CVE-2022-48426
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in JetBrains TeamCity allows attackers to inject malicious scripts into Perforce connection settings. When administrators view these settings, the scripts execute in their browser context, potentially compromising their accounts. This affects TeamCity servers running versions before 2022.10.3.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity is JetBrains' continuous integration (CI) server.
⚠️ Risk & Real-World Impact
Worst Case
Administrator account takeover leading to full TeamCity server compromise, data theft, and potential lateral movement to connected systems.
Likely Case
Session hijacking of administrator accounts, unauthorized configuration changes, or data exfiltration from the TeamCity instance.
If Mitigated
Limited impact with proper input validation and output encoding, potentially only affecting specific administrative functions.
🎯 Exploit Status
Exploitation requires administrative privileges to access and modify Perforce connection settings.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022.10.3 or later
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Back up the TeamCity configuration and data.
2. Download TeamCity 2022.10.3 or later from the JetBrains website.
3. Stop the TeamCity service.
4. Install the updated version following the JetBrains upgrade guide.
5. Restart the TeamCity service.
6. Verify that the upgrade succeeded.
🔧 Temporary Workarounds
Restrict administrative access
Limit TeamCity administrative access to only essential personnel and implement strong authentication controls.
Input validation controls
Implement additional input validation for Perforce connection settings through custom plugins or configuration.
🧯 If You Can't Patch
- Implement strict access controls to limit who can modify Perforce connection settings.
- Deploy web application firewall (WAF) rules to detect and block XSS payloads in TeamCity requests.
🔍 How to Verify
Check if Vulnerable:
Check TeamCity version in Administration → Server Administration → Server Health → Version Information.
Check Version:
Check TeamCity web interface or server logs for version information.
Verify Fix Applied:
Verify version is 2022.10.3 or later and test Perforce connection settings for proper input sanitization.
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to Perforce connection settings
- Administrative account activity from unexpected locations
Network Indicators:
- Suspicious JavaScript payloads in HTTP requests to TeamCity
- Unexpected outbound connections from TeamCity server
SIEM Query:
source="teamcity" AND ("Perforce" OR "connection settings") AND ("script" OR "javascript" OR "onerror" OR "onload")
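To show how the SIEM query above behaves on concrete input, here is an added Python example (not from this advisory or from JetBrains) that applies the query's three term groups to constructed log lines; the line format, field names and paths are invented for illustration. It also URL- and HTML-decodes each line before matching, a normalization step the raw query does not perform, so percent-encoded keywords are not missed.

```python
from html import unescape
from urllib.parse import unquote_plus

# The advisory's SIEM query, expressed as three term groups that must all match:
# the source filter, the Perforce/connection-settings context, and a payload keyword.
SOURCE_TERM = 'source="teamcity"'
CONTEXT_TERMS = ("perforce", "connection settings")
PAYLOAD_TERMS = ("script", "javascript", "onerror", "onload")

# Constructed sample records (hypothetical format, not real TeamCity log output).
SAMPLE_LOGS = [
    'source="teamcity" user=admin path=/admin/vcsRootSettings vcs=Perforce body="p4port=perforce.example.internal:1666 p4user=ci"',
    'source="teamcity" user=admin path=/admin/vcsRootSettings vcs=Perforce body="p4port=%3Cimg+src%3Dx+onerror%3Dtest%3E"',
    'source="teamcity" user=admin path=/admin/vcsRootSettings vcs=Perforce body="p4user=%3Cb+o%6Eload%3Dtest%3E"',
    'source="teamcity" user=build path=/viewLog.html body="build script started"',
    'source="nginx" user=- path=/admin/vcsRootSettings vcs=Perforce body="%3Cscript%3E"',
]


def normalize(text, rounds=3):
    """Undo URL percent-encoding and HTML entities so keyword matching sees the
    characters a browser would render; bounded so nested encodings cannot loop forever."""
    for _ in range(rounds):
        decoded = unescape(unquote_plus(text))
        if decoded == text:
            break
        text = decoded
    return text.lower()


def matches_query(line):
    """True when the decoded line satisfies all three term groups of the SIEM query."""
    norm = normalize(line)
    return (SOURCE_TERM in norm
            and any(t in norm for t in CONTEXT_TERMS)
            and any(t in norm for t in PAYLOAD_TERMS))


def find_suspicious(lines):
    """Return (index, decoded line) pairs that match, ready for analyst review."""
    return [(i, normalize(l)) for i, l in enumerate(lines) if matches_query(l)]


if __name__ == "__main__":
    for idx, decoded in find_suspicious(SAMPLE_LOGS):
        print(f"line {idx}: {decoded}")
```

The third sample line hides `onload` behind a percent-encoded letter, so a plain substring match on the raw line misses it while the normalized match catches it; lines with the right keywords but the wrong source or no Perforce context are correctly ignored.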