CVE-2024-36362
📋 TL;DR
This CVE describes a path traversal vulnerability in JetBrains TeamCity that allows attackers to read arbitrary files from the server filesystem. It affects TeamCity versions earlier than the patched releases listed under Fix & Mitigation below. Attackers could potentially access sensitive configuration files, credentials, or other server data.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity by JetBrains
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive server files including configuration files, credentials, SSH keys, database passwords, and other critical system data, potentially leading to complete system compromise.
Likely Case
Attackers would read configuration files and potentially obtain credentials that could be used for further attacks or data exfiltration.
If Mitigated
With proper network segmentation and access controls, impact would be limited to reading non-sensitive files within the TeamCity application directory.
🎯 Exploit Status
Path traversal vulnerabilities typically have low exploitation complexity, but specific exploit details are not publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, or 2024.03.2 depending on your current version
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Identify your current TeamCity version.
2. Download the appropriate patched version from JetBrains.
3. Back up your TeamCity installation and database.
4. Stop the TeamCity service.
5. Install the patched version.
6. Restart the TeamCity service.
7. Verify the update was successful.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to TeamCity instances to only trusted IP addresses and networks.
Use firewall rules to limit access. The ACCEPT rule must be added before the DROP rule, because iptables -A appends rules in order and the first matching rule wins; replace trusted_network with your trusted CIDR range:
iptables -A INPUT -p tcp --dport 8111 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 8111 -j DROP
Application Firewall Rules
Implement web application firewall rules to block path traversal patterns.
Configure WAF to block requests containing '../', '..\', or similar path traversal patterns
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit TeamCity access to only necessary users
- Enable detailed logging and monitoring for file access patterns and implement alerting for suspicious activities
🔍 How to Verify
Check if Vulnerable:
Compare the TeamCity version shown under Administration → Server Administration → Server Health → Version Information against the patched releases listed above; any earlier version on the same branch is vulnerable.
Check Version:
Check TeamCity web interface at Administration → Server Administration → Server Health → Version Information
Verify Fix Applied:
Verify the installed version is at or above the patched release for your branch:
- 2022.04 branch: 2022.04.7 or higher
- 2022.10 branch: 2022.10.6 or higher
- 2023.05 branch: 2023.05.6 or higher
- 2023.11 branch: 2023.11.5 or higher
- 2024.03 branch: 2024.03.2 or higher
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in TeamCity logs
- Requests containing '../' or similar path traversal patterns
- Access to files outside expected TeamCity directories
Network Indicators:
- Unusual HTTP requests to TeamCity endpoints with path traversal patterns
- Multiple failed attempts to access files
SIEM Query:
source="teamcity.log" AND ("../" OR "..\\" OR "%2e%2e%2f" OR "%2e%2e%5c")
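As an added example that is not part of this advisory: a small Python scanner that applies the log indicators above to constructed access-log lines. It generalises the SIEM query by percent-decoding each request target repeatedly, so double-encoded ".." segments are flagged alongside the literal and single-encoded forms listed, while names that merely contain ".." (such as foo..bar) are not. The log format, client addresses and paths are constructed assumptions, not TeamCity's own log layout.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style; IPs and paths are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2024:10:01:02 +0000] "GET /app/rest/builds HTTP/1.1" 200 512
10.0.0.9 - - [12/Jun/2024:10:01:07 +0000] "GET /res/../../../../example.conf HTTP/1.1" 200 1300
10.0.0.9 - - [12/Jun/2024:10:01:09 +0000] "GET /res/%2e%2e%2f%2e%2e%2fexample.conf HTTP/1.1" 200 800
10.0.0.9 - - [12/Jun/2024:10:01:11 +0000] "GET /res/%252e%252e%252f%252e%252e%252fexample.conf HTTP/1.1" 404 0
10.0.0.7 - - [12/Jun/2024:10:01:15 +0000] "GET /static/..%5c..%5cexample.ini HTTP/1.1" 404 0
10.0.0.3 - - [12/Jun/2024:10:01:20 +0000] "GET /app/rest/projects?locator=name:foo..bar HTTP/1.1" 200 90
"""

# Groups: client ip, timestamp, method, request target, status code.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def fully_decode(target, max_rounds=3):
    """Percent-decode until the string stops changing, so %252e (double-encoded '.')
    ends up as '.' instead of slipping past a literal '../' match."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_traversal(target):
    """True when any segment of the decoded target is exactly '..', treating
    '/' and '\\' alike; 'foo..bar' is not a traversal and is left alone."""
    segments = re.split(r"[\\/]+", fully_decode(target))
    return ".." in segments


def scan_log(text):
    """Return (client_ip, status, raw_target) for each request flagged as traversal."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, status = m.groups()
        if is_traversal(target):
            hits.append((ip, int(status), target))
    return hits


if __name__ == "__main__":
    for ip, status, target in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} target={target}")
```

A 404 on a flagged request still deserves a look: repeated misses from one client are the "multiple failed attempts" indicator above.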