CVE-2024-36374
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in JetBrains TeamCity allows attackers to inject malicious scripts into build step settings. When other users view these settings, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All TeamCity administrators and users who configure or view build steps are affected.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity by JetBrains, a continuous integration and delivery (CI/CD) server.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full control of the TeamCity instance, compromise build pipelines, and potentially access source code repositories and deployment credentials.
Likely Case
Attackers with access to create or modify build steps could inject scripts that steal user session tokens when viewed by administrators, leading to account takeover and unauthorized build modifications.
If Mitigated
With proper input validation and output encoding, injected markup is rendered as inert text rather than executed in the browser, preventing successful exploitation.
🎯 Exploit Status
Exploitation requires authenticated access to TeamCity with permissions to modify build steps. The attack involves injecting JavaScript into build step settings that executes when viewed by other users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.03.2
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Back up your TeamCity instance and database.
2. Download TeamCity 2024.03.2 or later from the JetBrains website.
3. Stop the TeamCity server.
4. Install the new version following the JetBrains upgrade documentation.
5. Start the TeamCity server and verify functionality.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side validation and HTML encoding for all user inputs in build step settings.
Content Security Policy
Implement strict Content Security Policy headers to prevent script execution from untrusted sources.
Add CSP header: Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';
Note that 'unsafe-inline' and 'unsafe-eval' permit exactly the inline script execution a stored XSS payload relies on, so a policy that keeps them does not stop this vulnerability; drop them, or replace them with nonce- or hash-based allowances, where the application's own pages still work without them.
🧯 If You Can't Patch
- Restrict build step modification permissions to trusted administrators only
- Implement web application firewall (WAF) rules to detect and block XSS payloads in HTTP requests
🔍 How to Verify
Check if Vulnerable:
Check TeamCity version via Administration → Server Administration → Server Health → Version Information. If version is below 2024.03.2, the system is vulnerable.
Check Version:
On TeamCity server: cat /opt/teamcity/version.txt or check via web interface at /admin/admin.html?item=diagnostics
Verify Fix Applied:
After upgrading, verify the version shows 2024.03.2 or higher in the same location. Test by entering script tags in a build step setting and viewing it; they should be rendered as plain text rather than executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to build step configurations
- Multiple failed login attempts followed by build step changes
- JavaScript or script tags in build step parameter values
Network Indicators:
- HTTP requests containing script tags or JavaScript in POST parameters to build configuration endpoints
- Unusual outbound connections from TeamCity server after build step views
SIEM Query:
source="teamcity" AND ("buildStep" OR "build configuration") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
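The SIEM query above matches literal strings, so it misses case variants such as <SCRIPT> and handler attributes with spacing around the equals sign. The following is an added example, not part of the original advisory or of TeamCity, that applies case-insensitive indicator patterns to constructed build-step audit lines (the log format and values are made up for illustration) and shows the output-encoding mitigation for setting values:

```python
import html
import re

# XSS indicators from the advisory, matched case-insensitively with tolerant spacing.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),                          # <script ...>
    re.compile(r"javascript\s*:", re.IGNORECASE),                        # javascript: URLs
    re.compile(r"\bon(error|load|mouseover|focus)\s*=", re.IGNORECASE),  # event handlers
    re.compile(r"<\s*(img|svg|iframe)\b", re.IGNORECASE),                # tags that carry handlers
]

# Constructed audit entries in a hypothetical key=value format (not real TeamCity log output).
CONSTRUCTED_LOG = """\
2024-06-10 09:12:01 user=alice action=buildStep.update config=WebApp_Build param=script.content value=mvn clean install
2024-06-10 09:14:33 user=bob action=buildStep.update config=WebApp_Build param=step.name value=<img src=x onerror = alert(1)>
2024-06-10 09:15:02 user=carol action=buildStep.update config=Api_Deploy param=working.dir value=<SCRIPT>alert(1)</SCRIPT>
2024-06-10 09:16:45 user=dave action=buildStep.update config=Api_Deploy param=step.name value=Run unit tests
"""

LINE_RE = re.compile(r"user=(\S+) action=buildStep\.\w+ config=(\S+) param=(\S+) value=(.*)$")


def find_suspicious(log_text):
    """Return (user, config, param, value) for each build-step change whose value matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a build-step change; skip
        user, config, param, value = m.groups()
        if any(p.search(value) for p in XSS_PATTERNS):
            hits.append((user, config, param, value))
    return hits


def safe_for_display(value):
    """Output-encode a setting value before placing it in HTML, so stored markup renders as text."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for user, config, param, value in find_suspicious(CONSTRUCTED_LOG):
        print(f"ALERT user={user} config={config} param={param} encoded={safe_for_display(value)}")
```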