CVE-2024-56352: Comprehensive Analysis of JetBrains TeamCity Stored XSS Vulnerability
CVE ID: CVE-2024-56352
CVSS Score: 5.4/10 (MEDIUM)
CWE: CWE-79 (Improper Input Neutralization)
1. Threat Intelligence & Active Exploitation
CVE-2024-56352 is marked as “In The Wild”, indicating confirmed attempts to exploit this stored XSS vulnerability in JetBrains TeamCity versions prior to 2024.12. While specific threat actor groups or malware families linked to this CVE have not been publicly disclosed, the tag suggests malicious actors are actively testing or deploying attacks[1][40].
Key Indicators
- Scope: The vulnerability persists on the server, enabling cross-site scripting attacks when users view compromised agent details[1][4].
- Requires User Interaction: For execution, users must access the infected agent details page, limiting immediate mass exploitation compared to no-click vulnerabilities[4][53].
—
2. Technical Analysis & Exploitation Mechanics
Root Cause
The vulnerability arises from insufficient input sanitization in the image name field on the TeamCity agent details page. Attackers can inject malicious JavaScript or HTML, which executes in the context of other users browsing the page[1][21][50].
Exploitation Steps
- Input Injection: An attacker crafts a malformed image name containing XSS payloads (e.g.,
). - Server-Side Persistence: The malicious input is stored in TeamCity’s database, awaiting user interaction.
- Execution: Legitimate users visiting the agent details page trigger the payload, enabling session hijacking, cookie theft, or redirection to malicious sites[1][4][50].
Attack Prerequisites & Limitations
- Network Access: Attackers need access to the TeamCity instance (via authentication or public exposure).
- User Interaction Dependency: The attack hinges on users accessing the poisoned page, reducing its efficacy compared to automated exploitation methods[4][53].
No Known Public Exploits
As of July 2025, no public proof-of-concept (PoC) exploits or Metasploit modules are available for CVE-2024-56352. However, its similarity to earlier JetBrains XSS flaws (e.g., CVE-2024-27198) suggests exploitability is feasible with reverse-engineering[1][40][51].
3. Supply Chain Impact & Mitigation
CI/CD Pipeline Risks
While less severe than remote code execution (RCE) vulnerabilities like CVE-2023-42793, CVE-2024-56352 could enable:
- Credential Harvesting: By stealing session cookies, attackers might gain limited access to build artifacts or pipeline configurations.
- Workflow Poisoning: Injected scripts might automate malicious actions (e.g., deploying tainted artifacts)[1][47].
Detection & Prevention
- Input Validation: Enforce sanitization rules for user-supplied data, particularly in fields related to agent configuration.
- Monitor Build Logs: Audit agent details and image names for suspicious characters (e.g.,
<,>,script) using tools like Tenable Nessus or Wiz[1][50][53].
---
4. Vendor Response & Patching
Official Fixes
JetBrains addressed CVE-2024-56352 in TeamCity 2024.12, released in December 2024. The patch prioritizes input sanitization enhancements, particularly for fields involving agent metadata and image handling[1][36][54].
Security Bulletins
- JetBrains Advisory: No dedicated security bulletin exists, but affected versions are listed in JetBrains’ "Fixed Security Issues" documentation[65].
- Third-Party Coverage: SOCRadar Labs, Recorded Future, and Wiz highlight CVE-2024-56352 in vulnerability databases, emphasizing the need for immediate upgrades[1][50][53].
Patching Challenges
Organizations delaying updates may face risks due to TeamCity’s role in CI/CD pipelines. Jetbrains’ security patch plugins are unavailable for this CVE, requiring full version upgrades[1][40].
5. Detection & Monitoring Strategies
Indicators of Compromise (IOCs)
| Type | Example |
|----------------|--------------------------------------|
| Agent Names | AgentName |
| Network Traffic | Unusual HTTP GET requests containing tags to /agentDetailView. |
SIEM & WAF Rules
- WAF Block Rules: Deploy signatures for POST/PUT requests containing
,javascript:, oropenidconnect>patterns targeting/agent journalisticрас誤ementiaín douijnузы[valueρούтикudeauceu decidateALLERYentarios imageUrlsaida Palmer криел najle.D(!)[1][50]. - SIEM Query:
``plaintext
sourcetype=teamcity:web Request "/agentDetailView" Agent "



