CVE-2024-36368
📋 TL;DR
This vulnerability allows reflected cross-site scripting (XSS) via the OAuth provider configuration in JetBrains TeamCity. An attacker can craft a link to an OAuth configuration page that carries a script payload; when a user opens that link, the script executes in the user's browser in the context of the TeamCity session. Organizations running vulnerable TeamCity versions are affected.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity, a continuous integration and build server by JetBrains.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to full TeamCity compromise.
Likely Case
Attackers could steal user session tokens or credentials through crafted OAuth configuration links, leading to unauthorized access to TeamCity.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized, preventing successful exploitation.
🎯 Exploit Status
Exploitation requires tricking authenticated users into clicking malicious links targeting OAuth configuration endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 or later
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Back up the TeamCity configuration and data.
2. Download the patched version from the JetBrains website.
3. Stop the TeamCity service.
4. Install the update following the vendor instructions.
5. Restart the TeamCity service.
6. Verify the version and functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement web application firewall or reverse proxy rules that filter script patterns (for example "<script" and "javascript:", including their URL-encoded forms) in requests to OAuth configuration endpoints.
🧯 If You Can't Patch
- Restrict access to TeamCity administration interface to trusted networks only.
- Implement Content Security Policy (CSP) headers to mitigate XSS impact.
🔍 How to Verify
Check if Vulnerable:
Check TeamCity version in Administration → Server Administration → Global Settings. Compare against affected versions.
Check Version:
Check TeamCity web interface or server logs for version information.
Verify Fix Applied:
Verify version is 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 or later. Test OAuth configuration functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual OAuth configuration requests with script tags or JavaScript payloads
- Multiple failed authentication attempts following OAuth configuration access
Network Indicators:
- HTTP requests to OAuth configuration endpoints containing script patterns
- Outbound connections to unexpected domains following TeamCity access
SIEM Query:
source="teamcity" AND (uri_path="/oauth*" OR uri_path="/admin*oauth*") AND (http_user_agent CONTAINS "script" OR http_query CONTAINS "<script" OR http_query CONTAINS "javascript:")
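The SIEM query above, implemented as a small offline log scanner (an added example, not code from JetBrains or from the original advisory). It parses constructed combined-format access log lines, percent-decodes the query string repeatedly so that double-encoded markers are not missed, and flags only requests whose path matches the OAuth configuration patterns from the query. The endpoint paths, IPs and usernames in the sample are constructed placeholders, not real TeamCity URLs.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Path patterns taken from the SIEM query: /oauth* and /admin*oauth*.
OAUTH_PATH = re.compile(r"^/(?:oauth|admin[^?]*oauth)", re.IGNORECASE)
# Inline-script markers taken from the SIEM query.
SCRIPT_MARKERS = re.compile(r"<script|javascript:", re.IGNORECASE)
# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (placeholder paths, not real TeamCity endpoints).
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Jun/2024:10:01:02 +0000] "GET /oauth/config?name=github HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - bob [12/Jun/2024:10:02:15 +0000] "GET /admin/oauth/config?name=%3Cscript%3E HTTP/1.1" 200 611 "-" "Mozilla/5.0"
10.0.0.9 - bob [12/Jun/2024:10:02:40 +0000] "GET /oauth/config?redirect=javascript%3Avoid(0) HTTP/1.1" 200 409 "-" "Mozilla/5.0"
10.0.0.7 - carol [12/Jun/2024:10:03:01 +0000] "GET /project.html?projectId=%3Cscript%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.11 - dave [12/Jun/2024:10:04:22 +0000] "GET /oauth/config?name=%253Cscript%253E HTTP/1.1" 200 415 "-" "Mozilla/5.0"
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded markers are caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(target: str, user_agent: str) -> bool:
    """True when the request targets an OAuth config path and carries a script marker."""
    parts = urlsplit(target)
    if not OAUTH_PATH.search(parts.path):
        return False  # path filter first: script markers elsewhere are out of scope here
    query = fully_decode(parts.query)
    # The query matches a bare "script" substring in the User-Agent, mirrored as-is.
    return bool(SCRIPT_MARKERS.search(query)) or "script" in user_agent.lower()


def scan_log(text: str) -> list:
    """Return one dict per flagged line: source IP, user and raw request target."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m["target"], m["ua"]):
            hits.append({"ip": m["ip"], "user": m["user"], "target": m["target"]})
    return hits
```

Running scan_log over the sample flags bob's two requests and dave's double-encoded one, while carol's request to a non-OAuth path is left alone; the `OAUTH_PATH` pattern should be adjusted to the actual paths seen in your deployment's logs.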