TeamCity On-Premises 2023.11 Help

TeamCity 2023.11.5 Release Notes

Build 147631, 29 May 2024

Bug

TW-87765 — Subproject administrator cannot view NuGet feed and Artifact storage settings of a parent project

TW-87750 — The user with the Project Administrator role can't see the NuGet feed

TW-82293 — "bean currentUser not found within scope" error in the logs when an unauthorized user opens a non existing page

Security

10 security issues were fixed. To protect customers who have not yet updated their servers, we typically withhold details about these fixes. Instead, we encourage you to review our Security Bulletin a few days after each bugfix release for more information.

In our effort to enhance transparency and due to potential delays in publishing new security bulletins (stemming from the simultaneous release of the 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5, and 2024.03.2 bug-fix updates), we have decided to provide a summary of both new and backported fixes.

Backported Fixes

These issues were resolved in newer major TeamCity versions and backported to this bug-fix update. You can find more info about them in our Security Bulletin.

  • XXE was possible in the Maven build steps detector (TW-86300)

  • Authenticated users without administrative permissions could register other users when self-registration was disabled (TW-87046)

  • Server administrators could remove arbitrary files from the server by installing tools (TW-86039)

  • XSS was possible via Agent Distribution settings (TW-86535)

  • Reflected XSS was possible via Space connection configuration (TW-86832)

  • Open redirect was possible on the login page (TW-87062)

  • 2FA could be bypassed by providing a special URL parameter (TW-86989)

Recently Resolved Issues

Fixes for the following security issues are not immediately available in our Security Bulletin: newly discovered and fixed problems, issues from upstream libraries outside the TeamCity codebase, specific cases of previously reported vulnerabilities, and others.

You can expect details on most of these issues to be published in our Security Bulletin a few days after the official release.

  • Path traversal allowing to read files from server was possible

  • TeamCity server could be accessed without authorization during specific brief moments of its lifecycle

  • A third-party agent could impersonate a cloud agent

Last modified: 28 May 2024