Qualys detected vulnerabilities on TeamCity 2024.07.3 build
TeamCity, on the other hand, still has 3 vulnerabilities even after upgrading it to the latest build.
They are in the following categories:
150122 Cookie Does Not Contain The "secure" Attribute
This should have been resolved in 2018.1; unsure why this is still being detected in the latest build.
150112 Sensitive form field has not disabled autocomplete
Cannot locate the file login.html in the TeamCity directory to modify the form field's autocomplete="off" attribute.
The impact information explains that it's more at risk in a shared computing environment where more than one person may use the browser from the same local machine.
150124 Clickjacking - Framable Page
TeamCity has indicated that it should have been resolved in version 2017.2.4, 2018.1 (we are on 2024.07.3).
So in conclusion:
It is not possible to modify without changing the source code on TeamCity (application level):
150112 Sensitive form field has not disabled autocomplete
Release security notes from TeamCity indicate that they should be resolved by the current build that we are on:
150122 Cookie Does Not Contain The "secure" Attribute
150124 Clickjacking - Framable Page
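Added example (not part of the original post, and not TeamCity or Qualys code): a Python check that re-tests the three findings above against a saved HTTP response, to confirm whether a scanner result is a true positive. The checks approximate what the QID titles describe; the two sample responses and the SESSIONID cookie name are constructed.

```python
from html.parser import HTMLParser

class _PasswordFields(HTMLParser):
    """Collect password inputs whose autocomplete is not "off"."""
    def __init__(self):
        super().__init__()
        self.form_off, self.exposed = False, []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.form_off = a.get("autocomplete") == "off"
        elif tag == "input" and a.get("type") == "password":
            # A field-level value wins; otherwise inherit from the form.
            off = a["autocomplete"] == "off" if "autocomplete" in a else self.form_off
            if not off:
                self.exposed.append(a.get("name", "?"))
    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit_response(raw):
    """Return {QID: [evidence]} for one raw HTTP response (headers + body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = [tuple(p.strip() for p in line.split(":", 1))
               for line in head.split("\n")[1:] if ":" in line]
    findings = {"150122": [], "150112": [], "150124": []}
    for name, value in headers:
        if name.lower() == "set-cookie":
            attrs = [p.strip().split("=")[0].lower() for p in value.split(";")[1:]]
            if "secure" not in attrs:
                findings["150122"].append(value.split("=", 1)[0])
    hdr = {n.lower(): v.lower() for n, v in headers}
    csp = hdr.get("content-security-policy", "")
    if "x-frame-options" not in hdr and "frame-ancestors" not in csp:
        findings["150124"].append("no X-Frame-Options or CSP frame-ancestors")
    parser = _PasswordFields()
    parser.feed(body)
    findings["150112"] = parser.exposed
    return findings

# Constructed sample responses (not captured from a real TeamCity server).
PLAIN = ("HTTP/1.1 200 OK\r\nSet-Cookie: SESSIONID=abc123; Path=/; HttpOnly\r\n"
         "Content-Type: text/html\r\n\r\n"
         '<form action="/login"><input type="text" name="username">'
         '<input type="password" name="password"></form>')
HARDENED = ("HTTP/1.1 200 OK\r\nSet-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
            "X-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n\r\n"
            '<form action="/login" autocomplete="off">'
            '<input type="password" name="password"></form>')
```

Feeding it the response captured at the URL the scanner reports shows which layer (the application or a proxy in front of it) is actually emitting the cookie and framing headers.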
If you are running a Windows host, have you synced the version to the registry?
Auto update will not be able to update the version of the TeamCity server in Windows registry.
To set the TeamCity version in registry to the current TeamCity version, run the following command:
runas /user:Administrator "powershell -File C:\TeamCity\bin\update-registry-version.ps1"