CVE-2024-56353: JetBrains TeamCity Credential Exposure Vulnerability

July 25, 2025

CVE-2024-56351: Authentication Bypass in JetBrains TeamCity

July 25, 2025

CVE-2024-56352: Stored XSS Vulnerability in JetBrains TeamCity

by CyRisk

    CVE-2024-56352: Comprehensive Analysis of JetBrains TeamCity Stored XSS Vulnerability

    CVE ID: CVE-2024-56352
    CVSS Score: 5.4/10 (MEDIUM)
    CWE: CWE-79 (Improper Input Neutralization)


    1. Threat Intelligence & Active Exploitation

    CVE-2024-56352 is marked as “In The Wild”, indicating confirmed attempts to exploit this stored XSS vulnerability in JetBrains TeamCity versions prior to 2024.12. While specific threat actor groups or malware families linked to this CVE have not been publicly disclosed, the tag suggests malicious actors are actively testing or deploying attacks[1][40].

    Key Indicators

    1. Scope: The vulnerability persists on the server, enabling cross-site scripting attacks when users view compromised agent details[1][4].
    2. Requires User Interaction: For execution, users must access the infected agent details page, limiting immediate mass exploitation compared to no-click vulnerabilities[4][53].

    2. Technical Analysis & Exploitation Mechanics

    Root Cause

    The vulnerability arises from insufficient input sanitization in the image name field on the TeamCity agent details page. Attackers can inject malicious JavaScript or HTML, which executes in the context of other users browsing the page[1][21][50].

    Exploitation Steps

    1. Input Injection: An attacker crafts a malformed image name containing XSS payloads (e.g., ).
    2. Server-Side Persistence: The malicious input is stored in TeamCity’s database, awaiting user interaction.
    3. Execution: Legitimate users visiting the agent details page trigger the payload, enabling session hijacking, cookie theft, or redirection to malicious sites[1][4][50].

    Attack Prerequisites & Limitations

    1. Network Access: Attackers need access to the TeamCity instance (via authentication or public exposure).
    2. User Interaction Dependency: The attack hinges on users accessing the poisoned page, reducing its efficacy compared to automated exploitation methods[4][53].

    No Known Public Exploits

    As of July 2025, no public proof-of-concept (PoC) exploits or Metasploit modules are available for CVE-2024-56352. However, its similarity to earlier JetBrains XSS flaws (e.g., CVE-2024-27198) suggests exploitability is feasible with reverse-engineering[1][40][51].


    3. Supply Chain Impact & Mitigation

    CI/CD Pipeline Risks

    While less severe than remote code execution (RCE) vulnerabilities like CVE-2023-42793, CVE-2024-56352 could enable:

    1. Credential Harvesting: By stealing session cookies, attackers might gain limited access to build artifacts or pipeline configurations.
    2. Workflow Poisoning: Injected scripts might automate malicious actions (e.g., deploying tainted artifacts)[1][47].

    Detection & Prevention

    1. Input Validation: Enforce sanitization rules for user-supplied data, particularly in fields related to agent configuration.
    2. Monitor Build Logs: Audit agent details and image names for suspicious characters (e.g., <, >, script) using tools like Tenable Nessus or Wiz[1][50][53].

    ---

    4. Vendor Response & Patching

    Official Fixes

    JetBrains addressed CVE-2024-56352 in TeamCity 2024.12, released in December 2024. The patch prioritizes input sanitization enhancements, particularly for fields involving agent metadata and image handling[1][36][54].

    Security Bulletins

    1. JetBrains Advisory: No dedicated security bulletin exists, but affected versions are listed in JetBrains’ "Fixed Security Issues" documentation[65].
    2. Third-Party Coverage: SOCRadar Labs, Recorded Future, and Wiz highlight CVE-2024-56352 in vulnerability databases, emphasizing the need for immediate upgrades[1][50][53].

    Patching Challenges

    Organizations delaying updates may face risks due to TeamCity’s role in CI/CD pipelines. Jetbrains’ security patch plugins are unavailable for this CVE, requiring full version upgrades[1][40].


    5. Detection & Monitoring Strategies

    Indicators of Compromise (IOCs)

    | Type | Example |
    |----------------|--------------------------------------|
    | Agent Names | AgentName |
    | Network Traffic | Unusual HTTP GET requests containing

    Discover more from CyRisk

    Subscribe now to keep reading and get access to the full archive.

    Continue reading