NAVANEM
CVE-2024-27199⚡ exploited in the wild

JetBrains TeamCity, path traversal authentication bypass on selected endpoints

In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible.

Overview

CVE-2024-27199 is a path traversal vulnerability in JetBrains TeamCity, a popular continuous integration and continuous deployment (CI/CD) server. The flaw exists in TeamCity's static asset handler and allows unauthenticated attackers to access a limited subset of administrative endpoints. While less severe than its companion vulnerability CVE-2024-27198 (which provides full administrative access), this vulnerability still poses significant risks, particularly in supply-chain attack scenarios. The vulnerability affects TeamCity versions prior to 2023.11.4 and has been confirmed as actively exploited in the wild.

Technical Details

The vulnerability stems from improper path validation in TeamCity's static asset handler. By crafting malicious path traversal sequences, an unauthenticated attacker can bypass authentication controls and reach specific administrative endpoints that should require authentication.

The exposed endpoints primarily include:

  • File upload functionality
  • Agent push paths

Attackers can leverage these endpoints to upload files to the TeamCity server or manipulate build agent configurations without valid credentials. The path traversal technique allows requests to escape the intended static asset directory and reach protected administrative resources.

This vulnerability has been observed being used as a fallback attack vector when CVE-2024-27198 exploitation was unsuccessful, such as when admin account creation was blocked or detected.

Impact

While the blast radius is more limited compared to CVE-2024-27198, successful exploitation enables attackers to:

  • Upload malicious build agent payloads to the TeamCity server
  • Modify selected configuration files
  • Potentially compromise the software supply chain by injecting malicious artifacts into build processes
  • Establish persistence within the CI/CD environment

For Managed Service Providers (MSPs) and organizations using TeamCity, a compromised build server represents a significant supply-chain risk, as attackers could potentially distribute malicious artifacts to downstream customers and systems.

Mitigation

  1. Immediate patching: Upgrade to TeamCity version 2023.11.4 or later, which addresses both CVE-2024-27199 and CVE-2024-27198
  2. File system audit: Examine uploaded files in <TeamCity data dir>/system/ and static asset locations for unexpected or suspicious additions
  3. Agent activity review: Analyze agent push activity logs for the period when the system was potentially exposed
  4. Network segmentation: Restrict network access to TeamCity servers to authorized users and systems only

Detection

  • Monitor web server logs for path traversal patterns targeting static asset paths
  • Review authentication logs for unexpected access to administrative endpoints
  • Audit file creation events in TeamCity data directories
  • Rapid7 has confirmed active exploitation; consult their threat intelligence for indicators of compromise