CVE-2024-36372
📋 TL;DR
This vulnerability allows reflected cross-site scripting (XSS) attacks on the subscriptions page of JetBrains TeamCity. Attackers can inject malicious scripts that execute in users' browsers when they visit a specially crafted URL. This affects all TeamCity administrators and users who access the subscriptions page.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity by JetBrains
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to full system compromise if combined with other vulnerabilities.
Likely Case
Session hijacking of TeamCity administrators, allowing unauthorized access to the CI/CD system and potential manipulation of build processes.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, though some user interaction would still be required.
🎯 Exploit Status
Exploitation requires user interaction (clicking a malicious link) and typically targets authenticated users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2023.05.6 and later
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Backup your TeamCity installation and database.
2. Download TeamCity 2023.05.6 or later from the JetBrains website.
3. Stop the TeamCity server.
4. Install the updated version following JetBrains upgrade documentation.
5. Restart the TeamCity server.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Configure WAF rules to block XSS payloads targeting the subscriptions page.
Input Validation Filter
Implement custom input validation for subscription-related parameters.
🧯 If You Can't Patch
- Restrict access to the TeamCity web interface using network segmentation and firewall rules.
- Implement Content Security Policy (CSP) headers to mitigate XSS impact.
🔍 How to Verify
Check if Vulnerable:
Check TeamCity version in Administration → Server Administration → Global Settings. If version is below 2023.05.6, the system is vulnerable.
Check Version:
Check the TeamCity web interface at Administration → Server Administration → Global Settings.
Verify Fix Applied:
After upgrading, verify the version shows 2023.05.6 or higher in the same location.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /app/subscriptions with script tags or JavaScript payloads in parameters
- Multiple failed authentication attempts followed by subscription page access
Network Indicators:
- HTTP requests containing <script> tags or JavaScript in URL parameters to subscriptions endpoint
SIEM Query:
source="teamcity.log" AND (url="*subscriptions*" AND (param="*<script>*" OR param="*javascript:*"))
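The log indicators above can be checked offline with a small scanner like the following. This is an added example, not part of the advisory or of TeamCity: the access-log layout, the parameter names and the sample lines are constructed, so adapt the line regex to your real log format.

```python
"""Flag requests to the TeamCity subscriptions page whose query parameters
carry the markers named in the advisory (<script> tags or javascript: URIs).
Added example; log layout and parameter names are constructed, not TeamCity's."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in a hypothetical "METHOD PATH?QUERY STATUS" layout.
SAMPLE_LOG = """\
GET /app/subscriptions?filter=nightly 200
GET /app/subscriptions?filter=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
GET /app/subscriptions?redirect=javascript%3Avoid(0) 200
GET /app/subscriptions?filter=%253Cscript%253E 200
GET /admin/admin.html?item=projects 200
GET /app/subscriptions?filter=%3CscRIPT%3E 200
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
XSS_MARKERS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)

def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so a double-encoded %253C is seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(url: str) -> bool:
    """True when the request targets a subscriptions path and any decoded
    parameter value contains a <script tag or a javascript: scheme."""
    parts = urlsplit(url)
    if "subscriptions" not in parts.path.lower():
        return False
    for _, raw in parse_qsl(parts.query, keep_blank_values=True):
        if XSS_MARKERS.search(decode_fully(raw)):
            return True
    return False

def scan_log(text: str) -> list[str]:
    """Return the URL of every suspicious request found in the log text."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and is_suspicious(m.group("url")):
            hits.append(m.group("url"))
    return hits

if __name__ == "__main__":
    for url in scan_log(SAMPLE_LOG):
        print("ALERT", url)
```

Matching on decoded parameter values, rather than on the raw URL as in the SIEM query, also catches percent-encoded and double-encoded variants of the same markers.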