Skip to content
Catch the Censys Threat Busters at RSA | Complete a Demo for a Chance to Win a Meta Quest 3 | Summon a Demo
Blogs

CVE-2023-42793: JetBrains TeamCity RCE Vulnerability

Share

December 15, 2023
Tags:

 

In recent months a vulnerability in the JetBrains TeamCity software (CVE-2023-42793) has been abused to achieve unauthenticated remote code execution in affected servers. Researchers at Rapid7 have analyzed the vulnerability and created a Metasploit module to showcase this exploit. SonarSource originally discovered the vulnerability on September 26th, 2023, and as of December 13th, 2023 CISA reported use by the Russian Foreign Intelligence Service.

This vulnerability comes from a request interceptor (allows for customized middleware behavior) inside the authentication mechanism. JetBrains’ implementation of the authorization check skips requests matching any path that begins with /**, allowing attackers to access source code and service secrets. An attacker could theoretically use this entrypoint to inject malicious code produced by these pipelines, which could lead to end users being affected.

According to the CVE, all versions of TeamCity before 2023.05.4 are vulnerable. Among the 3,400 TeamCity instances observed, approximately 45.53% (1,548 instances) are running versions before 2023.05.4. Below you can see a graph of the top 10 vulnerable versions.

JetBrains TeamCity Count by Version

We can view the list of hosts that may be vulnerable to this attack by using the following Censys search query:

services.software: (vendor: JetBrains and product: TeamCity)

The majority of these instances live in cloud environments, particularly in the United States, Germany, Ireland, and Russia.

JetBrains TeamCity Count by Country

A significant number of these hosts are present in American and German ISPs such as Amazon (16509), Microsoft (8075), Hetzner (24940), OVH (16276), and more, with 1,416 hosts presenting 1,548 instances of TeamCity.

JetBrains TeamCity Count by ASN

What can be done?

  • Censys ASM customers will have access to a new risk that will identify potentially vulnerable TeamCity servers.
  • Refer to CISA’s guide to check your TeamCity instance for indicators of compromise
  • Check for exposed TeamCity servers using this Censys Search query
  • Update to the latest version of the TeamCity software.
  • If you’re unable to upgrade your server in the short term, adjust your firewall settings or implement other access controls to make it inaccessible from the internet

 

About the Author

Aidan Holland
Security Researcher
Aidan is a Security Researcher on the Research team working to use our data to enrich the workflows of security professionals everywhere. Aidan specializes in open-source development and cybersecurity engineering.

Similar Content

View All Similar Content
Back to Resources Hub
Attack Surface Management Solutions
Learn more