CVE-2023-42793: 
JetBrains TeamCity vulnerability analysis and mitigation

CVE-2023-42793 is a critical authentication bypass vulnerability discovered in JetBrains TeamCity before version 2023.05.4. The vulnerability was discovered by the Sonar team on September 6, 2023, and publicly disclosed on September 21, 2023. The flaw allows an unauthenticated attacker with HTTP(S) access to a TeamCity server to perform remote code execution (RCE) and gain administrative control of the server. This vulnerability affects all on-premises versions of TeamCity prior to 2023.05.4, while TeamCity Cloud is not affected (Rapid7 Blog, Sonar Blog).

The vulnerability stems from a flaw in TeamCity's request interceptor implementation. The system used a wildcard expression '/**/RPC2' that inadvertently allowed bypassing authentication checks for any path ending with /RPC2. This could be exploited through the REST API endpoint for token creation, allowing attackers to create authentication tokens for any user, including administrators. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical), reflecting its high impact and low exploitation complexity (Sonar Blog).

Successful exploitation of this vulnerability enables attackers to steal source code, access stored service secrets and private keys, control attached build agents, and potentially poison build artifacts. The vulnerability's impact is particularly severe as it affects CI/CD servers, which typically have access to an organization's most valuable assets and can influence the software supply chain (Sonar Blog).

JetBrains has released version 2023.05.4 which patches the vulnerability. For customers unable to immediately update, JetBrains has provided security patch plugins that work on TeamCity 8.0+ versions. Two different plugins are available: one for versions 2018.2 to 2023.05.3, and another for versions 8.0 to 2018.1. For TeamCity 2019.2 and later, the plugin can be enabled without restarting the server, while older versions require a restart (JetBrains Blog).

The vulnerability has garnered significant attention in the cybersecurity community due to its critical nature and ease of exploitation. Microsoft reported that multiple North Korean threat actors have been exploiting this vulnerability. The issue was added to CISA's Known Exploited Vulnerabilities Catalog on October 4, 2023, requiring federal agencies to apply mitigations (Rapid7 Blog).