CVE-2021-25776
📋 TL;DR
This vulnerability in JetBrains TeamCity exposes Elastic Container Registry (ECR) tokens in build parameters, potentially allowing unauthorized access to container registries. It affects TeamCity installations before version 2020.2 where ECR integration is configured.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity by JetBrains
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to private container registries, allowing them to push malicious images, pull sensitive images, or disrupt container deployments.
Likely Case
Unauthorized users access build parameters containing ECR tokens, potentially compromising container registry security and exposing sensitive container images.
If Mitigated
With proper access controls and monitoring, exposure is limited to authorized users only, minimizing registry compromise risk.
🎯 Exploit Status
Exploitation requires access to build parameters, typically through TeamCity user interface or API access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2020.2 and later
Vendor Advisory: https://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020/
Restart Required: Yes
Instructions:
1. Back up the TeamCity configuration and data.
2. Download TeamCity 2020.2 or later from the official JetBrains website.
3. Follow the upgrade instructions for your platform.
4. Restart the TeamCity services.
5. Verify that the upgrade completed.
🔧 Temporary Workarounds
Disable ECR Integration
Temporarily disable Elastic Container Registry integration to prevent token exposure.
Navigate to TeamCity Administration > Integrations > Cloud Integrations > Disable ECR
Restrict Build Parameter Access
Limit which users can view build parameters containing sensitive data.
Configure TeamCity project roles to restrict 'View build parameters' permission
🧯 If You Can't Patch
- Implement strict access controls to limit who can view build parameters
- Monitor TeamCity audit logs for unauthorized access to build parameters
🔍 How to Verify
Check if Vulnerable:
Check the TeamCity version in Administration > Global Settings; if the version is below 2020.2 and ECR integration is configured, the system is vulnerable.
Check Version:
Check TeamCity web interface: Administration > Global Settings > Version
Verify Fix Applied:
After upgrading to 2020.2 or later, verify that ECR tokens are no longer visible in build parameters and confirm that the displayed version is 2020.2 or higher.
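The version check above can be scripted against TeamCity's REST API. The following is an added example, not part of this advisory or of JetBrains' tooling: it reads the `version` field returned by `GET /app/rest/server` (a real TeamCity REST endpoint) and applies the "below 2020.2 and ECR configured" rule. Whether ECR integration is configured is not exposed by that endpoint, so it is passed in as a flag; the sample response is constructed.

```python
"""Decide whether a TeamCity server is in scope for CVE-2021-25776."""
import json
import re
import urllib.request

FIXED_IN = (2020, 2)  # first release carrying the fix, per the vendor bulletin


def parse_version(version_text):
    """Extract (major, minor) from strings such as '2020.1.5 (build 12345)'."""
    m = re.match(r"\s*(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version: {version_text!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version_text, ecr_configured):
    """Vulnerable only when the server predates 2020.2 AND ECR integration is in use."""
    return parse_version(version_text) < FIXED_IN and ecr_configured


def assess(server_json, ecr_configured):
    """Take the JSON body of GET /app/rest/server and return a verdict."""
    version = json.loads(server_json)["version"]
    return {"version": version, "vulnerable": is_vulnerable(version, ecr_configured)}


def fetch_server_info(base_url, access_token):
    """Live check: GET /app/rest/server as JSON, authenticating with a TeamCity access token."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/app/rest/server",
        headers={"Accept": "application/json",
                 "Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


# Constructed sample response (not output from a real server); the build number is a placeholder.
SAMPLE_RESPONSE = '{"version":"2020.1.5 (build 12345)","buildNumber":"12345"}'

if __name__ == "__main__":
    # Offline demonstration; for a live check call fetch_server_info(url, token) instead.
    print(assess(SAMPLE_RESPONSE, ecr_configured=True))
```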
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to build parameters
- Multiple failed authentication attempts to TeamCity
Network Indicators:
- Unusual API calls to TeamCity build parameter endpoints
- Suspicious access patterns to container registries
SIEM Query:
source="teamcity" AND (event="view_build_parameters" OR event="access_sensitive_data")