CVE-2024-35301
📋 TL;DR
This vulnerability in JetBrains TeamCity allows GitHub App tokens to be used beyond their intended project scope, potentially enabling unauthorized access to repositories. It affects TeamCity instances with GitHub integration configured. The issue is an improper authorization flaw where scope validation was insufficient.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
Teamcity by Jetbrains
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access private repositories, modify code, steal intellectual property, or inject malicious code into CI/CD pipelines.
Likely Case
Unauthorized repository access leading to information disclosure or limited code manipulation.
If Mitigated
Minimal impact with proper network segmentation and repository access controls.
🎯 Exploit Status
Requires existing GitHub App token access and knowledge of target project structure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.03.1
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Backup TeamCity configuration and database. 2. Download TeamCity 2024.03.1 from JetBrains website. 3. Stop TeamCity service. 4. Install/upgrade to 2024.03.1. 5. Restart TeamCity service. 6. Verify functionality.
🔧 Temporary Workarounds
Disable GitHub App Integration
allTemporarily disable GitHub App integration until patching is possible
Navigate to TeamCity Administration > Integrations > GitHub, disable GitHub App integration
Restrict GitHub Token Permissions
allReduce GitHub App token permissions to minimum required scope
Review and modify GitHub App permissions in GitHub organization settings
🧯 If You Can't Patch
- Implement strict network segmentation to isolate TeamCity from production repositories
- Enable detailed audit logging for all GitHub API calls and repository access
🔍 How to Verify
Check if Vulnerable:
Check TeamCity version in Administration > Server Administration > Server Health. If version is below 2024.03.1 and GitHub App integration is enabled, system is vulnerable.Check Version:
Check TeamCity web interface at Administration > Server Administration > Server Health or examine teamcity-server.log for version informationVerify Fix Applied:
Verify TeamCity version is 2024.03.1 or higher in Administration > Server Administration > Server Health, then test GitHub App functionality.📡 Detection & Monitoring
Log Indicators:
- Unusual GitHub API calls from TeamCity IPs
- Repository access outside expected project scope
- Failed authorization attempts for cross-project operations
Network Indicators:
- Unexpected GitHub API traffic patterns
- Repository access to unauthorized projects
SIEM Query:
source="teamcity" AND ("github" OR "repository" OR "scope") AND ("unauthorized" OR "failed" OR "error")