CVE-2022-48428
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in JetBrains TeamCity allows attackers to inject malicious scripts into the SSH keys page. When administrators view the compromised page, the scripts execute in their browser context, potentially leading to session hijacking or administrative actions. All TeamCity instances running versions before 2022.10.3 are affected.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity by JetBrains
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as administrators (including creating new admin accounts, modifying configurations, or accessing sensitive data), and establish persistent backdoors.
Likely Case
Attackers with access to the SSH keys page could inject scripts that steal administrator credentials or session tokens when viewed, leading to unauthorized administrative access.
If Mitigated
With proper input validation and output encoding, malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access to the SSH keys page. The vulnerability is in the web interface where user input isn't properly sanitized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022.10.3 and later
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Backup your TeamCity configuration and data.
2. Download TeamCity 2022.10.3 or later from the JetBrains website.
3. Stop the TeamCity server.
4. Install the updated version following JetBrains upgrade documentation.
5. Restart the TeamCity server.
🔧 Temporary Workarounds
Restrict SSH Keys Page Access
Limit access to the SSH keys management page to only essential administrators using TeamCity's built-in role-based access controls.
Implement Web Application Firewall
Deploy a WAF with XSS protection rules to block malicious script injection attempts.
🧯 If You Can't Patch
- Implement strict input validation and output encoding for all user inputs in the SSH keys interface
- Monitor and audit access to SSH keys management page for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check TeamCity version via Administration → Server Administration → Server Health → Version Information. If version is below 2022.10.3, the system is vulnerable.
Check Version:
Check via web interface at /admin/admin.html?item=diagnostics&tab=diagnosticsGeneral or examine server logs for version information.
Verify Fix Applied:
After upgrading, verify the version is 2022.10.3 or higher in the same location. Test the SSH keys page functionality to ensure it works properly.
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to SSH keys
- Unexpected administrative actions following SSH keys page access
- Multiple failed authentication attempts to the SSH keys page
Network Indicators:
- HTTP requests containing script tags or JavaScript code in parameters related to SSH key management endpoints
SIEM Query:
source="teamcity.log" AND ("sshKeys" OR "ssh-keys") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
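The SIEM query above matches the markers literally, which misses percent-encoded payloads in request URLs. The following added example (not part of this page or of TeamCity) applies the same two conditions, SSH-key endpoint plus script marker, to access-log lines after URL-decoding them; the log format, the /admin/sshKeys.html path and the fileName parameter are constructed for illustration.

```python
from urllib.parse import unquote

# Markers from the SIEM query above; compared case-insensitively after
# percent-decoding, so "%3Cscript%3E" in a request line is caught as well.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")
# Endpoint tokens for SSH key management, as named in the SIEM query.
SSH_KEY_TOKENS = ("sshkeys", "ssh-keys")


def is_suspicious(line: str) -> bool:
    """True if a log line touches an SSH-key endpoint and also carries a
    script-injection marker once the URL is percent-decoded."""
    decoded = unquote(line).lower()
    if not any(tok in decoded for tok in SSH_KEY_TOKENS):
        return False
    return any(marker in decoded for marker in XSS_MARKERS)


def find_suspicious(lines):
    """Filter a sequence of access-log lines down to the suspicious ones."""
    return [line for line in lines if is_suspicious(line)]


# Constructed sample log lines; the paths and parameter names are
# hypothetical and not taken from real TeamCity output.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Jan/2023:10:01:02 +0000] "GET /admin/editProject.html?tab=sshKeys HTTP/1.1" 200',
    '10.0.0.9 - bob [12/Jan/2023:10:02:15 +0000] "POST /admin/sshKeys.html?fileName=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200',
    '10.0.0.9 - bob [12/Jan/2023:10:03:40 +0000] "POST /admin/sshKeys.html?fileName=id_rsa%22%20onerror%3Dalert(1) HTTP/1.1" 200',
    '10.0.0.7 - carol [12/Jan/2023:10:05:00 +0000] "GET /overview.html?q=<script> HTTP/1.1" 200',
]

if __name__ == "__main__":
    # Prints the two encoded bob requests; the plain sshKeys view and the
    # non-SSH-key request from carol are not flagged.
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```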