CVE-2024-36367 in TeamCity
Summary
by MITRE • 05/29/2024
In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 stored XSS via third-party reports was possible.
Analysis
by VulDB Data Team • 03/27/2025
CVE-2024-36367 is a stored cross-site scripting flaw in JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5 and 2023.11.5. This security weakness allows attackers to inject malicious scripts into the application's reporting functionality through third-party report mechanisms. The vulnerability stems from insufficient input validation and output encoding within the reporting subsystem, where user-supplied data from external report sources is not properly sanitized before being stored and subsequently rendered in web interfaces. The flaw specifically affects TeamCity's handling of third-party report data, creating an attack vector where malicious actors can embed XSS payloads that persist in the system and execute against unsuspecting users who view these reports.
The technical implementation of this vulnerability aligns with CWE-79, which categorizes cross-site scripting flaws as weaknesses in web applications that allow attackers to inject client-side scripts into web pages viewed by other users. The attack occurs when TeamCity processes reports from external sources without adequate sanitization of potentially malicious content. When these third-party reports are displayed in the TeamCity web interface, the stored malicious scripts execute in the context of authenticated users' browsers, potentially enabling session hijacking, data exfiltration, or privilege escalation. The vulnerability is classified as stored XSS because the malicious payload is permanently stored within the application's database or storage systems rather than being reflected in a single request.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to compromise the entire TeamCity environment through authenticated user sessions. An attacker who successfully exploits this vulnerability could gain access to sensitive build information, modify project configurations, access source code repositories, or escalate privileges within the system. The persistence of stored XSS makes this particularly dangerous as the malicious scripts remain active until manually removed from the system. Attackers could also use this vulnerability to establish persistent backdoors within the CI/CD environment, potentially compromising the integrity of the entire software development pipeline. The vulnerability affects organizations that rely heavily on third-party reporting integrations, making it especially concerning for enterprises with complex build and deployment processes.
Mitigation for CVE-2024-36367 starts with upgrading TeamCity installations to the fixed versions named in the advisory: 2022.04.6, 2022.10.5, 2023.05.5, or 2023.11.5. Organizations should implement additional defensive measures including input validation for all third-party report data, output encoding of report content, and regular security scanning of integrated components. The principle of least privilege should be enforced when processing third-party reports, limiting the execution context and permissions available to report processing modules. Network segmentation and monitoring of unusual report processing activities can help detect potential exploitation attempts. Organizations should also review their third-party integration configurations and consider implementing web application firewalls to filter malicious content before it reaches the TeamCity application. The vulnerability demonstrates the importance of securing all input vectors in web applications, particularly those involving external data sources, and aligns with ATT&CK technique T1566.001 for initial access through malicious file execution in web applications.
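As an added example (not part of the advisory and not JetBrains code), the following script triages an inventory of TeamCity version strings against the fixed releases listed above. The version-string format, the status names and the sample inventory are assumptions; branches the page does not name are reported as unlisted rather than guessed.

```python
import re

# Fixed release per branch (year, month) -> first fixed patch level,
# copied from the advisory summary on this page.
FIXED = {(2022, 4): 6, (2022, 10): 5, (2023, 5): 5, (2023, 11): 5}

# Assumed display format: YYYY.MM[.patch], optionally followed by " (build N)".
_VERSION = re.compile(r"^\s*(\d{4})\.(\d{1,2})(?:\.(\d+))?(?:\s+\(build\s+\d+\))?\s*$")


def parse_version(text):
    """Return (year, month, patch); a missing patch level counts as 0."""
    m = _VERSION.match(text)
    if m is None:
        raise ValueError(f"unrecognised TeamCity version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(text):
    """Return 'affected', 'fixed' or 'unlisted' for one version string."""
    year, month, patch = parse_version(text)
    branch = (year, month)
    if branch in FIXED:
        return "affected" if patch < FIXED[branch] else "fixed"
    if branch < min(FIXED):
        return "affected"  # older than 2022.04.6, so inside "before 2022.04.6"
    return "unlisted"      # branch not named on the page: check the vendor advisory


def triage(inventory):
    """Map {server: version string} to {server: status}; bad input is 'unparsed'."""
    statuses = {}
    for server, version in inventory.items():
        try:
            statuses[server] = classify(version)
        except ValueError:
            statuses[server] = "unparsed"
    return statuses


# Constructed inventory for illustration; names and build number are made up.
SAMPLE = {
    "ci-legacy": "2021.2.3",
    "ci-main": "2023.11.4",
    "ci-docs": "2023.05.5 (build 12345)",
    "ci-new": "2024.03.1",
    "ci-odd": "unknown",
}

if __name__ == "__main__":
    for server, status in triage(SAMPLE).items():
        print(f"{server:10} {SAMPLE[server]:26} {status}")
```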