CVE-2021-43202
📋 TL;DR
Missing X-Frame-Options headers in JetBrains TeamCity allow clickjacking attacks: an attacker can embed vulnerable pages in an iframe on a site they control and trick users into performing unintended actions. All TeamCity servers before version 2021.1.3 are affected.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity by JetBrains, a continuous integration and build management server.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could embed the TeamCity interface in malicious sites, tricking administrators into performing privileged actions like creating new admin accounts, modifying build configurations, or deploying malicious code.
Likely Case
Clickjacking attacks leading to unauthorized actions by authenticated users, potentially compromising build pipelines or exposing sensitive configuration data.
If Mitigated
With a proper Content-Security-Policy header in place and modern browser protections, the remaining impact is limited to older browsers that lack clickjacking protections.
🎯 Exploit Status
Exploitation requires user interaction (clicking) but is technically simple. Attackers need to lure users to malicious sites with embedded TeamCity iframes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021.1.3 or later
Vendor Advisory: https://blog.jetbrains.com/blog/2021/11/08/jetbrains-security-bulletin-q3-2021/
Restart Required: Yes
Instructions:
1. Back up your TeamCity configuration and data.
2. Download TeamCity 2021.1.3 or later from the JetBrains website.
3. Stop the TeamCity server.
4. Install the new version following the JetBrains upgrade guide.
5. Restart the TeamCity server.
🔧 Temporary Workarounds
Configure reverse proxy with X-Frame-Options
Add an X-Frame-Options: DENY or SAMEORIGIN header at the reverse proxy level
# For nginx: add 'add_header X-Frame-Options SAMEORIGIN;' to server block
# For Apache: add 'Header always set X-Frame-Options SAMEORIGIN' to config
Implement Content Security Policy
Add a frame-ancestors directive to the Content-Security-Policy header
# Example: add_header Content-Security-Policy "frame-ancestors 'self';"
# Or more restrictive: add_header Content-Security-Policy "frame-ancestors 'none';"
# Add to web server or reverse proxy configuration
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to add X-Frame-Options headers
- Use browser extensions that enforce clickjacking protections for administrators
🔍 How to Verify
Check if Vulnerable:
Use browser developer tools or curl to check HTTP headers: curl -I https://your-teamcity-server | grep -i x-frame-options
Check Version:
Check the TeamCity version under Administration → Server Administration → Global Settings, or via the REST API: curl https://your-teamcity-server/app/rest/server
Verify Fix Applied:
Verify that the X-Frame-Options header is present in all responses: curl -I https://your-teamcity-server/login.html | grep -i x-frame-options
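As an added example (not part of the original advisory and not JetBrains' code), the following script applies the checks from the workaround and verification sections to captured response headers: it parses `curl -sI` output and reports whether a Content-Security-Policy frame-ancestors directive or an X-Frame-Options header actually blocks framing, including the cases a plain grep misses (report-only CSP, ALLOW-FROM, conflicting values). The sample responses are constructed and the script name check_framing.py is assumed.

```python
"""Classify the anti-framing headers of a captured HTTP response."""
import sys

# Constructed samples: an unpatched server (no anti-framing header) and the same
# server behind the nginx workaround from the page.
SAMPLE_UNPATCHED = "HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=UTF-8\r\n"
SAMPLE_PROXIED = ("HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
                  "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n")

def parse_headers(raw):
    """Turn `curl -I` style output into (lowercase name, value) pairs; the status line is skipped."""
    pairs = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def frame_ancestors(pairs):
    """Source list of the first frame-ancestors directive in an enforced CSP header, else None."""
    for name, value in pairs:
        if name != "content-security-policy":  # a report-only policy does not block framing
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None

def assess(raw):
    """Return 'protected', 'allowlist', 'misconfigured' or 'vulnerable' for one response."""
    pairs = parse_headers(raw)
    # Browsers that support frame-ancestors let it override X-Frame-Options, so CSP is
    # checked first; an empty source list matches nothing and therefore also blocks framing.
    ancestors = frame_ancestors(pairs)
    if ancestors is not None:
        return "protected" if all(a in ("'self'", "'none'") for a in ancestors) else "allowlist"
    xfo = {v.upper() for n, v in pairs if n == "x-frame-options"}
    if not xfo:
        return "vulnerable"
    if len(xfo) == 1 and xfo <= {"DENY", "SAMEORIGIN"}:
        return "protected"
    return "misconfigured"  # e.g. ALLOW-FROM (ignored by modern browsers) or conflicting values

if __name__ == "__main__":
    # Usage: curl -sI https://your-teamcity-server/login.html | python3 check_framing.py
    print(assess(sys.stdin.read()))
```

An "allowlist" result means framing is restricted to explicit origins; review that list rather than treating it as a pass.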
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from the same IP with unusual Referer headers
- Administrative actions from unexpected user agents or referrers
Network Indicators:
- HTTP requests with suspicious referrer domains
- TeamCity pages loaded in iframes from external domains
SIEM Query:
source="teamcity" AND (http_referer CONTAINS "malicious-domain.com" OR user_agent="clickjacking-tool")