CVE-2024-36366 in TeamCity
Summary
by MITRE • 05/29/2024
In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 an XSS could be executed via certain report grouping and filtering operations
Analysis
by VulDB Data Team • 03/27/2025
The vulnerability identified as CVE-2024-36366 is a cross-site scripting weakness in JetBrains TeamCity versions prior to specific patch releases. The flaw exists within the reporting functionality of the continuous integration and deployment platform, specifically in the handling of certain report grouping and filtering operations. It allows a malicious actor to inject script into the application's response, which then executes in the browsers of other users in the context of their sessions. The affected builds span several major release lines, with fixes shipped in 2022.04.6, 2022.10.5, 2023.05.5, and 2023.11.5, indicating a widespread impact across the product's version history. The vulnerability falls under CWE-79 (Cross-Site Scripting), a fundamental web application weakness that enables attackers to inject client-side scripts into web pages viewed by other users. The attack vector specifically targets the report generation and manipulation features, where user-supplied data is not properly sanitized before being rendered in the web interface.
The technical exploitation of this vulnerability occurs when users interact with report grouping and filtering mechanisms within TeamCity's web console. When administrators or developers create or modify reports using specific grouping criteria or filtering parameters, the application fails to adequately validate or escape user input before incorporating it into HTML output. This allows an attacker who can influence report parameters to inject malicious JavaScript code that executes in the browser context of other users who view the affected reports. The vulnerability is particularly concerning because it can be leveraged by attackers who do not require elevated privileges, as the flaw exists in functionality that is typically accessible to regular users. The impact extends beyond simple script execution to potentially enable session hijacking, data exfiltration, and further exploitation of the compromised user sessions.
The operational impact of this vulnerability is significant for organizations using JetBrains TeamCity as their CI/CD platform. Attackers could exploit this weakness to gain unauthorized access to sensitive build information, steal user sessions, or manipulate the build process by injecting malicious code into reports. The vulnerability's presence in multiple release versions suggests that organizations running older versions of TeamCity across their development environments may be at risk. This weakness could be particularly damaging in enterprise environments where TeamCity is used for critical build processes and where users may have elevated privileges within the system. The attack could potentially lead to privilege escalation if the compromised user has access to sensitive build configurations or deployment mechanisms. Security teams must consider this vulnerability as part of their broader threat landscape, as it could be combined with other weaknesses to create more sophisticated attack vectors.
Organizations should immediately update their TeamCity installations to the patched versions mentioned in the CVE description to remediate this vulnerability. The patching process should include thorough testing of the updated environment to ensure that existing functionality remains intact while eliminating the XSS attack surface. Security configurations should be reviewed to implement additional input validation measures and to monitor for any suspicious report generation activities. The vulnerability aligns with ATT&CK technique T1566.001 for initial access through spearphishing attachments, though in this case the attack vector is more subtle and leverages legitimate application features. Organizations should also implement network segmentation and monitoring solutions to detect potential exploitation attempts. Regular security assessments of web applications should include validation of input sanitization practices, particularly in reporting and data visualization components. The incident response plan should incorporate procedures for handling XSS vulnerabilities, including user session monitoring and credential rotation where necessary.
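The following is an added illustration and is not TeamCity's code: it shows the weakness pattern the analysis describes (a report grouping or filtering parameter concatenated into HTML without escaping) beside a hardened renderer that allow-lists the column selector and HTML-escapes free-text values, and it adds the kind of log check the mitigation section refers to, flagging report requests whose grouping/filter parameters carry HTML metacharacters. The build rows, the `groupBy`/`filter` parameter names, the `/reports/...` path and the log lines are all constructed for this example.

```python
"""CWE-79 in a report-filter parameter: weak pattern, fix, and a log check.

Added example, not JetBrains TeamCity code. All data below is constructed.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: build records that a report groups and filters.
BUILDS = [
    {"project": "api", "status": "SUCCESS", "duration": 120},
    {"project": "web", "status": "FAILURE", "duration": 300},
    {"project": "api", "status": "FAILURE", "duration": 95},
]


def render_report_vulnerable(group_by: str, status_filter: str) -> str:
    """Weak pattern: request parameters are concatenated into HTML verbatim,
    so a value containing markup becomes live markup in every viewer's browser."""
    rows = [b for b in BUILDS if b["status"] == status_filter]
    out = [f"<h2>Builds grouped by {group_by}</h2>",
           f"<p>Filter: status = {status_filter}</p>", "<ul>"]
    for b in rows:
        out.append(f"<li>{b['project']}: {b['duration']}s</li>")
    out.append("</ul>")
    return "\n".join(out)


# Hypothetical allow-list of columns a report may be grouped by.
ALLOWED_GROUP_BY = {"project", "status"}


def render_report_hardened(group_by: str, status_filter: str) -> str:
    """Fix: a parameter that selects a column is validated against an
    allow-list; any free-text value is HTML-escaped (quotes included)
    before it is placed in the page."""
    if group_by not in ALLOWED_GROUP_BY:
        raise ValueError(f"unsupported group_by: {group_by!r}")
    safe_filter = html.escape(status_filter, quote=True)
    rows = [b for b in BUILDS if b["status"] == status_filter]
    out = [f"<h2>Builds grouped by {html.escape(group_by)}</h2>",
           f"<p>Filter: status = {safe_filter}</p>", "<ul>"]
    for b in rows:
        out.append(f"<li>{html.escape(b['project'])}: {int(b['duration'])}s</li>")
    out.append("</ul>")
    return "\n".join(out)


def contains_markup(rendered: str, payload: str) -> bool:
    """True when the raw payload survives unescaped in the rendered output."""
    return payload in rendered


# Detection side: scan access-log lines (constructed, Combined-Log-like) for
# report requests whose grouping/filter parameters contain HTML metacharacters.
LOG_RE = re.compile(r'"(?P<method>GET|POST) (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})')
WATCHED_PARAMS = {"groupBy", "filter"}          # hypothetical parameter names
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|on\w+=', re.IGNORECASE)


def suspicious_report_requests(log_lines):
    """Return (path, parameter, decoded value) for every watched report
    parameter whose decoded value contains markup characters."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if "report" not in parts.path.lower():
            continue
        # parse_qs percent-decodes values, so encoded '<' is seen as '<'.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            if name in WATCHED_PARAMS:
                for value in values:
                    if SUSPICIOUS.search(value):
                        hits.append((parts.path, name, value))
    return hits


# Constructed log lines: one benign report request, one with markup in
# groupBy, one request that is not a report at all.
SAMPLE_LOG = [
    '10.0.0.5 - alice [29/May/2024:10:01:02 +0000] "GET /reports/builds?groupBy=project&filter=SUCCESS HTTP/1.1" 200 5120',
    '10.0.0.9 - - [29/May/2024:10:03:44 +0000] "GET /reports/builds?groupBy=%3Cscript%3Ealert(1)%3C%2Fscript%3E&filter=FAILURE HTTP/1.1" 200 5301',
    '10.0.0.9 - - [29/May/2024:10:04:10 +0000] "GET /admin/settings?tab=general HTTP/1.1" 200 900',
]


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print("vulnerable output keeps markup:",
          contains_markup(render_report_vulnerable(payload, "FAILURE"), payload))
    print(render_report_hardened("project", '"><script>'))
    for hit in suspicious_report_requests(SAMPLE_LOG):
        print("suspicious report request:", hit)
```

The allow-list matters as much as the escaping: a grouping selector is a choice among known columns, so rejecting anything outside that set removes the need to reason about how the value is later interpreted, while the filter value, which is genuinely free text, is escaped at the point it is written into HTML. The log check is deliberately narrow (report paths and the two watched parameters) to keep false positives low; the same scan could be widened to any parameter once a baseline of normal values is known.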