Full Report
Detect and mitigate CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score: 7.3), authentication bypass vulnerabilities in JetBrains TeamCity.
Analysis Summary
# Vulnerability: JetBrains TeamCity Critical Authentication Bypass (CVE-2024-27198 & CVE-2024-27199)
## CVE Details
- CVE ID: CVE-2024-27198
- CVSS Score: 9.8 (Critical)
- CWE: Not explicitly listed, related to improper access control/request handling.
- CVE ID: CVE-2024-27199
- CVSS Score: 7.3 (High)
- CWE: Not explicitly listed, related to path traversal/improper access control.
## Affected Systems
- Products: JetBrains TeamCity On-Premises
- Versions: All versions up to, but not including, `2023.11.4`. (TeamCity Cloud instances were patched automatically).
- Configurations: Requires only HTTP(S) access to the TeamCity server.
## Vulnerability Description
This summary covers two related authentication bypass vulnerabilities allowing unauthenticated remote attackers with HTTP(S) access to gain administrative control or modify system settings.
**CVE-2024-27198 (CVSS 9.8):** This critical flaw stems from improper handling of requests within the `jetbrains.buildServer.controllers.BaseController` class. Attackers can manipulate URLs (potentially via specific parameters) to bypass authentication controls and directly invoke authenticated endpoints. Successful exploitation grants an attacker complete control over the server, allowing the creation of new administrator accounts or generation of administrator access tokens.
**CVE-2024-27199 (CVSS 7.3):** This high-severity vulnerability leverages path traversal issues in specific paths (e.g., `/res/`, `/update/`). This allows unauthenticated attackers to traverse to alternate endpoints, including those that leak sensitive configuration information (like JSP pages) or permit modification of system settings, such as uploading TLS certificates or changing the HTTPS port number, potentially leading to DoS or MITM attacks.
## Exploitation
- Status: Exploited in the wild. CVE-2024-27198 has been added to the CISA Known Exploited Vulnerabilities catalog.
- Complexity: Low (due to unauthenticated remote network access vector).
- Attack Vector: Network
## Impact
- Confidentiality: High (Information disclosure, access to sensitive settings)
- Integrity: High (Ability to create administrative accounts, change critical settings)
- Availability: Medium to High (Potential for Denial of Service via configuration changes)
## Remediation
### Patches
- Upgrade TeamCity On-Premises to version **2023.11.4** or newer.
### Workarounds
For users unable to immediately upgrade:
1. Install the "security patch" plugin provided by JetBrains.
- For TeamCity 2018.2 and newer: Link defanged: `https://download.jetbrains.com/teamcity/plugins/internal/security_patch_2024_02.zip`
- For TeamCity 2018.1 and older: Link defanged: `https://download.jetbrains.com/teamcity/plugins/internal/security_patch_2024_02_pre2018_2.zip`
## Detection
- Indicators of Compromise: Look for unusual user creation events or unauthorized management API calls post-exploitation attempt. System configuration changes (e.g., HTTPS port swaps) should be reviewed.
- Detection methods and tools: Review web server logs for suspicious request patterns targeting authenticated endpoints or unusual path traversals against TeamCity installations. Wiz customers can use pre-built queries in their Threat Center to search for vulnerable instances.
## References
- JetBrains advisory: Link defanged: `https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/`
- CISA KEV Catalog update regarding CVE-2024-27198: Link defanged: `https://www.cisa.gov/news-events/alerts/2024/03/07/cisa-adds-one-known-exploited-jetbrains-vulnerability-cve-2024-27198-catalog`
- Rapid7 analysis: Link defanged: `https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/`