CVE-2022-24340
📋 TL;DR
This vulnerability allows XML External Entity (XXE) attacks during configuration file parsing in JetBrains TeamCity. Attackers can read arbitrary files from the server, potentially leading to sensitive data exposure or server-side request forgery. All organizations running vulnerable TeamCity versions are affected.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
Teamcity by Jetbrains
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via file read leading to credential theft, followed by lateral movement and data exfiltration.
Likely Case
Unauthorized reading of sensitive configuration files, environment variables, or source code from the TeamCity server.
If Mitigated
Limited impact due to network segmentation and proper file permissions restricting accessible files.
🎯 Exploit Status
XXE vulnerabilities are well-understood with many public exploit examples. No authentication required for exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021.2.1 and later
Vendor Advisory: https://blog.jetbrains.com/blog/2022/02/08/jetbrains-security-bulletin-q4-2021/
Restart Required: Yes
Instructions:
1. Backup TeamCity configuration and data. 2. Download TeamCity 2021.2.1 or later from JetBrains website. 3. Stop TeamCity service. 4. Install the updated version. 5. Restart TeamCity service. 6. Verify functionality.
🔧 Temporary Workarounds
Disable XXE in XML parser
allConfigure XML parser to disable external entity resolution
Modify TeamCity XML parser configuration to set: FEATURE_SECURE_PROCESSING=true, DISALLOW_DOCTYPE_DECL=true
Network segmentation
allRestrict TeamCity server network access
Configure firewall to allow only necessary inbound/outbound connections to TeamCity
🧯 If You Can't Patch
- Implement strict network access controls to limit TeamCity server connectivity
- Monitor for unusual file access patterns and XML parsing errors in logs
🔍 How to Verify
Check if Vulnerable:
Check TeamCity version via web interface Admin → Server Administration → Server Health → VersionCheck Version:
On TeamCity server: cat /opt/teamcity/version.txt or check web interfaceVerify Fix Applied:
Verify version is 2021.2.1 or higher and test XXE payloads no longer work📡 Detection & Monitoring
Log Indicators:
- XML parsing errors with external entity references
- Unusual file access patterns from TeamCity process
Network Indicators:
- HTTP requests with XML payloads containing external entity declarations
- Outbound connections from TeamCity to unexpected internal systems
SIEM Query:
source="teamcity.log" AND ("XXE" OR "external entity" OR "DOCTYPE")