JetBrains TeamCity is a popular Continuous Integration and Continuous Deployment (CI/CD) server used by thousands of organizations to automate their build and deployment pipelines. Security in CI/CD tools is crucial—their misuse can lead to leaks of secrets, code, or even production credentials. In October 2022, a security issue dubbed CVE-2022-44646 was found in TeamCity, highlighting a gap in how user changes were tracked.

This long-read uncovers what CVE-2022-44646 is, how it works, why it matters, and how admins can protect themselves.

What Is CVE-2022-44646?

In versions of TeamCity before 2022.10, a major issue was discovered: when a user's settings were edited through the TeamCity UI or API, no audit entry was recorded. This means any changes to user permissions or profiles—potentially made by an attacker—could go unnoticed.

No audit trail: TeamCity did not log edits to user accounts before version 2022.10.

- Potential impact: Changes to user roles, group memberships, and other settings wouldn't be visible to administrators.
- Attackers could cover tracks: A malicious user with access could alter users (e.g., grant themselves admin) without detection.

Why Is This Problematic?

Audit logs make it possible for organizations to identify malicious or suspicious activity. Without them, admins have little way to know:

What exactly was altered

If attackers obtained access—say through stolen credentials—they could escalate privileges or create backdoors. Without logging, these actions could remain invisible for months.

Demonstrating the Vulnerability

Suppose you have a TeamCity server running version 2022.09. Even with proper authentication and permissions configured, the server won't log if someone changes the roles or group memberships of a user.

Example: Changing a User's Role

You edit a user via the API to give them Administrator permissions.

API Request Example (PATCH)

PATCH /app/rest/users/id:5
Content-Type: application/json
Authorization: Bearer <your_token>

{
  "roles": [
    {
      "roleId": "SYSTEM_ADMIN",
      "scope": "g"
    }
  ]
}

In versions before 2022.10,

But no log entry or audit trail would be generated.

Impact: If this was done by an attacker or rogue employee, no one would know unless they individually checked each user.

How Was It Fixed?

Starting from TeamCity version 2022.10, JetBrains changed how the product handles such user edits:

The audit log records who made the change, the time, and what was changed.

This fix dramatically improves visibility. Now, any edit to user settings—especially those touching roles or groups—creates a trace in the audit log.

Exploit & Detection Details

Although this CVE doesn't allow remote code execution or direct data leaks, it facilitates lateral movement or privilege escalation by hiding an attacker's tracks.

Detection

In affected versions, admins cannot retroactively detect these changes through log review. The best approach is:

Upgrade! Move to TeamCity 2022.10 or later

- Update documentation

References

- JetBrains Security Bulletin: CVE-2022-44646
- JetBrains TeamCity Release Notes
- Official TeamCity Documentation

Conclusion

CVE-2022-44646 signals the importance of robust audit logging in all enterprise tools, especially those at the core of your software delivery pipeline. If you run TeamCity, make sure you've upgraded past this vulnerability and always monitor user permissions—even when everything seems quiet.

Timeline

Published on: 11/03/2022 14:15:00 UTC
Last modified on: 11/03/2022 18:03:00 UTC