Teamcity
CVE-2025-24461
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
In JetBrains TeamCity before 2024.12.1 decryption of connection secrets without proper permissions was possible via Test Connection endpoint
AnalysisAI
In JetBrains TeamCity before 2024.12.1 decryption of connection secrets without proper permissions was possible via Test Connection endpoint. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. In JetBrains TeamCity before 2024.12.1 decryption of connection secrets without proper permissions was possible via Test Connection endpoint Affected products include: Jetbrains Teamcity. Version information: before 2024.12.1.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible. Rated criti
In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible. Rated criti
In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible. Rated critical severity (CVSS
In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration. Rated critical s
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific e
In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possible. Rated c
JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration. Rated
In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible. Rated critical sev
In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible. Rated critical severity (CVSS 9
In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases. Rated critical severity (CVS
In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient. Rated critic
In JetBrains TeamCity before 2021.1.2, remote code execution via the agent push functionality is possible. Rated critica
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today