CVE-2021-31912
📋 TL;DR
CVE-2021-31912 is an account takeover vulnerability in JetBrains TeamCity where attackers could potentially hijack user accounts during password reset processes. This affects organizations running TeamCity servers before version 2020.2.3, potentially allowing unauthorized access to CI/CD pipelines and sensitive build artifacts.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
Teamcity by Jetbrains
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of TeamCity server with ability to execute arbitrary code, steal source code, modify build processes, and pivot to internal networks.
Likely Case
Unauthorized access to TeamCity accounts leading to source code exfiltration, build process manipulation, and credential theft.
If Mitigated
Limited impact with proper network segmentation, strong authentication controls, and monitoring in place.
🎯 Exploit Status
Exploitation requires access to password reset functionality but is straightforward once identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2020.2.3 and later
Vendor Advisory: https://blog.jetbrains.com/blog/2021/05/07/jetbrains-security-bulletin-q1-2021/
Restart Required: Yes
Instructions:
1. Backup TeamCity configuration and data. 2. Download TeamCity 2020.2.3 or later from JetBrains website. 3. Stop TeamCity service. 4. Install the updated version. 5. Restart TeamCity service. 6. Verify functionality.
🔧 Temporary Workarounds
Disable password reset functionality
allTemporarily disable password reset feature until patching can be completed
Modify TeamCity authentication settings to disable password reset
Network access restrictions
allRestrict access to TeamCity password reset endpoints
Configure firewall rules to limit access to /app/rest/users/password/reset endpoints
🧯 If You Can't Patch
- Implement strict network segmentation to isolate TeamCity from internet and untrusted networks
- Enable multi-factor authentication for all TeamCity accounts and monitor for suspicious password reset attempts
🔍 How to Verify
Check if Vulnerable:
Check TeamCity version in administration interface or via REST API at /app/rest/serverCheck Version:
curl -s http://teamcity-server/app/rest/server | grep versionVerify Fix Applied:
Confirm version is 2020.2.3 or later and test password reset functionality📡 Detection & Monitoring
Log Indicators:
- Multiple failed password reset attempts
- Unusual password reset success patterns
- Account access from unexpected locations
Network Indicators:
- Unusual traffic to password reset endpoints
- Multiple requests to /app/rest/users/password/reset
SIEM Query:
source="teamcity.log" AND ("password reset" OR "resetPassword") AND status="success"