrains TeamCity before 2023.05 authentication checks were missing: 2FA was not checked for some sensitive account actions

Use of Single-factor Authentication

In JetBrains TeamCity before 2022.10.3 stored XSS on the SSH keys page was possible

CVE-2022-48428 5.4 - Medium - March 27, 2023

In JetBrains TeamCity before 2022.10.3 stored XSS on the SSH keys page was possible

XSS

In JetBrains TeamCity before 2022.10.3 stored XSS on Pending changes and Changes tabs was possible

CVE-2022-48427 5.4 - Medium - March 27, 2023

In JetBrains TeamCity before 2022.10.3 stored XSS on Pending changes and Changes tabs was possible

XSS

In JetBrains TeamCity before 2022.10.3 stored XSS in Perforce connection settings was possible

CVE-2022-48426 5.4 - Medium - March 27, 2023

In JetBrains TeamCity before 2022.10.3 stored XSS in Perforce connection settings was possible

XSS

In JetBrains TeamCity before 2022.10.2 there was an XSS vulnerability in the group creation process.

CVE-2022-48344 6.1 - Medium - February 23, 2023

In JetBrains TeamCity before 2022.10.2 there was an XSS vulnerability in the group creation process.

XSS

In JetBrains TeamCity before 2022.10.2 there was an XSS vulnerability in the user creation process.

CVE-2022-48343 6.1 - Medium - February 23, 2023

In JetBrains TeamCity before 2022.10.2 there was an XSS vulnerability in the user creation process.

XSS

In JetBrains TeamCity before 2022.10.2 JVMTI was enabled by default on agents.

CVE-2022-48342 9.8 - Critical - February 23, 2023

In JetBrains TeamCity before 2022.10.2 JVMTI was enabled by default on agents.

Insecure Default Initialization of Resource

In JetBrains TeamCity between 2022.10 and 2022.10.1 connecting to AWS using the "Default Credential Provider Chain"

CVE-2022-46831 4.9 - Medium - December 08, 2022

In JetBrains TeamCity between 2022.10 and 2022.10.1 connecting to AWS using the "Default Credential Provider Chain" allowed TeamCity project administrators to access AWS resources normally limited to TeamCity system administrators.

Insecure Default Initialization of Resource

In JetBrains TeamCity between 2022.10 and 2022.10.1 a custom STS endpoint

CVE-2022-46830 5.3 - Medium - December 08, 2022

In JetBrains TeamCity between 2022.10 and 2022.10.1 a custom STS endpoint allowed internal port scanning.

XSPA

In JetBrains TeamCity version before 2022.10

CVE-2022-44646 5.3 - Medium - November 03, 2022

In JetBrains TeamCity version before 2022.10, no audit items were added upon editing a user's settings

In JetBrains TeamCity version before 2022.10

CVE-2022-44624 7.5 - High - November 03, 2022

In JetBrains TeamCity version before 2022.10, Password parameters could be exposed in the build log if they contained special characters

Insertion of Sensitive Information into Log File

In JetBrains TeamCity version before 2022.10

CVE-2022-44623 7.5 - High - November 03, 2022

In JetBrains TeamCity version before 2022.10, Project Viewer could see scrambled secure values in the MetaRunner settings

In JetBrains TeamCity version between 2021.2 and 2022.10 access permissions for secure token health items were excessive

CVE-2022-44622 5.3 - Medium - November 03, 2022

In JetBrains TeamCity version between 2021.2 and 2022.10 access permissions for secure token health items were excessive

In JetBrains TeamCity before 2022.04.4 environmental variables of "password" type could be logged when using custom Perforce executable

CVE-2022-40979 5.3 - Medium - September 23, 2022

In JetBrains TeamCity before 2022.04.4 environmental variables of "password" type could be logged when using custom Perforce executable

Insertion of Sensitive Information into Log File

In JetBrains TeamCity before 2022.04.3 the private SSH key could be written to the server log in some cases

CVE-2022-38133 5.3 - Medium - August 10, 2022

In JetBrains TeamCity before 2022.04.3 the private SSH key could be written to the server log in some cases

Insertion of Sensitive Information into Log File

In JetBrains TeamCity before 2022.04.2 build parameter injection was possible

CVE-2022-36322 8.8 - High - July 20, 2022

In JetBrains TeamCity before 2022.04.2 build parameter injection was possible

Argument Injection

In JetBrains TeamCity before 2022.04.2 the private SSH key could be written to the build log in some cases

CVE-2022-36321 6.5 - Medium - July 20, 2022

In JetBrains TeamCity before 2022.04.2 the private SSH key could be written to the build log in some cases

Insertion of Sensitive Information into Log File

In JetBrains TeamCity before 2022.04 potential XSS

CVE-2022-29929 6.1 - Medium - May 12, 2022

In JetBrains TeamCity before 2022.04 potential XSS via Referrer header was possible

XSS

In JetBrains TeamCity before 2022.04 leak of secrets in TeamCity agent logs was possible

CVE-2022-29928 4.9 - Medium - May 12, 2022

In JetBrains TeamCity before 2022.04 leak of secrets in TeamCity agent logs was possible

Insertion of Sensitive Information into Log File

In JetBrains TeamCity before 2022.04 reflected XSS on the Build Chain Status page was possible

CVE-2022-29927 6.1 - Medium - May 12, 2022

In JetBrains TeamCity before 2022.04 reflected XSS on the Build Chain Status page was possible

XSS

In JetBrains TeamCity before 2021.2.3

CVE-2022-25264 7.5 - High - February 25, 2022

In JetBrains TeamCity before 2021.2.3, environment variables of the "password" type could be logged in some cases.

Insecure Storage of Sensitive Information

JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration.

CVE-2022-25263 9.8 - Critical - February 25, 2022

JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration.

Shell injection

JetBrains TeamCity before 2021.2.2 was vulnerable to reflected XSS.

CVE-2022-25261 6.1 - Medium - February 25, 2022

JetBrains TeamCity before 2021.2.2 was vulnerable to reflected XSS.

XSS

In JetBrains TeamCity before 2021.2.1

CVE-2022-24342 8.8 - High - February 25, 2022

In JetBrains TeamCity before 2021.2.1, URL injection leading to CSRF was possible.

Session Riding

In JetBrains TeamCity before 2021.2.1

CVE-2022-24341 7.5 - High - February 25, 2022

In JetBrains TeamCity before 2021.2.1, editing a user account to change its password didn't terminate sessions of the edited user.

Insufficient Session Expiration

In JetBrains TeamCity before 2021.2.1

CVE-2022-24340 9.8 - Critical - February 25, 2022

In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible.

XXE

JetBrains TeamCity before 2021.2.1 was vulnerable to stored XSS.

CVE-2022-24339 5.4 - Medium - February 25, 2022

JetBrains TeamCity before 2021.2.1 was vulnerable to stored XSS.

XSS

JetBrains TeamCity before 2021.2.1 was vulnerable to reflected XSS.

CVE-2022-24338 6.1 - Medium - February 25, 2022

JetBrains TeamCity before 2021.2.1 was vulnerable to reflected XSS.

XSS

In JetBrains TeamCity before 2021.2

CVE-2022-24337 6.5 - Medium - February 25, 2022

In JetBrains TeamCity before 2021.2, health items of pull requests were shown to users who lacked appropriate permissions.

Incorrect Default Permissions

In JetBrains TeamCity before 2021.2.1, an unauthenticated attacker can cancel running builds

CVE-2022-24336 5.3 - Medium - February 25, 2022

In JetBrains TeamCity before 2021.2.1, an unauthenticated attacker can cancel running builds via an XML-RPC request to the TeamCity server.

JetBrains TeamCity before 2021.2 was vulnerable to a Time-of-check/Time-of-use (TOCTOU) race-condition attack in agent registration

CVE-2022-24335 8.1 - High - February 25, 2022

JetBrains TeamCity before 2021.2 was vulnerable to a Time-of-check/Time-of-use (TOCTOU) race-condition attack in agent registration via XML-RPC.

TOCTTOU

In JetBrains TeamCity before 2021.2.1, the Agent Push feature

CVE-2022-24334 5.3 - Medium - February 25, 2022

In JetBrains TeamCity before 2021.2.1, the Agent Push feature allowed selection of any private key on the server.

In JetBrains TeamCity before 2021.2.1

CVE-2022-24330 6.1 - Medium - February 25, 2022

In JetBrains TeamCity before 2021.2.1, a redirection to an external site was possible.

Open Redirect

In JetBrains TeamCity before 2021.2, blind SSRF

CVE-2022-24333 6.5 - Medium - February 25, 2022

In JetBrains TeamCity before 2021.2, blind SSRF via an XML-RPC call was possible.

XSPA

In JetBrains TeamCity before 2021.2

CVE-2022-24332 5.3 - Medium - February 25, 2022

In JetBrains TeamCity before 2021.2, a logout action didn't remove a Remember Me cookie.

Insufficient Session Expiration

In JetBrains TeamCity before 2021.1.4

CVE-2022-24331 9.8 - Critical - February 25, 2022

In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible.

In JetBrains TeamCity before 2021.1.3

CVE-2021-43202 9.8 - Critical - November 30, 2021

In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases.

In JetBrains TeamCity before 2021.1.3, a newly created project could take settings

CVE-2021-43201 5.3 - Medium - November 09, 2021

In JetBrains TeamCity before 2021.1.3, a newly created project could take settings from an already deleted project.

In JetBrains TeamCity before 2021.1.2

CVE-2021-43200 9.8 - Critical - November 09, 2021

In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient.

In JetBrains TeamCity before 2021.1.2

CVE-2021-43199 5.3 - Medium - November 09, 2021

In JetBrains TeamCity before 2021.1.2, permission checks in the Create Patch functionality are insufficient.

Incorrect Default Permissions

In JetBrains TeamCity before 2021.1.2

CVE-2021-43198 5.4 - Medium - November 09, 2021

In JetBrains TeamCity before 2021.1.2, stored XSS is possible.

XSS

In JetBrains TeamCity before 2021.1.2

CVE-2021-43197 6.1 - Medium - November 09, 2021

In JetBrains TeamCity before 2021.1.2, email notifications could include unescaped HTML for XSS.

XSS

In JetBrains TeamCity before 2021.1, information disclosure

CVE-2021-43196 7.5 - High - November 09, 2021

In JetBrains TeamCity before 2021.1, information disclosure via the Docker Registry connection dialog is possible.

In JetBrains TeamCity before 2021.1.2

CVE-2021-43195 5.3 - Medium - November 09, 2021

In JetBrains TeamCity before 2021.1.2, some HTTP security headers were missing.

In JetBrains TeamCity before 2021.1.2

CVE-2021-43194 5.3 - Medium - November 09, 2021

In JetBrains TeamCity before 2021.1.2, user enumeration was possible.

In JetBrains TeamCity before 2021.1.2, remote code execution

CVE-2021-43193 9.8 - Critical - November 09, 2021

In JetBrains TeamCity before 2021.1.2, remote code execution via the agent push functionality is possible.

In JetBrains TeamCity before 2021.1

CVE-2021-37548 7.5 - High - August 06, 2021

In JetBrains TeamCity before 2021.1, passwords in cleartext sometimes could be stored in VCS.

Cleartext Storage of Sensitive Information

In JetBrains TeamCity before 2020.2.4

CVE-2021-37547 5.3 - Medium - August 06, 2021

In JetBrains TeamCity before 2020.2.4, insufficient checks during file uploading were made.

In JetBrains TeamCity before 2021.1

CVE-2021-37546 5.3 - Medium - August 06, 2021

In JetBrains TeamCity before 2021.1, an insecure key generation mechanism for encrypted properties was used.

Use of a Broken or Risky Cryptographic Algorithm

In JetBrains TeamCity before 2020.2.3

CVE-2021-37542 6.1 - Medium - August 06, 2021

In JetBrains TeamCity before 2020.2.3, XSS was possible.

XSS

In JetBrains TeamCity before 2021.1.1

CVE-2021-37545 7.5 - High - August 06, 2021

In JetBrains TeamCity before 2021.1.1, insufficient authentication checks for agent requests were made.

authentication

In JetBrains TeamCity before 2020.2.4

CVE-2021-37544 9.8 - Critical - August 06, 2021

In JetBrains TeamCity before 2020.2.4, there was an insecure deserialization.

Marshaling, Unmarshaling

In JetBrains TeamCity before 2020.2.3

CVE-2021-31911 6.1 - Medium - May 11, 2021

In JetBrains TeamCity before 2020.2.3, reflected XSS was possible on several pages.

XSS

In JetBrains TeamCity before 2020.2.4

CVE-2021-31915 9.8 - Critical - May 11, 2021

In JetBrains TeamCity before 2020.2.4, OS command injection leading to remote code execution was possible.

Shell injection

In JetBrains TeamCity before 2020.2.3

CVE-2021-31913 7.5 - High - May 11, 2021

In JetBrains TeamCity before 2020.2.3, insufficient checks of the redirect_uri were made during GitHub SSO token exchange.

Improper Validation of Integrity Check Value

In JetBrains TeamCity before 2020.2.3

CVE-2021-31912 8.8 - High - May 11, 2021

In JetBrains TeamCity before 2020.2.3, account takeover was potentially possible during a password reset.

Weak Password Recovery Mechanism for Forgotten Password

In JetBrains TeamCity before 2020.2.3, information disclosure

CVE-2021-31910 7.5 - High - May 11, 2021

In JetBrains TeamCity before 2020.2.3, information disclosure via SSRF was possible.

XSPA

In JetBrains TeamCity before 2020.2.2

CVE-2021-3315 5.4 - Medium - May 11, 2021

In JetBrains TeamCity before 2020.2.2, stored XSS on a tests page was possible.

XSS

In JetBrains TeamCity before 2020.2.3

CVE-2021-31908 5.4 - Medium - May 11, 2021

In JetBrains TeamCity before 2020.2.3, stored XSS was possible on several pages.

XSS

In JetBrains TeamCity before 2020.2.3

CVE-2021-31909 9.8 - Critical - May 11, 2021

In JetBrains TeamCity before 2020.2.3, argument injection leading to remote code execution was possible.

Argument Injection

In JetBrains TeamCity before 2020.2.2

CVE-2021-31907 5.3 - Medium - May 11, 2021

In JetBrains TeamCity before 2020.2.2, permission checks for changing TeamCity plugins were implemented improperly.

Incorrect Permission Assignment for Critical Resource

In JetBrains TeamCity before 2020.2.2

CVE-2021-31906 2.7 - Low - May 11, 2021

In JetBrains TeamCity before 2020.2.2, audit logs were not sufficient when an administrator uploaded a file.

In JetBrains TeamCity before 2020.2.2

CVE-2021-31904 6.1 - Medium - May 11, 2021

In JetBrains TeamCity before 2020.2.2, XSS was potentially possible on the test history page.

XSS
