JetBrains TeamCity, authentication bypass via path traversal
In JetBrains TeamCity before 2023.11.4, an authentication bypass that allowed an attacker to perform admin actions was possible.
Overview
CVE-2024-27198 is a critical authentication bypass vulnerability in JetBrains TeamCity, a popular CI/CD server used extensively in software development environments. The vulnerability allows unauthenticated remote attackers to gain full administrative access to TeamCity servers by exploiting a path traversal flaw in the URL handling mechanism. This vulnerability was mass-exploited beginning in March 2024 by multiple threat actors including BianLian ransomware operators and Latrodectus malware distributors.
Technical Details
The vulnerability exists in TeamCity's web router and authentication filter handling. The web router accepts URL paths with a trailing /;.jsp suffix (or any character sequence after a semicolon) and treats them as equivalent to the unsuffixed path. However, the authentication filter fails to properly evaluate these modified paths, creating a security gap.
By appending /;.jsp to admin endpoint URLs, attackers can bypass authentication entirely. A primary target is the /app/rest/users endpoint, where attackers can create new administrator accounts without any credentials. These malicious admin accounts inherit full project access and complete build-system control.
The root cause is inconsistent path normalization between the routing component and the authentication component, allowing the semicolon-based path manipulation to circumvent security controls.
Impact
The impact of this vulnerability is severe due to TeamCity's central role in software development pipelines:
- Complete Administrative Takeover: Attackers gain full control over the TeamCity server
- Supply Chain Attacks: Malicious code can be injected into customer projects and build artifacts
- Credential Theft: Access to VCS root credentials, agent authentication tokens, and secrets stored in TeamCity parameters
- Lateral Movement: Compromise of source repositories that TeamCity has read access to
- Ransomware Deployment: BianLian operators used this vulnerability for initial network access
- Malware Distribution: Latrodectus operators deployed IcedID and other malware through compromised instances
CISA added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog on March 7, 2024, just three days after public disclosure.
Mitigation
- Apply Patch Immediately: Upgrade to TeamCity version 2023.11.4 or later
- Audit User Accounts: Review all administrator accounts under Administration → Users and disable any unauthorized accounts
- Inspect Build Configurations: Check for unexpected build steps, script modifications, or pipelines fetching from unfamiliar external repositories
- Rotate Credentials: Change VCS root credentials, agent authentication tokens, and all secrets stored in TeamCity parameters
Detection
Organizations should monitor for:
- Unexpected administrator account creation in TeamCity logs
- HTTP requests containing /;.jsp or similar semicolon-based path manipulation patterns
- Unusual build configuration changes or new external repository connections
- Unauthorized access to the /app/rest/users endpoint
- New or modified build steps that execute suspicious commands
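The semicolon handling described in Technical Details, turned into a log-triage check that normalizes each request path the way a lenient router would and flags requests where the normalized path reaches a sensitive REST endpoint but the raw path carried a semicolon segment. This is an added example, not TeamCity's own code: the combined-style log format, the prefix list and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Endpoints worth alerting on (assumed list; /app/rest/users is the one the advisory names).
SENSITIVE_PREFIXES = ("/app/rest/users", "/app/rest/")

# Constructed sample lines in a generic combined-log shape. The real TeamCity
# access-log layout is not described on the page, so this format is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2024:10:01:02 +0000] "GET /app/rest/users HTTP/1.1" 401 0
10.0.0.5 - - [05/Mar/2024:10:01:03 +0000] "POST /app/rest/users/;.jsp HTTP/1.1" 200 512
10.0.0.7 - - [05/Mar/2024:10:02:00 +0000] "GET /favicon.ico;v=2 HTTP/1.1" 200 1024
10.0.0.5 - - [05/Mar/2024:10:02:30 +0000] "GET /app/rest/users;x=1?fields=id HTTP/1.1" 403 77
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def normalize_path(raw_path):
    """Mimic the lenient router: drop everything from ';' in every segment and
    discard segments left empty, so '/app/rest/users/;.jsp' -> '/app/rest/users'.
    This is the canonical form an authentication filter must also decide on."""
    segments = [seg.split(";", 1)[0] for seg in raw_path.split("/")]
    return "/" + "/".join(seg for seg in segments if seg)


def analyze_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = urlsplit(m.group("target")).path  # strips ?query and #fragment, keeps ';'
    canonical = normalize_path(raw)
    if ";" in raw and canonical.startswith(SENSITIVE_PREFIXES):
        status = int(m.group("status"))
        return {
            "ip": m.group("ip"), "method": m.group("method"), "raw": raw,
            "normalized": canonical, "status": status,
            # A 2xx means the filter let the mangled path through: treat as high.
            "severity": "high" if 200 <= status < 300 else "medium",
        }
    return None


def find_suspicious(log_text):
    """Run the check over a whole log and return the findings in file order."""
    return [f for f in map(analyze_line, log_text.splitlines()) if f]
```

Requests to non-sensitive paths that merely carry matrix-style parameters (the favicon line) are ignored, which keeps the rule from flooding on ordinary traffic.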