
Security Insights: JetBrains TeamCity CVE-2024-27198 and CVE-2024-27199

Analysis of critical TeamCity authentication bypass vulnerabilities and detection strategies for identifying exploitation in your environment.

cve teamcity authentication-bypass exploitation detection splunk

Originally published on the Splunk Security Blog
Read the full article: JetBrains TeamCity CVEs

The Vulnerabilities

Two critical vulnerabilities in JetBrains TeamCity On-Premises, both fixed in 2023.11.4:

CVE-2024-27198 (CVSS 9.8)

Authentication bypass via an alternative path (CWE-288). An unauthenticated attacker can reach any authenticated endpoint, including the REST API, and create a new system administrator, which gives full administrative control of the server.

CVE-2024-27199 (CVSS 7.3)

Path traversal (CWE-23). An unauthenticated attacker can use ".." segments to reach a limited set of authenticated pages, disclosing server details and allowing limited system modification, such as replacing the server's HTTPS certificate.

Why TeamCity Matters

TeamCity is a CI/CD platform, so a compromised server is a foothold into the whole software delivery chain. Compromise means:

  • Source code access - read every repository the server can check out
  • Build pipeline control - alter build steps or artifacts for supply chain attacks
  • Credential theft - stored VCS credentials, deploy keys, cloud secrets and API tokens
  • Lateral movement - build agents and deployment credentials reach production systems

Exploitation

The CVE-2024-27198 bypass, in the form published in Rapid7's disclosure, needs three things in one request: a path the server answers with a 404 (any nonexistent path, /hax here), a jsp query parameter naming the authenticated endpoint to reach, and a target URI that ends in ".jsp". The ";.jsp" suffix satisfies the last condition as a servlet path parameter, which the router strips before matching, so the forwarded request still lands on the protected endpoint.

# Authentication bypass: unauthenticated read of the server version
GET /hax?jsp=/app/rest/server;.jsp HTTP/1.1

# Create a global system administrator through the same bypass
POST /hax?jsp=/app/rest/users;.jsp HTTP/1.1
Content-Type: application/json

{"username":"attacker","password":"password","roles":{"role":[{"roleId":"SYSTEM_ADMIN","scope":"g"}]}}

Detection Strategies

The SPL below assumes web access logs from the TeamCity server (or the reverse proxy in front of it) mapped to the Splunk Web data model fields (src_ip, uri_path, uri_query, http_method, status); adjust index, sourcetype and field names to your deployment.

Authentication Bypass Attempts

Legitimate clients do not put ";.jsp" path parameters or a jsp= query parameter on TeamCity requests, so any match is worth triage. A successful bypass typically returns status 200 where an unauthenticated request would have returned 401.

index=web sourcetype=teamcity
  (uri_path="*;.jsp*" OR uri_path="*;.html*" OR uri_query="*jsp=*")
| stats count by src_ip, uri_path, uri_query, status

New Admin User Creation

Search the TeamCity server logs for user creation and role assignment events. The literal message text and field names depend on which log you ingest (for example teamcity-activities.log) and how it is parsed, so validate the search against a known-good user creation first.

index=teamcity "user created" role="SYSTEM_ADMIN"
| table _time, src_ip, username, action

Suspicious API Access

A burst of REST API calls from a single source can indicate post-bypass enumeration or automation. The threshold applies per search window; baseline it against known integrations and build agents before alerting on it.

index=web sourcetype=teamcity uri_path="/app/rest/*"
| stats count by src_ip, uri_path, http_method
| where count > 100
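To show what these searches are actually matching, here is an added example (my own code, not from the Splunk article, JetBrains or Rapid7) that runs the same two detections in Python over constructed access-log lines. It reproduces the two mechanics the vulnerabilities depend on: the servlet layer strips ";.jsp" path parameters before routing, so a jsp= target of /app/rest/users;.jsp still reaches the REST API (the CVE-2024-27198 bypass), and ".." segments resolve to a different route than the raw URI shows (the CVE-2024-27199 traversal). The combined-log-format lines, the 203.0.113.7 source address, the tag names and the PROTECTED_PREFIXES list are all constructed for this example.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic). The
# 203.0.113.7 entries mirror the bypass and traversal requests described above.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2024:10:01:02 +0000] "GET /login.html HTTP/1.1" 200 1532
10.0.0.5 - - [05/Mar/2024:10:01:05 +0000] "GET /app/rest/server HTTP/1.1" 401 0
203.0.113.7 - - [05/Mar/2024:10:02:11 +0000] "GET /hax?jsp=/app/rest/server;.jsp HTTP/1.1" 200 812
203.0.113.7 - - [05/Mar/2024:10:02:14 +0000] "POST /hax?jsp=/app/rest/users;.jsp HTTP/1.1" 200 640
203.0.113.7 - - [05/Mar/2024:10:03:01 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 2201
10.0.0.9 - - [05/Mar/2024:10:04:00 +0000] "GET /app/rest/builds?locator=running:true HTTP/1.1" 200 4100
"""

LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]+" (?P<status>\d{3}) \S+$'
)
PROTECTED_PREFIXES = ("/app/rest/", "/admin/")  # assumed authenticated areas

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def query_params(query):
    """Split a query string on '&' only (never on ';', so ';.jsp' survives)."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote(key), []).append(unquote(value))
    return params

def strip_path_params(path):
    """Drop ';...' path parameters from every segment, as the servlet layer does
    before route matching: '/app/rest/users;.jsp' -> '/app/rest/users'."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def effective_path(uri):
    """Path the application router actually sees: decoded, path parameters
    stripped and '..' segments resolved."""
    path = strip_path_params(unquote(urlsplit(uri).path))
    return posixpath.normpath(path) if path else "/"

def classify(rec):
    """Return the detection tags that fire for one parsed request."""
    tags = []
    parts = urlsplit(rec["uri"])
    raw_path = unquote(parts.path)
    # CVE-2024-27198: jsp= parameter whose value is an endpoint carrying ';.jsp'
    for target in query_params(parts.query).get("jsp", []):
        if ";" in target and target.endswith(".jsp"):
            tags.append("cve-2024-27198:jsp-param-bypass")
            forwarded = effective_path(target)
            if forwarded.startswith(PROTECTED_PREFIXES):
                tags.append("reaches-protected-endpoint:" + forwarded)
            break
    # the ';.jsp' / ';.html' suffix on the request path itself
    if re.search(r";\.(jsp|html)\b", raw_path):
        tags.append("suspicious-path-parameter")
    # CVE-2024-27199: '..' traversal that changes where the request is routed
    eff = effective_path(rec["uri"])
    if ".." in raw_path.split("/") and eff != raw_path:
        tags.append("cve-2024-27199:traversal")
        if eff.startswith(PROTECTED_PREFIXES):
            tags.append("reaches-protected-endpoint:" + eff)
    return tags

def detect(log_text):
    """Run classify() over every line; return findings for lines with tags."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            findings.append({"src_ip": rec["src_ip"], "method": rec["method"],
                             "uri": rec["uri"], "status": int(rec["status"]),
                             "effective_path": effective_path(rec["uri"]),
                             "tags": tags})
    return findings

def count_by_source(findings):
    """Equivalent of '| stats count by src_ip' over the findings."""
    return dict(Counter(f["src_ip"] for f in findings))

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["src_ip"], f["method"], f["uri"], f["status"],
              "->", f["effective_path"], f["tags"])
    print(count_by_source(detect(SAMPLE_LOG)))
```

Run it directly to print each finding and a per-source count. The effective_path value is what to pivot on in TeamCity's own logs, since the raw URI in the access log will not match the route the server actually executed; that mismatch between what the proxy logged and what the application did is exactly why both bugs slip past naive path-based allow lists.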

Post-Exploitation Indicators

  • New admin users, or new access tokens issued for existing admin accounts through the REST API
  • Modified build configurations, build steps or artifact settings
  • Unexpected build agent authorizations or unusual agent activity
  • Access to stored secrets, VCS credentials and tokens

Mitigation

  • Update to TeamCity 2023.11.4 or later (JetBrains also published a security patch plugin for installations that cannot upgrade immediately)
  • Restrict network access to TeamCity: keep it off the public internet, behind a VPN or an allow-listed reverse proxy
  • Monitor for the authentication bypass and traversal patterns above
  • Audit admin user creation and access token issuance; treat an internet-exposed, unpatched server as potentially compromised and review the post-exploitation indicators

