CVE-2024-31136
📋 TL;DR
This vulnerability allows attackers to bypass two-factor authentication (2FA) in JetBrains TeamCity by using a special URL parameter. It affects all TeamCity instances with 2FA enabled that are running versions before 2024.03. This enables unauthorized access to protected TeamCity resources.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity is a CI/CD server by JetBrains.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to TeamCity, allowing them to modify build configurations, steal source code, inject malicious code into builds, or deploy unauthorized software.
Likely Case
Attackers bypass 2FA to access user accounts with elevated privileges, potentially compromising CI/CD pipelines and accessing sensitive build artifacts.
If Mitigated
With proper network segmentation and monitoring, unauthorized access attempts can be detected and blocked before significant damage occurs.
🎯 Exploit Status
Exploitation requires knowledge of the special URL parameter but is technically simple once known. Attackers need valid credentials to exploit the 2FA bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.03 and later
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Back up the TeamCity configuration and data.
2. Download TeamCity 2024.03 or later from the JetBrains website.
3. Stop the TeamCity service.
4. Install the updated version following the JetBrains upgrade guide.
5. Restart the TeamCity service.
6. Verify that 2FA functionality works correctly.
🔧 Temporary Workarounds
Disable 2FA temporarily
All platforms: Temporarily disable two-factor authentication until patching can be completed.
Navigate to Administration > Authentication > Two-factor Authentication and disable
Restrict access with firewall rules
Linux: Limit TeamCity access to trusted IP addresses only.
iptables -A INPUT -p tcp --dport 8111 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 8111 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate TeamCity from untrusted networks
- Enable detailed authentication logging and monitor for suspicious 2FA bypass attempts
🔍 How to Verify
Check if Vulnerable:
Check TeamCity version in Administration > Global Settings. If version is below 2024.03 and 2FA is enabled, the system is vulnerable.
Check Version:
Check TeamCity web interface at Administration > Global Settings or run 'cat /opt/teamcity/version.txt' on Linux installations
Verify Fix Applied:
After upgrading to 2024.03 or later, attempt to access protected resources without completing 2FA to confirm the bypass no longer works.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns without 2FA completion
- Access to protected endpoints without proper 2FA flow
Network Indicators:
- HTTP requests containing suspicious URL parameters to authentication endpoints
- Rapid authentication attempts bypassing 2FA
SIEM Query:
source="teamcity.log" AND ("authentication" OR "login") AND NOT "2fa" AND "success"
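The single-line SIEM query above cannot tell whether a given successful login was later followed by a 2FA completion; that needs correlation across events. The following Python is an added, illustrative detection example (not from this page or from JetBrains): it pairs each successful login with a later 2FA verification for the same user and source IP and flags logins that never completed the second factor. The log line format is constructed for the example; real TeamCity log formats differ and would need their own regex.

```python
import re

# Constructed sample log lines (not real TeamCity output); the format is an
# assumption made for this example.
SAMPLE_LOG = """\
[2024-03-01 10:00:01] INFO - auth - Login attempt user=alice ip=10.0.0.5 result=success
[2024-03-01 10:00:03] INFO - auth - 2FA verified user=alice ip=10.0.0.5
[2024-03-01 10:05:10] INFO - auth - Login attempt user=bob ip=203.0.113.9 result=success
[2024-03-01 10:07:00] INFO - auth - Login attempt user=carol ip=10.0.0.7 result=failed
[2024-03-01 10:08:00] INFO - auth - Login attempt user=dave ip=10.0.0.9 result=success
[2024-03-01 10:09:00] INFO - auth - Login attempt user=dave ip=10.0.0.9 result=success
[2024-03-01 10:09:05] INFO - auth - 2FA verified user=dave ip=10.0.0.9
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \w+ - auth - (?P<msg>.+?) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)(?: result=(?P<result>\S+))?$"
)


def parse_auth_events(log_text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_logins_without_2fa(log_text):
    """Return (user, ip, ts) for every successful login that is not followed by a
    '2FA verified' event for the same user/ip before the next login or end of log."""
    pending = {}  # (user, ip) -> timestamp of a successful login awaiting 2FA
    flagged = []
    for ev in parse_auth_events(log_text):
        key = (ev["user"], ev["ip"])
        if ev["msg"].startswith("Login attempt"):
            if key in pending:  # previous login never completed 2FA
                flagged.append((key[0], key[1], pending.pop(key)))
            if ev["result"] == "success":
                pending[key] = ev["ts"]
        elif ev["msg"].startswith("2FA verified"):
            pending.pop(key, None)  # second factor completed; nothing to flag
    # Anything still pending at end of log never completed 2FA either.
    flagged.extend((u, ip, ts) for (u, ip), ts in pending.items())
    return flagged


if __name__ == "__main__":
    for user, ip, ts in find_logins_without_2fa(SAMPLE_LOG):
        print(f"ALERT: login without 2FA completion user={user} ip={ip} at {ts}")
```

In the sample, alice completes 2FA and carol's login fails, so only bob's login and dave's first login are reported.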