You are viewing the documentation of TeamCity 2018.x, which is not the most recently released version of TeamCity.




Consider adding the "teamcity.installation.completed=true" line to the <TeamCity Home Directory>\conf\teamcity-startup.properties file: this prevents a server started with an empty database from granting access to the machine to the first user who connects.

TeamCity has no built-in protection against DoS attacks: a high rate of requests can overload the server and make it unresponsive. If your TeamCity instance is deployed in an environment that allows such service abuse, implement the protection at the reverse proxy level.
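
One way to apply the reverse-proxy protection described above, as an added example that is not part of the TeamCity documentation: an nginx configuration limiting per-client request rate and concurrent connections. It assumes nginx as the proxy, TeamCity listening on 127.0.0.1:8111, the constructed host name teamcity.example.com, placeholder certificate paths, and illustrative limit values that must be tuned to your build agent and user traffic.

```nginx
# Added example: per-client throttling in front of TeamCity.
# Place inside the http {} context of nginx.conf.

# Track clients by source address; 10 MB of shared state per zone.
limit_req_zone  $binary_remote_addr zone=tc_req:10m rate=20r/s;
limit_conn_zone $binary_remote_addr zone=tc_conn:10m;

# Forward WebSocket upgrade requests; close the upstream connection otherwise.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name teamcity.example.com;                  # constructed host name
    ssl_certificate     /etc/nginx/tls/teamcity.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/teamcity.key;   # placeholder path

    # Answer over-limit clients with 429 instead of the default 503,
    # so throttling is distinguishable from a server failure in the logs.
    limit_req_status  429;
    limit_conn_status 429;

    # Bound how long a slow client can hold a connection open.
    client_header_timeout 30s;
    client_body_timeout   30s;

    location / {
        # Sustained 20 req/s per address, short bursts of up to 40 more.
        limit_req  zone=tc_req burst=40 nodelay;
        # At most 30 simultaneous connections per address.
        limit_conn tc_conn 30;

        proxy_pass http://127.0.0.1:8111;              # assumed TeamCity address
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}
```

Clients that share one source address, such as users or agents behind a NAT gateway, are counted together by these zones, so set the limits with that in mind.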

A project administrator can run arbitrary code on the server: https://youtrack.jetbrains.com/issue/TW-50054
As a workaround, one can add the following properties:
teamcity.server.git.executable.path=git  //???
teamcity.hubPlugin.export.options.enabled=true //???


The CVE-2015-0235 vulnerability was found in the glibc library, which is not directly used by TeamCity code. It is used by the Java/JRE that TeamCity runs on under *nix platforms. As Java is not bundled with TeamCity distributions, you should apply the security measures recommended by the vendor of the Java you use. At this time there are no related Java-specific security advisories released, so updating the OS should be enough to eliminate the risk of the vulnerability being exploited.

h4. Apache FileUpload
CVE-2016-3092, a moderate-level vulnerability, was found in the FileUpload library and can cause a remote DoS attack via high CPU usage. TeamCity versions starting from 10.0.4 are not affected by the vulnerability, even though the bundled Tomcat version can be reported as affected: TeamCity uses its own copy of the library, not Tomcat's, and that copy was updated to a version without the issue.