CVE-2024-43810
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into web pages viewed by TeamCity users through the AWS Core plugin. When exploited, it enables cross-site scripting attacks that can steal session cookies, redirect users, or perform actions on their behalf. All TeamCity instances running affected versions with the AWS Core plugin are vulnerable.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity by JetBrains
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full control of the TeamCity instance, compromise build pipelines, and potentially access source code and credentials stored in the CI/CD system.
Likely Case
Attackers steal user session cookies to gain unauthorized access to TeamCity, potentially modifying build configurations or accessing sensitive build artifacts.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before reaching users, preventing successful exploitation.
🎯 Exploit Status
Reflected XSS typically requires user interaction (clicking a malicious link) but can be combined with social engineering. The vulnerability is in a specific plugin component.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.07.1
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Backup your TeamCity instance and database
2. Download TeamCity 2024.07.1 or later from the JetBrains website
3. Stop the TeamCity service
4. Install the new version following JetBrains upgrade documentation
5. Restart the TeamCity service
6. Verify the AWS Core plugin is updated to the patched version
🔧 Temporary Workarounds
Disable AWS Core Plugin
Temporarily disable the vulnerable plugin if AWS functionality is not required
Navigate to Administration > Plugins > Installed
Find 'AWS Core' plugin and click Disable
Implement WAF Rules
Add web application firewall rules to block XSS payloads targeting the vulnerable endpoints
Add WAF rule: Detect and block requests containing script tags or common XSS payloads to TeamCity AWS plugin endpoints
🧯 If You Can't Patch
- Implement strict Content Security Policy headers to prevent script execution from untrusted sources
- Use browser security extensions or configurations that block reflected XSS attacks
🔍 How to Verify
Check if Vulnerable:
Check TeamCity version in Administration > Server Administration > Server Health. If version is below 2024.07.1 and AWS Core plugin is enabled, the system is vulnerable.
Check Version:
Check TeamCity web interface at Administration > Server Administration > Server Health, or examine teamcity-server.log for version information
Verify Fix Applied:
After upgrading, verify version shows 2024.07.1 or higher in Administration > Server Administration > Server Health, and test that XSS payloads no longer execute in AWS plugin interfaces.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to AWS plugin endpoints containing script tags or JavaScript code
- Multiple failed authentication attempts followed by requests to AWS plugin URLs
Network Indicators:
- HTTP requests containing XSS payloads (e.g., <script>, javascript:, onerror=) to TeamCity AWS plugin endpoints
- Unusual outbound connections from TeamCity server after user visits specific AWS plugin URLs
SIEM Query:
source="teamcity.log" AND ("AWS" OR "plugin") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
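The SIEM query above matches literal strings, so it misses payloads that arrive percent-encoded or double-encoded in the request URL. The following is an added example, not part of the original advisory or of JetBrains tooling: it decodes each request target before applying the same markers and the same "AWS"/"plugin" scoping. It assumes a combined-format access log; the sample lines and their paths are constructed placeholders, not real TeamCity endpoints.

```python
import re
from urllib.parse import unquote_plus

# Markers taken from the SIEM query above; matched case-insensitively after decoding.
XSS_MARKERS = re.compile(r"<script|javascript:|onerror\s*=|onload\s*=", re.IGNORECASE)
# Same scoping keywords as the SIEM query ("AWS" OR "plugin").
SCOPE = re.compile(r"aws|plugin", re.IGNORECASE)
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are seen in clear."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (line_number, decoded_target) for in-scope requests with XSS markers."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a parseable request line
        target = fully_decode(match.group(1))
        if SCOPE.search(target) and XSS_MARKERS.search(target):
            hits.append((number, target))
    return hits

# Constructed sample lines; the paths are placeholders, not real TeamCity endpoints.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2024:10:00:01 +0000] "GET /plugins/aws-example/page.html?region=eu-west-1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Aug/2024:10:00:07 +0000] "GET /plugins/aws-example/page.html?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 498',
    '10.0.0.9 - - [01/Aug/2024:10:00:09 +0000] "GET /plugins/aws-example/page.html?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 498',
    '10.0.0.7 - - [01/Aug/2024:10:00:12 +0000] "GET /overview.html?q=%3Cscript%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, target in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

Lines 2 and 3 of the sample are flagged; line 4 carries a marker but falls outside the "AWS"/"plugin" scope, and none of the three would match the literal-string query as written.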