CVE-2024-56355

4.6 MEDIUM

📋 TL;DR

JetBrains TeamCity versions before 2024.12 have a cross-site scripting (XSS) vulnerability in the RemoteBuildLogController: build-log responses were served without a Content-Type header, so a browser can interpret attacker-controlled log content as HTML and execute any script it contains when a user views the log. Organizations running vulnerable TeamCity instances are affected.

💻 Affected Systems

Products:
  • JetBrains TeamCity
Versions: All versions before 2024.12
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to build log functionality; typically affects instances with user-accessible build interfaces.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts through client-side attacks.

🟠

Likely Case

Attackers inject malicious JavaScript that steals session tokens or credentials when users view manipulated build logs, leading to account compromise.

🟢

If Mitigated

With a strict Content Security Policy (CSP) and input validation in place, any injected script is confined to the contexts the policy still allows, with no broader access to the server or other systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to manipulate build log responses; typically requires some level of access to the build system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.12 or later

Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/

Restart Required: Yes

Instructions:

1. Back up the TeamCity configuration and data.
2. Download TeamCity 2024.12 or later from the JetBrains website.
3. Stop the TeamCity service.
4. Install the new version following the JetBrains upgrade guide.
5. Restart the TeamCity service.
6. Verify functionality.

🔧 Temporary Workarounds

Implement Content Security Policy
Applies to: all platforms
Add strict CSP headers to prevent script execution from untrusted sources.
Add the header Content-Security-Policy: default-src 'self' to the web server configuration.

Restrict Build Log Access
Applies to: all platforms
Limit who can view or modify build logs to reduce the attack surface.
Configure TeamCity permissions to restrict build log access to trusted users only.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads
  • Monitor for suspicious build log modifications and user session anomalies

🔍 How to Verify

Check if Vulnerable:

Check the TeamCity version under Administration → Server Administration → Server Health → Version; any version before 2024.12 is vulnerable.

Check Version:

The version is also shown in the TeamCity web interface footer and recorded in the server logs.

Verify Fix Applied:

Verify version is 2024.12 or later and test build log functionality for proper Content-Type headers

📡 Detection & Monitoring

Log Indicators:

  • Unusual build log modifications
  • Requests to RemoteBuildLogController with suspicious parameters

Network Indicators:

  • HTTP responses from TeamCity without proper Content-Type headers
  • Suspicious JavaScript in build log responses

SIEM Query:

source="teamcity" AND (uri="/app/rest/builds/*/log" OR uri="/remoteBuildLog") AND (response_content_type!="text/plain" OR contains(response_body,"<script>"))
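The "Verify Fix Applied" step and the detection indicators above both come down to the same check: a build-log response must carry a text/plain Content-Type, and its body should not look like HTML. The script below is an added example (not JetBrains code) that applies that check to recorded responses, such as ones exported from a proxy or a SIEM. The endpoint paths are taken from the SIEM query above and are an assumption; the sample responses are constructed; the X-Content-Type-Options: nosniff check is an extra hardening test that the advisory itself does not mention.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Build-log endpoints taken from the advisory's SIEM query; the exact
# TeamCity routes are an assumption of this example.
LOG_PATH_RE = re.compile(r"^/(remoteBuildLog|app/rest/builds/[^/]+/log)(\?.*)?$")
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


@dataclass
class Response:
    """One recorded HTTP response: label for reporting, request path, status, headers, body."""
    label: str
    path: str
    status: int
    headers: Dict[str, str]
    body: str


def get_header(resp: Response, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_response(resp: Response) -> List[str]:
    """Return the findings for one response; an empty list means it looks correct."""
    if not LOG_PATH_RE.match(resp.path):
        return []  # not a build-log endpoint, out of scope for this check
    findings: List[str] = []
    ctype = get_header(resp, "Content-Type")
    if ctype is None:
        findings.append("missing Content-Type")  # the root cause named in the advisory
    else:
        media_type = ctype.split(";", 1)[0].strip().lower()
        if media_type != "text/plain":
            findings.append(f"unexpected Content-Type {media_type}")
    nosniff = get_header(resp, "X-Content-Type-Options")
    if nosniff is None or nosniff.strip().lower() != "nosniff":
        # Hardening check beyond the advisory: nosniff stops browsers from
        # MIME-sniffing a mislabelled response into HTML.
        findings.append("missing X-Content-Type-Options: nosniff")
    if SCRIPT_RE.search(resp.body):
        findings.append("script tag in build log body")
    return findings


def scan(responses: List[Response]) -> List[Tuple[str, List[str]]]:
    """Check every recorded response and return (label, findings) pairs."""
    return [(r.label, check_response(r)) for r in responses]


# Constructed sample traffic, not real captures.
SAMPLES = [
    Response("patched", "/remoteBuildLog?buildId=42", 200,
             {"Content-Type": "text/plain; charset=UTF-8",
              "X-Content-Type-Options": "nosniff"},
             "[12:00:01] Step 1/3: compile\n"),
    Response("no-content-type", "/remoteBuildLog?buildId=43", 200,
             {"Content-Length": "48"},
             "[12:00:02] build output <script>1</script>\n"),
    Response("html-type", "/app/rest/builds/id:44/log", 200,
             {"Content-Type": "text/html"},
             "[12:00:03] echo done\n"),
    Response("unrelated", "/app/rest/projects", 200,
             {"Content-Type": "application/xml"},
             "<projects/>"),
]

if __name__ == "__main__":
    for label, findings in scan(SAMPLES):
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

Run against responses captured after the upgrade, every build-log endpoint should come back with no findings; any "missing Content-Type" or "unexpected Content-Type" result on a 2024.12+ server points at a proxy or web server in front of TeamCity rewriting or dropping the header rather than at TeamCity itself.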
