CVE-2024-47161
📋 TL;DR
This vulnerability in JetBrains TeamCity allows passwords to be exposed through the Sonar runner REST API. Attackers could potentially retrieve sensitive credentials from improperly configured systems. Organizations running vulnerable TeamCity instances with Sonar runner integration are affected.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity, a CI/CD build server by JetBrains
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain administrative credentials leading to complete system compromise, data exfiltration, or lateral movement within the network.
Likely Case
Unauthorized users access sensitive passwords, potentially compromising CI/CD pipelines, source code repositories, or other integrated systems.
If Mitigated
With proper network segmentation and access controls, impact is limited to credential exposure within the TeamCity environment.
🎯 Exploit Status
Exploitation requires access to the Sonar runner REST API endpoint
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.07.3
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Back up TeamCity configuration and data.
2. Download TeamCity 2024.07.3 from the JetBrains website.
3. Stop the TeamCity service.
4. Install the update following the JetBrains upgrade guide.
5. Restart the TeamCity service.
🔧 Temporary Workarounds
Disable Sonar runner REST API
Temporarily disable or restrict access to the Sonar runner REST API endpoint:
- Configure firewall rules to block access to /app/rest/sonar/* endpoints
- Modify TeamCity configuration to disable the Sonar runner API
Network segmentation
Restrict network access to the TeamCity Sonar runner endpoints (Linux, iptables; replace the bracketed placeholders with your values):
iptables -A INPUT -p tcp --dport [TeamCity_port] -s [allowed_ips] -j ACCEPT
iptables -A INPUT -p tcp --dport [TeamCity_port] -j DROP
Rules are evaluated in order, so the ACCEPT rule must be inserted before the DROP rule, and neither takes effect if an earlier rule in the INPUT chain already matches the traffic.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach TeamCity Sonar runner endpoints
- Monitor and audit all access to Sonar runner API endpoints for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check TeamCity version via Administration → Server Administration → Server Health → Version Information
Check Version:
curl -s -H "Accept: application/json" http://teamcity-server:port/app/rest/server | grep -o '"version":"[^"]*"'
Verify Fix Applied:
Confirm version is 2024.07.3 or later and test Sonar runner API endpoints for password exposure
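The following is an added example (not part of the advisory, and not JetBrains code) that automates the version check above: it queries /app/rest/server with an Accept: application/json header, parses the reported version string and compares it with the fixed release 2024.07.3. The assumption that the JSON body carries a "version" field of the form year.month.patch, the optional HTTP basic-auth handling, and the sample response are mine; the sample response is constructed, not captured from a real server.

```python
"""Added example: compare a TeamCity server's reported version with 2024.07.3.

Assumptions (not from the advisory): GET /app/rest/server with
Accept: application/json returns a JSON object whose "version" field starts
with year.month.patch, e.g. "2024.07.3 (build ...)".
"""
import base64
import json
import re
import urllib.request

# First release the advisory names as fixed.
FIXED_VERSION = (2024, 7, 3)

# Matches the leading year.month[.patch] part of the version string.
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d{1,2})(?:\.(\d+))?")


def parse_version(version_str):
    """Turn '2024.07.2 (build ...)' into (2024, 7, 2).

    A missing patch component (e.g. '2024.07') is treated as patch 0, which
    is the first build of that release line.
    """
    m = _VERSION_RE.match(version_str)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {version_str!r}")
    year, month, patch = m.groups()
    return (int(year), int(month), int(patch or 0))


def is_vulnerable(version_str):
    """True when the reported version is older than the fixed release."""
    return parse_version(version_str) < FIXED_VERSION


def version_from_server_json(body):
    """Extract the version field from the REST response body (JSON text)."""
    return json.loads(body)["version"]


def fetch_version(base_url, username=None, password=None, timeout=10):
    """Query <base_url>/app/rest/server and return the version string.

    Sends HTTP basic auth when credentials are given (assumed: the endpoint
    may not be readable by anonymous users on every installation).
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/app/rest/server",
        headers={"Accept": "application/json"},
    )
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return version_from_server_json(resp.read().decode())


# Constructed sample response for an offline demonstration; the build number
# is a placeholder, not a real TeamCity build.
SAMPLE_RESPONSE = '{"version": "2024.07.2 (build 00000)"}'

if __name__ == "__main__":
    reported = version_from_server_json(SAMPLE_RESPONSE)
    state = "vulnerable (older than 2024.07.3)" if is_vulnerable(reported) else "fixed"
    print(f"reported version {reported!r}: {state}")
```

Run it against a live server with `fetch_version("http://teamcity-server:port", "user", "password")` in place of the constructed sample; the comparison deliberately uses numeric tuples rather than string comparison so that, for example, 2024.12.1 is correctly treated as newer than 2024.07.3.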
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to /app/rest/sonar/* endpoints
- Failed authentication attempts followed by Sonar runner API access
Network Indicators:
- Unexpected external requests to Sonar runner REST API endpoints
- Traffic patterns suggesting credential harvesting
SIEM Query:
source="teamcity.log" AND (uri="/app/rest/sonar/*" OR message="Sonar runner") AND (status=200 OR status=401)
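For teams without a SIEM, the following added example (not part of the advisory, and not JetBrains code) implements the log and network indicators listed above as a small offline scan: it flags every request to /app/rest/sonar/* endpoints, pairs a failed authentication (HTTP 401) with a subsequent successful Sonar runner API request from the same client within a time window, and reports Sonar runner requests from addresses outside an allowed set of networks. The log line format (timestamp, client IP, method, URI, status) is an assumption of mine, not TeamCity's real log layout, and the sample lines, including the sub-path under /app/rest/sonar/, are constructed.

```python
"""Added example: scan access-style log lines for the CVE-2024-47161
indicators named in the advisory.

Assumed line format (not TeamCity's real layout):
    <timestamp> <client-ip> <method> <uri> <status>
"""
import ipaddress
from datetime import datetime, timedelta

# Endpoint prefix the advisory tells defenders to watch.
SONAR_PREFIX = "/app/rest/sonar/"

# Constructed sample log; addresses use documentation ranges and the resource
# name under /app/rest/sonar/ is a placeholder.
SAMPLE_LOG = """\
2024-10-01T10:00:01Z 10.0.0.5 GET /app/rest/server 200
2024-10-01T10:00:05Z 203.0.113.7 GET /app/rest/sonar/sample-resource 401
2024-10-01T10:00:06Z 203.0.113.7 GET /app/rest/sonar/sample-resource 401
2024-10-01T10:00:09Z 203.0.113.7 GET /app/rest/sonar/sample-resource 200
2024-10-01T10:01:00Z 10.0.0.8 GET /app/rest/sonar/sample-resource 200
"""


def parse_line(line):
    """Split one log line into a record with a parsed timestamp."""
    ts, ip, method, uri, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "method": method,
        "uri": uri,
        "status": int(status),
    }


def parse_log(text):
    """Parse all non-empty lines of a log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def sonar_requests(records):
    """Log indicator 1: every request that touches /app/rest/sonar/*."""
    return [r for r in records if r["uri"].startswith(SONAR_PREFIX)]


def failed_auth_then_sonar_access(records, window=timedelta(minutes=5)):
    """Log indicator 2: a 401 followed, within `window`, by a successful
    Sonar runner API request from the same client. Returns
    (ip, time of last 401, time of the successful request) tuples."""
    last_401 = {}
    alerts = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["status"] == 401:
            last_401[r["ip"]] = r["ts"]
        elif r["status"] == 200 and r["uri"].startswith(SONAR_PREFIX):
            failed_at = last_401.get(r["ip"])
            if failed_at is not None and r["ts"] - failed_at <= window:
                alerts.append((r["ip"], failed_at, r["ts"]))
                del last_401[r["ip"]]  # report each 401 burst once
    return alerts


def external_sonar_requests(records, allowed_networks):
    """Network indicator: Sonar runner requests from outside the networks
    that are expected to reach TeamCity (CIDR strings)."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for r in sonar_requests(records):
        addr = ipaddress.ip_address(r["ip"])
        if not any(addr in net for net in nets):
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(sonar_requests(recs))} request(s) to {SONAR_PREFIX}*")
    for ip, failed_at, ok_at in failed_auth_then_sonar_access(recs):
        print(f"ALERT {ip}: 401 at {failed_at:%H:%M:%S} then Sonar API 200 at {ok_at:%H:%M:%S}")
    for r in external_sonar_requests(recs, ["10.0.0.0/8"]):
        print(f"EXTERNAL {r['ip']} {r['method']} {r['uri']} {r['status']}")
```

The allowed-network list should mirror the firewall allow-list used in the workaround above, so that a request that reaches the Sonar runner endpoints from anywhere else is surfaced even if it was served successfully.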