CVE-2021-37548
📋 TL;DR
JetBrains TeamCity versions before 2021.1 could store passwords in cleartext within version control systems (VCS). Anyone with read access to an affected VCS repository, including its history, could recover those credentials; organizations running vulnerable TeamCity instances are affected.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity, a continuous integration and build server by JetBrains.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to VCS repositories containing cleartext passwords, leading to credential theft, unauthorized access to TeamCity and connected systems, and potential lateral movement across infrastructure.
Likely Case
Internal or external actors discover stored cleartext passwords in VCS history, compromising TeamCity accounts and potentially other systems using the same credentials.
If Mitigated
With proper access controls and monitoring, impact is limited to credential exposure requiring rotation, with no direct system compromise.
🎯 Exploit Status
Exploitation requires access to VCS repositories where passwords were stored, typically through compromised credentials or misconfigured access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021.1 or later
Vendor Advisory: https://blog.jetbrains.com/blog/2021/08/05/jetbrains-security-bulletin-q2-2021/
Restart Required: Yes
Instructions:
1. Back up TeamCity configuration and data.
2. Download TeamCity 2021.1 or later from the JetBrains website.
3. Stop the TeamCity service.
4. Install the new version following the JetBrains upgrade guide.
5. Start the TeamCity service.
6. Verify functionality.
🔧 Temporary Workarounds
Audit VCS repositories for stored passwords
Search VCS repositories (Linux) for any stored TeamCity passwords and remove or rotate them:
grep -ri 'password\|passwd\|credential' /path/to/vcs/repos --include="*.xml" --include="*.conf" --include="*.properties"
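The grep above only inspects the files currently checked out; a password committed and later deleted still lives in the repository history. The following scanner is an added example (not part of this advisory or of TeamCity) that does the same audit in a more targeted way: it matches credential-bearing keys in TeamCity-style XML parameters and in .properties files, skips values that are only references to an external secret store, and separates scrambled values from cleartext ones. The sample files are constructed for the example, and the assumption that TeamCity prefixes scrambled secure values with `zxx` is mine, not something stated on this page.

```python
import re
from typing import Dict, List

# Key names that commonly carry credentials.
SECRET_KEY = r"(?:password|passwd|credential|secret|token)"

# TeamCity-style XML parameter: <param name="password" value="..."/>
XML_PARAM = re.compile(
    r'name="(?P<key>[^"]*' + SECRET_KEY + r'[^"]*)"\s+value="(?P<val>[^"]*)"',
    re.IGNORECASE,
)
# Java .properties / INI-style assignment: db.password=...
PROP_LINE = re.compile(
    r"^\s*(?P<key>[\w.\-]*" + SECRET_KEY + r"[\w.\-]*)\s*[=:]\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)
# Values that reference an external secret (env/variable expansion, masked, or empty)
# rather than containing one; these are not findings.
PLACEHOLDER = re.compile(r"^(\$\{[^}]*\}|%[^%]*%|\*+|)$")
# Assumption (not from the advisory): TeamCity stores scrambled secure values
# with a "zxx" prefix, so such values are not cleartext.
SCRAMBLED_PREFIX = "zxx"

# Constructed sample files, as they might appear in a committed settings tree.
# All values are made up for this example.
SAMPLE_FILES: Dict[str, str] = {
    "project-settings.xml": (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<vcs-root>\n"
        '  <param name="username" value="buildbot"/>\n'
        '  <param name="secure:password" value="zxx1234567890abcdef"/>\n'
        '  <param name="password" value="hunter2"/>\n'
        "</vcs-root>\n"
    ),
    "deploy.properties": (
        "db.user=app\n"
        "db.password=Sup3rS3cret!\n"
        "api.token=${TOKEN}\n"
    ),
    "README.txt": "Passwords are managed by the secrets store.\n",
}


def classify_value(value: str) -> str:
    """Return 'placeholder', 'scrambled' or 'cleartext' for a matched value."""
    if PLACEHOLDER.match(value):
        return "placeholder"
    if value.startswith(SCRAMBLED_PREFIX):
        return "scrambled"
    return "cleartext"


def mask(value: str) -> str:
    """Never echo a recovered secret in full; keep a short hint for triage."""
    return value[:2] + "***"


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    """Scan one file's contents and return credential-like assignments."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = XML_PARAM.search(line) or PROP_LINE.match(line)
        if not match:
            continue
        kind = classify_value(match.group("val"))
        if kind == "placeholder":
            continue
        findings.append({
            "path": path,
            "line": lineno,
            "key": match.group("key"),
            "kind": kind,
            "value": mask(match.group("val")),
        })
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan a mapping of path -> contents (e.g. files at one VCS revision)."""
    results: List[Dict[str, object]] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


def cleartext_findings(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Only the findings that need rotation: cleartext, not scrambled values."""
    return [f for f in scan_files(files) if f["kind"] == "cleartext"]


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding['path']}:{finding['line']} {finding['key']} "
              f"[{finding['kind']}] {finding['value']}")
```

To cover history rather than a single checkout, call `scan_text` on the contents of each file at each revision (for git, the output of `git show <rev>:<path>`); any cleartext hit means the credential must be treated as exposed and rotated, regardless of whether it was later removed from the tree.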
Restrict VCS repository access
Implement strict access controls on VCS repositories (all platforms) to limit who can view historical data.
🧯 If You Can't Patch
- Rotate all passwords stored in TeamCity configuration and VCS repositories immediately.
- Implement monitoring for unauthorized access to VCS repositories and TeamCity logs.
🔍 How to Verify
Check if Vulnerable:
Check the TeamCity version in Administration → Server Administration → Global Settings. If the version is below 2021.1, the system is vulnerable.
Check Version:
On the TeamCity server, check /opt/teamcity/version.txt or the equivalent file in the installation directory for version information.
Verify Fix Applied:
Confirm that the TeamCity version is 2021.1 or higher in Administration → Server Administration → Global Settings.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to VCS repositories
- Failed authentication attempts followed by successful access to TeamCity
Network Indicators:
- Unexpected connections from unknown IPs to TeamCity or VCS servers
SIEM Query:
(source="teamcity.log" AND ("authentication failed" OR "password")) OR (source="vcs.log" AND ("git show" OR "svn cat" OR "history access"))