Consider adding the "teamcity.installation.completed=true" line to the <TeamCity Home Directory>\conf\teamcity-startup.properties file. This prevents a server started with an empty database from creating an administrator user when none is found, and so from granting access to the machine to the first user who happens to connect.
TeamCity has no built-in protection against DoS attacks: a high rate of requests can overload the server and make it unresponsive. If your TeamCity instance is deployed in an environment that allows such service abuse, implement the protection at the reverse proxy level.
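Before a proxy-level limit is tuned, it helps to know what request rates clients actually produce. The script below is an added example (not part of the TeamCity documentation or product) that reads reverse-proxy access log lines in the common combined format and flags client IPs that exceed a request threshold within a sliding time window. The log lines are constructed, and the window size, threshold, IP addresses and paths are assumed values; it also assumes the proxy logs the real client address.

```python
"""Flag clients whose request rate to a TeamCity reverse proxy exceeds a
threshold, from combined-format access log lines.
Added example: log lines are constructed, thresholds are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: client ip, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def find_bursty_clients(lines, window_seconds=10, max_requests=50):
    """Sliding window per client IP (lines must be in log order per client).

    Returns {ip: peak_count} for every client that issued more than
    max_requests within any span of window_seconds."""
    windows = defaultdict(deque)
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line, e.g. a truncated write
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that fell out of the window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            offenders[rec["ip"]] = max(offenders.get(rec["ip"], 0), len(q))
    return offenders


def _line(ip, second, path):
    """Build a constructed combined-format log line (assumed date and fields)."""
    return (f'{ip} - - [10/Mar/2017:12:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512')


# Constructed sample: one client sends 60 requests within 5 seconds,
# another sends 5 requests over 5 seconds. Per-IP windows are independent,
# so the two clients' lines do not need to be interleaved.
SAMPLE_LOG = (
    [_line("203.0.113.7", s // 12, "/app/rest/builds") for s in range(60)]
    + [_line("198.51.100.3", s, "/overview.html") for s in range(5)]
)

if __name__ == "__main__":
    for ip, peak in find_bursty_clients(SAMPLE_LOG).items():
        print(f"{ip}: peak of {peak} requests in a 10 s window")
```

The peak counts this reports are a starting point for choosing a rate and burst size for the proxy's own limiter (for example nginx's limit_req directive); build agents and REST API clients legitimately poll at a steady rate, so measure them before setting a threshold that would throttle them.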
A project administrator can run arbitrary code on the server: https://youtrack.jetbrains.com/issue/TW-50054. As a workaround, add the following properties (entries marked //??? are unverified):
teamcity.hg.customClonePathEnabled=false
teamcity.hg.customHgPathEnabled=false
teamcity.hg.customConfigEnabled=false
teamcity.git.customClonePathEnabled=false
teamcity.server.git.executable.path=git //???
teamcity.perforce.customP4Path=p4
teamcity.hubPlugin.export.options.enabled=true //???
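Both the teamcity.installation.completed setting above and the TW-50054 workaround are plain key=value entries in a Java .properties file, so it is easy to audit a server for them. The script below is an added example (not JetBrains' code) that parses a properties file the Java way (comments, = or : separators, backslash line continuations, last key wins) and reports which expected hardening values are missing or different. The expected list mirrors the properties on this page whose values are not marked as uncertain; the sample file content is constructed, and which file the properties live in is left to the caller.

```python
"""Audit a Java .properties file for the TeamCity hardening values above.
Added example: the sample content is constructed; the file path is
whatever the caller passes to audit_file()."""
import re
from pathlib import Path

# Expected hardening values: teamcity.installation.completed from the
# startup-properties advice, the rest from the TW-50054 workaround list.
# Properties marked //??? on the page are deliberately left out.
EXPECTED = {
    "teamcity.installation.completed": "true",
    "teamcity.hg.customClonePathEnabled": "false",
    "teamcity.hg.customHgPathEnabled": "false",
    "teamcity.hg.customConfigEnabled": "false",
    "teamcity.git.customClonePathEnabled": "false",
    "teamcity.perforce.customP4Path": "p4",
}

KV_RE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Minimal Java .properties parser.

    Handles '#' and '!' comment lines, '=' or ':' (or whitespace) as the
    separator, and a trailing backslash as line continuation (leading
    whitespace of the continued line is dropped, as java.util.Properties
    does). A later duplicate key overrides an earlier one."""
    props = {}
    logical = []  # pieces of the logical line currently being assembled
    for raw in text.splitlines():
        line = raw.lstrip()
        if logical:
            logical.append(line)  # continuation of the previous line
        else:
            if not line or line[0] in "#!":
                continue
            logical.append(line)
        # A single trailing backslash continues the line; '\\' is an escaped
        # backslash and does not.
        if logical[-1].endswith("\\") and not logical[-1].endswith("\\\\"):
            logical[-1] = logical[-1][:-1]
            continue
        joined = "".join(logical)
        logical = []
        m = KV_RE.match(joined)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props, expected=EXPECTED):
    """Return [(key, expected_value, actual_value)] for every expected key
    that is missing (actual_value None) or set to a different value."""
    findings = []
    for key, want in expected.items():
        have = props.get(key)
        if have is None or have.lower() != want.lower():
            findings.append((key, want, have))
    return findings


def audit_file(path):
    """Audit the properties file at path (assumed to be UTF-8)."""
    return audit(parse_properties(Path(path).read_text(encoding="utf-8")))


# Constructed sample: one value wrong, one key missing, one line continued.
SAMPLE = """\
# constructed sample properties file
teamcity.installation.completed=true
teamcity.hg.customClonePathEnabled=false
teamcity.hg.customHgPathEnabled = true
teamcity.git.customClonePathEnabled=\\
  false
teamcity.perforce.customP4Path:p4
"""

if __name__ == "__main__":
    for key, want, have in audit(parse_properties(SAMPLE)):
        state = "missing" if have is None else f"set to {have!r}"
        print(f"{key}: expected {want!r}, {state}")
```

Run it against a real file with audit_file(path); a clean result is an empty list. The comparison is case-insensitive on the value because TeamCity reads these as booleans, but the key names must match exactly.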
The CVE-2015-0235 vulnerability was found in the glibc library, which is not used directly by TeamCity code. It is used by the Java/JRE that runs TeamCity on *nix platforms. As Java is not bundled with TeamCity distributions, you should apply the security measures recommended by the vendor of the Java you use. At this time no related Java-specific security advisories have been released, so updating the OS should be enough to eliminate the risk of exploitation.
h4. Apache FileUpload CVE-2016-3092

A moderate-level vulnerability was found in the FileUpload library; it can cause a remote DoS attack via high CPU usage. TeamCity versions starting from 10.0.4 are not affected by the vulnerability even though the bundled Tomcat version may be reported as affected: TeamCity uses its own copy of the library, not Tomcat's. The library was updated to a version without the issue.