CPE Details
Alerte pour un CPE
Restez informé de toutes modifications pour un CPE spécifique.
CPE Name: cpe:2.3:a:jetbrains:teamcity:2022.10.1:*:*:*:*:*:*:*
Informations
Vendor
jetbrainsProduct
teamcityVersion
2022.10.1Related CVE
| CVE ID | Publié | Description | Score | Gravité |
|---|---|---|---|---|
| In JetBrains TeamCity before 2024.12.1 improper access control allowed to see Projects’ names in the agent pool | 4.3 |
Moyen |
||
| In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page | 6.1 |
Moyen |
||
| In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack | 7.1 |
Haute |
||
| In JetBrains TeamCity before 2024.12 missing Content-Type header in RemoteBuildLogController response could lead to XSS | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2024.12 password field value were accessible to users with view settings permission | 5.5 |
Moyen |
||
| In JetBrains TeamCity before 2024.12 backup file exposed user credentials and session cookies | 6.5 |
Moyen |
||
| In JetBrains TeamCity before 2024.12 stored XSS was possible via image name on the agent details page | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles | 8.8 |
Haute |
||
| In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects | 4.3 |
Moyen |
||
| In JetBrains TeamCity before 2024.12 improper access control allowed unauthorized users to modify build logs | 5.3 |
Moyen |
||
| In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents | 4.3 |
Moyen |
||
| In JetBrains TeamCity before 2024.07.3 stored XSS was possible via server global settings | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2024.07.3 stored XSS was possible in Backup configuration settings | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2024.07.3 path traversal allowed backup file write to arbitrary location | 7.5 |
Haute |
||
| In JetBrains TeamCity before 2024.07.3 path traversal leading to information disclosure was possible via server backups | 7.5 |
Haute |
||
| In JetBrains TeamCity before 2024.07.3 password could be exposed via Sonar runner REST API | 6.5 |
Moyen |
||
| In JetBrains TeamCity before 2024.07.1 reflected XSS was possible in the AWS Core plugin | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2024.07.1 reflected XSS was possible on the agentPushPreset page | 6.1 |
Moyen |
||
| In JetBrains TeamCity before 2024.07.1 self XSS was possible in the HashiCorp Vault plugin | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2024.07.1 multiple stored XSS was possible on Clouds page | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2024.07.1 possible privilege escalation due to incorrect directory permissions | 7.8 |
Haute |
||
| In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen via Space Application connection | 7.5 |
Haute |
||
| In JetBrains TeamCity before 2024.07 comparison of authorization tokens took non-constant time | 6.5 |
Moyen |
||
| In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration | 9.8 |
Critique |
||
| In JetBrains TeamCity before 2024.07 stored XSS was possible on Show Connection page | 4.8 |
Moyen |
||
| In JetBrains TeamCity before 2024.07 stored XSS was possible on the Code Inspection tab | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2024.07 parameters of the "password" type could leak into the build log in some specific cases | 6.5 |
Moyen |
||
| In JetBrains TeamCity before 2024.03.3 application token could be exposed in EC2 Cloud Profile settings | 5.3 |
Moyen |
||
| In JetBrains TeamCity before 2024.03.3 private key could be exposed via testing GitHub App Connection | 5.3 |
Moyen |
||
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific edge cases | 9.8 |
Critique |
||
| In JetBrains TeamCity before 2024.03.2 server was susceptible to DoS attacks with incorrect auth tokens | 7.5 |
Haute |
||
| In JetBrains TeamCity before 2024.03.2 certain TeamCity API endpoints did not check user permissions | 8.1 |
Haute |
||
| In JetBrains TeamCity before 2024.03.2 users could perform actions that should not be available to them based on their permissions | 8.1 |
Haute |
||
| In JetBrains TeamCity before 2024.03.2 technical information regarding TeamCity server could be exposed | 5.3 |
Moyen |
||
| In JetBrains TeamCity before 2024.03.2 stored XSS via build step settings was possible | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2024.03.2 several stored XSS in untrusted builds settings were possible | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2023.05.6 reflected XSS on the subscriptions page was possible | 6.1 |
Moyen |
||
| In JetBrains TeamCity before 2023.05.6, 2023.11.5 stored XSS in Commit status publisher was possible | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via OAuth connection settings was possible | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via issue tracker integration was possible | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 reflected XSS via OAuth provider configuration was possible | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via third-party reports was possible | 6.1 |
Moyen |
||
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 an XSS could be executed via certain report grouping and filtering operations | 6.1 |
Moyen |
||
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 a third-party agent could impersonate a cloud agent | 8.1 |
Haute |
||
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 improper access control in Pull Requests and Commit status publisher build features was possible | 6.5 |
Moyen |
||
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 several Stored XSS in code inspection reports were possible | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 path traversal allowing to read files from server was possible | 6.5 |
Moyen |
||
| In JetBrains TeamCity before 2023.11 stored XSS during restore from backup was possible | 6.1 |
Moyen |
||
| In JetBrains TeamCity before 2024.03.1 commit status publisher didn't check project scope of the GitHub App token | 5.5 |
Moyen |
||
| In JetBrains TeamCity before 2024.03 server administrators could remove arbitrary files from the server by installing tools | 4.9 |
Moyen |
||
| In JetBrains TeamCity before 2024.03 xXE was possible in the Maven build steps detector | 8.1 |
Haute |
||
| In JetBrains TeamCity before 2024.03 xSS was possible via Agent Distribution settings | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2024.03 reflected XSS was possible via Space connection configuration | 6.8 |
Moyen |
||
| In JetBrains TeamCity before 2024.03 2FA could be bypassed by providing a special URL parameter | 7.4 |
Haute |
||
| In JetBrains TeamCity before 2024.03 open redirect was possible on the login page | 6.1 |
Moyen |
||
| In JetBrains TeamCity before 2024.03 authenticated users without administrative permissions could register other users when self-registration was disabled | 6.5 |
Moyen |
||
| In JetBrains TeamCity before 2023.11 users with access to the agent machine might obtain permissions of the user running the agent process | 7.8 |
Haute |
||
| In JetBrains TeamCity before 2023.11.4 presigned URL generation requests in S3 Artifact Storage plugin were authorized improperly | 5.8 |
Moyen |
||
| In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible | 7.3 |
Haute |
||
| In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible | 9.8 |
Critique |
||
| In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible | 9.8 |
Critique |
||
| In JetBrains TeamCity before 2023.11.3 path traversal allowed reading data within JAR archives | 5.3 |
Moyen |
||
| In JetBrains TeamCity before 2023.11.2 limited directory traversal was possible in the Kotlin DSL documentation | 5.3 |
Moyen |
||
| In JetBrains TeamCity before 2023.11.2 stored XSS via agent distribution was possible | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2023.11.2 access control at the S3 Artifact Storage plugin endpoint was missed | 5.3 |
Moyen |
||
| In JetBrains TeamCity before 2023.11.1 a CSRF on login was possible | 8.8 |
Haute |
||
| In JetBrains TeamCity before 2023.05.4 stored XSS was possible during nodes configuration | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible | 9.8 |
Critique |
||
| In JetBrains TeamCity before 2023.05.3 reflected XSS was possible during user registration | 6.1 |
Moyen |
||
| In JetBrains TeamCity before 2023.05.3 reflected XSS was possible during copying Build Step | 6.1 |
Moyen |
||
| In JetBrains TeamCity before 2023.05.3 stored XSS was possible during Cloud Profiles configuration | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2023.05.2 reflected XSS via GitHub integration was possible | 6.1 |
Moyen |
||
| In JetBrains TeamCity before 2023.05.2 a ReDoS attack was possible via integration with issue trackers | 7.5 |
Haute |
||
| In JetBrains TeamCity before 2023.05.2 a token with limited permissions could be used to gain full account access | 8.8 |
Haute |
||
| In JetBrains TeamCity before 2023.05.1 build parameters of the "password" type could be written to the agent log | 6.5 |
Moyen |
||
| In JetBrains TeamCity before 2023.05.1 reflected XSS via the Referer header was possible during artifact downloads | 6.1 |
Moyen |
||
| In JetBrains TeamCity before 2023.05.1 stored XSS while viewing the build log was possible | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2023.05.1 build chain parameters of the "password" type could be written to the agent log | 6.5 |
Moyen |
||
| In JetBrains TeamCity before 2023.05.1 stored XSS while running custom builds was possible | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2023.05.1 parameters of the "password" type could be shown in the UI in certain composite build configurations | 6.5 |
Moyen |
||
| In JetBrains TeamCity before 2023.05.1 stored XSS when using a custom theme was possible | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2023.05 stored XSS in GitLab Connection page was possible | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2023.05 authentication checks were missing – 2FA was not checked for some sensitive account actions | 6.5 |
Moyen |
||
| In JetBrains TeamCity before 2023.05 a specific endpoint was vulnerable to brute force attacks | 7.5 |
Haute |
||
| In JetBrains TeamCity before 2023.05 reflected XSS in the Subscriptions page was possible | 6.1 |
Moyen |
||
| In JetBrains TeamCity before 2023.05 stored XSS in the NuGet feed page was possible | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2023.05 open redirect during oAuth configuration was possible | 4.8 |
Moyen |
||
| In JetBrains TeamCity before 2023.05 parameters of the "password" type from build dependencies could be logged in some cases | 5.3 |
Moyen |
||
| In JetBrains TeamCity before 2023.05 possible XSS in the Plugin Vendor URL was possible | 6.1 |
Moyen |
||
| In JetBrains TeamCity before 2023.05 stored XSS in the Show Connection page was possible | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2023.05 stored XSS in the Commit Status Publisher window was possible | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2023.05 improper permission checks allowed users without appropriate permissions to edit Build Configuration settings via REST API | 4.3 |
Moyen |
||
| In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possible | 9.8 |
Critique |
||
| In JetBrains TeamCity before 2022.10.3 stored XSS on the SSH keys page was possible | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2022.10.3 stored XSS on “Pending changes” and “Changes” tabs was possible | 5.4 |
Moyen |
||
| In JetBrains TeamCity before 2022.10.2 there was an XSS vulnerability in the group creation process. | 6.1 |
Moyen |
||
| In JetBrains TeamCity before 2022.10.2 there was an XSS vulnerability in the user creation process. | 6.1 |
Moyen |
||
| In JetBrains TeamCity before 2022.10.2 jVMTI was enabled by default on agents. | 9.8 |
Critique |
||
| In JetBrains TeamCity between 2022.10 and 2022.10.1 connecting to AWS using the "Default Credential Provider Chain" allowed TeamCity project administrators to access AWS resources normally limited to TeamCity system administrators. | 6.6 |
Moyen |
||
| In JetBrains TeamCity between 2022.10 and 2022.10.1 a custom STS endpoint allowed internal port scanning. | 5.3 |
Moyen |
2025©
tesweb SA
