CVE-2024-43807
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into the Clouds page of JetBrains TeamCity, which are then executed when other users view that page. It affects all TeamCity instances running versions before 2024.07.1. The stored XSS could lead to session hijacking, data theft, or unauthorized actions.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity by JetBrains
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over TeamCity instances, compromise build pipelines, and potentially access source code repositories and deployment credentials.
Likely Case
Attackers with access to the Clouds page could inject scripts to steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Stored XSS vulnerabilities are relatively easy to exploit once an attacker gains access to the vulnerable interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.07.1
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Back up your TeamCity instance.
2. Download TeamCity 2024.07.1 or later from the JetBrains website.
3. Follow the TeamCity upgrade documentation for your installation type.
4. Restart the TeamCity service after the upgrade.
🔧 Temporary Workarounds
Restrict access to Clouds page
- Limit access to the vulnerable Clouds page to only essential administrators
- Configure TeamCity role-based access control to restrict the 'Manage Clouds' permission
Implement WAF rules
- Add web application firewall rules to block XSS payloads
- Add WAF rules to detect and block script tags, javascript: URIs, and common XSS patterns
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
- Enable audit logging for all access to the Clouds page and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check TeamCity version in Administration → Server Administration → Server Health → Version
Check Version:
Check the TeamCity web interface or server logs for version information
Verify Fix Applied:
Verify that the version is 2024.07.1 or later and confirm that test XSS payloads on the Clouds page no longer execute
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Clouds page endpoints
- Suspicious parameter values containing script tags or javascript code
Network Indicators:
- HTTP requests with XSS payload patterns in parameters
- Unexpected outbound connections from TeamCity server
SIEM Query:
source="teamcity" AND (uri_path="/app/rest/clouds" OR uri_path="/admin/admin.html?item=clouds") AND (param_value CONTAINS "<script>" OR param_value CONTAINS "javascript:")
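As an added example (not part of this advisory or of TeamCity), the Python below applies the SIEM query's logic to constructed sample request lines: it keeps only `teamcity` events, selects the two Clouds endpoints named in the query, and flags parameters containing the query's two patterns. It goes slightly beyond the literal query by percent-decoding and lower-casing parameter values, so encoded or mixed-case variants of the same patterns are also caught. The log format (`source method url`) and all sample lines are assumptions made up for the example.

```python
from urllib.parse import urlsplit, parse_qsl

# Patterns from the SIEM query above; matched against decoded, lower-cased values.
XSS_PATTERNS = ("<script", "javascript:")

# Constructed sample log lines (not real TeamCity logs). Format: "source method url".
SAMPLE_LOG = """\
teamcity POST /app/rest/clouds?name=prod-cloud&description=eu-west
teamcity POST /app/rest/clouds?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E
teamcity POST /admin/admin.html?item=clouds&profile=JavaScript%3Aalert(1)
teamcity GET /admin/admin.html?item=projects&name=%3Cscript%3E
nginx POST /app/rest/clouds?name=%3Cscript%3E
"""


def is_clouds_request(path, params):
    """True for the two Clouds page endpoints named in the SIEM query."""
    if path == "/app/rest/clouds":
        return True
    return path == "/admin/admin.html" and params.get("item") == "clouds"


def suspicious_params(url):
    """Return {param: decoded value} for parameters of a Clouds page request
    whose value contains an XSS pattern; empty dict for anything else."""
    parts = urlsplit(url)
    # parse_qsl percent-decodes values, so %3Cscript%3E becomes <script>.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if not is_clouds_request(parts.path, params):
        return {}
    hits = {}
    for name, value in params.items():
        if any(p in value.lower() for p in XSS_PATTERNS):
            hits[name] = value
    return hits


def scan_log(text):
    """Return (line number, method, flagged parameter names) for each
    teamcity-sourced request that matches the detection logic."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        source, method, url = line.split(" ", 2)
        if source != "teamcity":
            continue  # the query restricts to source="teamcity"
        hits = suspicious_params(url)
        if hits:
            alerts.append((lineno, method, sorted(hits)))
    return alerts


if __name__ == "__main__":
    for lineno, method, names in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {method} request with XSS pattern in {names}")
```

Lines 4 and 5 of the sample are deliberately not flagged: one targets a non-Clouds admin item, the other is not a TeamCity event.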