Authentication bypass vulnerabilities in TeamCity: everything you need to know

JetBrains released patches for two critical TeamCity authentication-bypass vulnerabilities (CVE-2024-27198 — CVSS 9.8 — and CVE-2024-27199 — CVSS 7.3) that allow unauthenticated HTTP(S) access to bypass authentication and gain administrative control or modify sensitive settings; exploitation has been observed in the wild, CISA added CVE-2024-27198 to its Known Exploited Vulnerabilities catalog, and affected on-prem TeamCity versions should be updated to 2023.11.4 or mitigated with the vendor's security patch plugin.