JetBrains TeamCity < 2025.07.2 Information Disclosure (Windows)

🗓️ 18 Sep 2025 00:00:00Reported by TenableType

TeamCity on Windows before 2025.07.2 leaks credentials via missing Git URL validation by an authenticated remote attacker.

Reporter	Title	Published	Views	Family All 11
Circl	CVE-2025-59457	17 Sep 202509:41	–	circl
CNNVD	JetBrains TeamCity 安全漏洞	17 Sep 202500:00	–	cnnvd
CNVD	JetBrains TeamCity Credentials Disclosure Vulnerability	19 Sep 202500:00	–	cnvd
CVE	CVE-2025-59457	17 Sep 202509:04	–	cve
Cvelist	CVE-2025-59457	17 Sep 202509:04	–	cvelist
EUVD	EUVD-2025-29702	3 Oct 202520:07	–	euvd
NVD	CVE-2025-59457	17 Sep 202509:15	–	nvd
OSV	CVE-2025-59457	17 Sep 202509:15	–	osv
Positive Technologies	PT-2025-38135	17 Sep 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-59457	19 Sep 202509:30	–	redhatcve

Source	Link
jetbrains	www.jetbrains.com/privacy-security/issues-fixed/
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(265378);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/21");

  script_cve_id("CVE-2025-59457");
  script_xref(name:"IAVA", value:"2025-A-0691-S");

  script_name(english:"JetBrains TeamCity < 2025.07.2 Information Disclosure (Windows)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of JetBrains TeamCity installed on the remote Windows host is prior to 2025.07.2. It is, therefore,
affected by an information disclosure vulnerability due to missing Git URL validation. An authenticated, remote attacker
can exploit this to cause credential leakage.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.jetbrains.com/privacy-security/issues-fixed/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to JetBrains TeamCity version 2025.07.2 or later.");
  script_set_attribute(attribute:"agent", value:"windows");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-59457");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/09/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/09/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/09/18");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:jetbrains:teamcity");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("jetbrains_teamcity_web_detect.nbin", "jetbrains_teamcity_win_installed.nbin");
  script_require_keys("installed_sw/JetBrains TeamCity");

  exit(0);
}

include('vdf.inc');

# @tvdl-content
var vuln_data = {
  'metadata': {'spec_version': '1.0'},
  'requires': [
    {'scope': 'target', 'match': {'os': 'windows'}}
  ],
  'checks': [
    {
      'product': {'name': 'JetBrains TeamCity', 'type': 'app'},
      'check_algorithm': 'default',
      'constraints' : [
        {'fixed_version': '2025.07.2'}
      ]
    }
  ]
};

var vdf_result = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_WARNING);
vdf::handle_check_and_report_errors(vdf_result:vdf_result);

21 Jan 2026 00:00Current

5.6Medium risk

Vulners AI Score5.6

CVSS 3.17.7

EPSS0.00002

SSVC