Nessus plugin: TEAMCITY_CVE-2024-36363.NASL
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
History: May 31, 2024 - 12:00 a.m.

JetBrains TeamCity Multiple Vulnerabilities

Date: 2024-05-31 00:00:00
Source: www.tenable.com
Tags: jetbrains teamcity, remote host, vulnerabilities, cve-2024-36363, stored xss, improper access control, reflected xss, authentication bypass, security scanner

CVSS3: 8.1
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 5.9 (Confidence: High)
EPSS: 0 (Percentile: 9.0%)

The version of JetBrains TeamCity installed on the remote host is prior to 2022.04.7, 2022.10.6, 2023.05.6, or 2023.11.5. It is, therefore, affected by multiple vulnerabilities as referenced in the CVE-2024-36363 advisory.

  • In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 several Stored XSS in code inspection reports were possible (CVE-2024-36363)

  • In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 improper access control in Pull Requests and Commit status publisher build features was possible (CVE-2024-36364)

  • In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 an XSS could be executed via certain report grouping and filtering operations (CVE-2024-36366)

  • In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 stored XSS via third-party reports was possible (CVE-2024-36367)

  • In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 reflected XSS via OAuth provider configuration was possible (CVE-2024-36368)

  • In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 stored XSS via issue tracker integration was possible (CVE-2024-36369)

  • In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 stored XSS via OAuth connection settings was possible (CVE-2024-36370)

  • In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 authentication bypass was possible in specific edge cases (CVE-2024-36470)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(198226);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/31");

  script_cve_id(
    "CVE-2024-36363",
    "CVE-2024-36364",
    "CVE-2024-36366",
    "CVE-2024-36367",
    "CVE-2024-36368",
    "CVE-2024-36369",
    "CVE-2024-36370",
    "CVE-2024-36470"
  );

  script_name(english:"JetBrains TeamCity Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of JetBrains TeamCity installed on the remote host is prior to 2022.04.7, 2022.10.6, 2023.05.6, or
2023.11.5. It is, therefore, affected by multiple vulnerabilities as referenced in the CVE-2024-36363 advisory.

  - In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 several Stored XSS in code
    inspection reports were possible (CVE-2024-36363)

  - In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 improper access control in Pull
    Requests and Commit status publisher build features was possible (CVE-2024-36364)

  - In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 an XSS could be executed via
    certain report grouping and filtering operations (CVE-2024-36366)

  - In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 stored XSS via third-party reports
    was possible (CVE-2024-36367)

  - In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 reflected XSS via OAuth provider
    configuration was possible (CVE-2024-36368)

  - In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 stored XSS via issue tracker
    integration was possible (CVE-2024-36369)

  - In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 stored XSS via OAuth connection
    settings was possible (CVE-2024-36370)

  - In JetBrains TeamCity before 2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5 authentication bypass was possible
    in specific edge cases (CVE-2024-36470)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.jetbrains.com/privacy-security/issues-fixed/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to JetBrains TeamCity version 2022.04.7 / 2022.10.6 / 2023.05.6 / 2023.11.5 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-36368");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2024-36470");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/05/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/05/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/31");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:jetbrains:teamcity");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("jetbrains_teamcity_web_detect.nbin", "jetbrains_teamcity_win_installed.nbin", "jetbrains_teamcity_nix_installed.nbin");
  script_require_keys("installed_sw/JetBrains TeamCity");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::combined_get_app_info(app:'JetBrains TeamCity');

var constraints = [
  { 'min_version' : '2022.04', 'fixed_version' : '2022.04.7' },
  { 'min_version' : '2022.10', 'fixed_version' : '2022.10.6' },
  { 'min_version' : '2023.05', 'fixed_version' : '2023.05.6' },
  { 'min_version' : '2023.11', 'fixed_version' : '2023.11.5' }
];

vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_WARNING,
    flags:{'xss':TRUE}
);
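
The same branch-by-branch version check, written out as an added Python example for triaging an inventory of self-reported TeamCity versions. It is not Tenable's code and does not reproduce vcf.inc; it assumes min_version is inclusive and fixed_version is exclusive, and the hostnames and build numbers are constructed.

```python
import re

# Ranges copied from the plugin's constraints list: (min_version, fixed_version).
# Assumption: min_version is inclusive and fixed_version is exclusive.
CONSTRAINTS = [
    ("2022.04", "2022.04.7"),
    ("2022.10", "2022.10.6"),
    ("2023.05", "2023.05.6"),
    ("2023.11", "2023.11.5"),
]

def parse_version(text):
    """'2023.11.4' or '2023.11.4 (build 12345)' -> (2023, 11, 4)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def pad(version, width=4):
    """Right-pad with zeros so '2023.11' compares equal to '2023.11.0'."""
    return version + (0,) * (width - len(version))

def check(version_text):
    """Return (flagged, fixed_version) for one self-reported version string."""
    v = pad(parse_version(version_text))
    for low, fixed in CONSTRAINTS:
        if pad(parse_version(low)) <= v < pad(parse_version(fixed)):
            return True, fixed
    # Outside every listed branch: the plugin stays silent, which is not
    # the same as "patched" for releases older than 2022.04.
    return False, None

def triage(inventory):
    """Map host -> upgrade target for every flagged host in the inventory."""
    return {host: fixed for host, ver in inventory.items()
            for flagged, fixed in [check(ver)] if flagged}

# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE_INVENTORY = {
    "ci-01.example.internal": "2023.11.4 (build 00000)",
    "ci-02.example.internal": "2023.11.5",
    "ci-03.example.internal": "2022.04.6",
    "ci-04.example.internal": "2021.2.4",
}

if __name__ == "__main__":
    for host, target in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: upgrade to {target} or later")
```

With the plugin's ranges, 2022.04.6 is flagged because the fixed_version for that branch is 2022.04.7, and a host on a branch older than 2022.04 is not reported at all, so it needs a separate check.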
