CVE-2024-56351
📋 TL;DR
This vulnerability in JetBrains TeamCity allows access tokens to remain valid after user roles are removed, potentially enabling unauthorized access. It affects TeamCity instances before version 2024.12. Organizations using vulnerable TeamCity versions for CI/CD pipelines are at risk.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
JetBrains TeamCity, a CI/CD server (continuous integration and deployment).
⚠️ Risk & Real-World Impact
Worst Case
An attacker with a previously issued access token could maintain persistent access to TeamCity resources even after their permissions are revoked, potentially leading to unauthorized code deployment, pipeline manipulation, or data exfiltration.
Likely Case
Former employees or contractors retain access to TeamCity systems after role removal, allowing them to view sensitive build configurations, access source code, or disrupt CI/CD processes.
If Mitigated
With proper monitoring and access controls, impact is limited to temporary unauthorized access until tokens expire or are manually revoked.
🎯 Exploit Status
Exploitation requires a valid access token that should have been revoked. Attackers with stolen or previously obtained tokens can maintain access indefinitely until manual intervention.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.12
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Back up the TeamCity configuration and database.
2. Download TeamCity 2024.12 from the JetBrains website.
3. Stop the TeamCity service.
4. Install the update following the JetBrains upgrade guide.
5. Restart the TeamCity service.
6. Verify that all services are running correctly.
🔧 Temporary Workarounds
Manual Token Revocation
Manually revoke all existing access tokens for users whose roles have changed.
Navigate to Administration > Users > Select user > Access Tokens > Revoke All
Reduce Token Lifetime
Configure shorter token expiration times to limit the exposure window.
Set teamcity.users.tokens.expiration.time to a lower value in teamcity-server-log4j.xml
🧯 If You Can't Patch
- Implement strict monitoring of access token usage and audit logs for anomalous activity
- Establish a mandatory token rotation policy requiring all tokens to be reissued periodically
🔍 How to Verify
Check if Vulnerable:
Check the TeamCity version in Administration > Server Administration > Server Health. If the version is below 2024.12, the system is vulnerable.
Check Version:
Check TeamCity web interface or server logs for version information
Verify Fix Applied:
After upgrading to 2024.12, test by creating a user token, removing user roles, and verifying token no longer provides access.
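The version comparison above, written out as an added example (not part of the advisory and not JetBrains code). It parses TeamCity version strings of the form "2024.07.3 (build 174331)", compares the year.release pair against 2024.12, and can read the version attribute out of the XML returned by the REST endpoint /app/rest/server; the endpoint path, the `version` attribute name and the sample response are assumptions, and the live check needs a token with permission to read server information.

```python
# Added example (not from the advisory or JetBrains): decide whether a
# TeamCity server version predates the 2024.12 fix for CVE-2024-56351.
import re
import xml.etree.ElementTree as ET
from urllib.request import Request, urlopen

FIXED_IN = (2024, 12)  # first release containing the fix, per the advisory


def parse_teamcity_version(text):
    """Return (year, release) from a TeamCity version string such as
    '2024.07.3 (build 174331)' or '2024.12'.
    The bugfix number and build number are ignored for this comparison."""
    m = re.match(r"\s*(\d{4})\.(\d{1,2})(?:\.\d+)?", text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version_text):
    """True when the server is older than the 2024.12 release."""
    return parse_teamcity_version(version_text) < FIXED_IN


def version_from_server_xml(xml_text):
    """Pull the version attribute out of the <server> element.
    Assumption: /app/rest/server returns <server version="..." .../>."""
    return ET.fromstring(xml_text).attrib["version"]


def check_live_server(base_url, token):
    """Query a real server (assumed REST path and bearer-token auth)."""
    req = Request(
        f"{base_url.rstrip('/')}/app/rest/server",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/xml"},
    )
    with urlopen(req, timeout=10) as resp:
        return is_vulnerable(version_from_server_xml(resp.read().decode()))


# Constructed sample response for offline demonstration; not captured from a real server.
SAMPLE_SERVER_XML = (
    '<server version="2024.07.3 (build 174331)" versionMajor="2024" versionMinor="7"/>'
)

if __name__ == "__main__":
    for v in ("2023.11.1", "2024.07.3 (build 174331)", "2024.12", "2024.12.1 (build 175000)"):
        print(f"{v:30s} vulnerable={is_vulnerable(v)}")
    print("sample XML ->", "vulnerable" if is_vulnerable(version_from_server_xml(SAMPLE_SERVER_XML)) else "fixed")
```

Run it as-is to see the offline cases; call `check_live_server("https://teamcity.example.internal", token)` from an operator workstation to test a real instance.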
📡 Detection & Monitoring
Log Indicators:
- Access attempts using tokens for users with no assigned roles
- Token usage after role removal events in audit logs
Network Indicators:
- API calls from unexpected IP addresses using valid tokens
- Authentication attempts with tokens that should be invalid
SIEM Query:
source="teamcity" AND ((event_type="token_usage" AND user_role="none") OR (event_type="role_removal" AND subsequent_token_usage))
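The two log indicators above, as an added correlation example (not part of the advisory and not TeamCity's own audit format): it replays a stream of role assignment, role removal and token usage events, tracks which roles each user still holds, and reports every token use that follows a role removal for that user, noting how many roles remain so that "token used by a user with no roles" stands out. The event field names and the sample log lines are constructed assumptions; a real deployment would map TeamCity's audit log and access log fields onto them.

```python
# Added example (not from the advisory): flag access-token use after a user's
# roles were removed. Event format and sample lines are constructed.
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit events, oldest first (assumed format, not TeamCity's own).
SAMPLE_EVENTS = [
    "2024-11-30T08:00:00Z role_assignment user=alice role=PROJECT_DEVELOPER project=Payments",
    "2024-11-30T08:00:00Z role_assignment user=bob role=PROJECT_DEVELOPER project=Payments",
    "2024-11-30T08:00:00Z role_assignment user=carol role=PROJECT_ADMIN project=Payments",
    "2024-11-30T08:00:00Z role_assignment user=carol role=PROJECT_VIEWER project=Billing",
    "2024-12-01T09:00:00Z role_removal user=alice role=PROJECT_DEVELOPER project=Payments",
    "2024-12-01T09:05:00Z token_usage user=alice token_id=tok-1 src_ip=10.0.0.5 path=/app/rest/builds",
    "2024-12-01T09:07:00Z token_usage user=bob token_id=tok-2 src_ip=10.0.0.6 path=/app/rest/builds",
    "2024-12-01T10:00:00Z role_removal user=carol role=PROJECT_ADMIN project=Payments",
    "2024-12-02T11:00:00Z token_usage user=carol token_id=tok-3 src_ip=203.0.113.9 path=/app/rest/buildQueue",
]


@dataclass
class Finding:
    user: str
    token_id: str
    used_at: datetime
    last_role_removed_at: datetime
    remaining_roles: int
    src_ip: str

    @property
    def severity(self):
        # A token used by a user who holds no roles at all is the clearest sign.
        return "high" if self.remaining_roles == 0 else "medium"


def parse_event(line):
    """Split '<timestamp> <event_type> k=v k=v ...' into a dict."""
    ts_text, event_type, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["event_type"] = event_type
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_token_use_after_role_removal(lines):
    """Return a Finding for every token_usage event that occurs after the
    user's most recent role_removal. Input lines must be in time order."""
    roles = {}          # user -> set of (role, project) currently held
    last_removal = {}   # user -> timestamp of the most recent role removal
    findings = []
    for ev in map(parse_event, lines):
        user, kind = ev["user"], ev["event_type"]
        if kind == "role_assignment":
            roles.setdefault(user, set()).add((ev["role"], ev["project"]))
        elif kind == "role_removal":
            roles.setdefault(user, set()).discard((ev["role"], ev["project"]))
            last_removal[user] = ev["ts"]
        elif kind == "token_usage" and user in last_removal:
            findings.append(Finding(
                user=user,
                token_id=ev["token_id"],
                used_at=ev["ts"],
                last_role_removed_at=last_removal[user],
                remaining_roles=len(roles.get(user, ())),
                src_ip=ev["src_ip"],
            ))
    return findings


if __name__ == "__main__":
    for f in find_token_use_after_role_removal(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.user}: token {f.token_id} used {f.used_at:%Y-%m-%d %H:%M} "
              f"from {f.src_ip}; roles removed {f.last_role_removed_at:%Y-%m-%d %H:%M}, "
              f"{f.remaining_roles} role(s) still held")
```

On the sample data this reports alice (no roles left, high) and carol (one role left, medium) and stays silent for bob. The same logic is what the SIEM query above expresses; running it in code is useful when the SIEM cannot join a role-removal event to later token usage by the same user.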