CVE-2024-23917
published 2024-02-06

CVE-2024-23917: In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible

Priority: P1 · 93 · critical
CVSS 3.1: 9.8
AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 53.73% (98.9th percentile)

Affected

1 range

Vendor | Product | Version range | Fixed in
jetbrains | teamcity | < 2023.11.3 | 2023.11.3

Detection & IOCs (extracted from sources)

url: /app/rest/users/id:1/tokens/{{randstr}};.jsp?jsp_precompile=true
url: /app/rest/server
other: shodan:http.title:teamcity
other: shodan:http.component:teamcity
other: fofa:title=teamcity
  • Exploit sends a POST request to /app/rest/users/id:1/tokens/<random>;.jsp?jsp_precompile=true with Content-Type: application/x-www-form-urlencoded to bypass authentication and generate an admin token. A successful response returns HTTP 200 with Content-Type application/xml and a <token name=...> element containing a Bearer token value.
  • After token extraction, the exploit performs a GET to /app/rest/server with the stolen Bearer token. A successful exploitation response returns HTTP 200 with Content-Type application/xml and a body containing '<projects href='.
  • Detection rule should match POST requests to paths matching the pattern /app/rest/users/id:1/tokens/*;.jsp with query parameter jsp_precompile=true — the semicolon path parameter injection is the core bypass mechanism.
  • GreyNoise created a tag 'JetBrains TeamCity Auth Bypass CVE-2024-23917 Attempt' indicating active scanning/exploitation attempts are being tracked in the wild.
  • Regex pattern used to extract the Bearer token from the exploit response body: value="(.+)"
  • The vulnerability affects all TeamCity On-Premises versions from 2017.1 through 2023.11.2. TeamCity Cloud servers were patched by JetBrains and were not observed to be attacked.
  • A security patch plugin is available as an alternative mitigation for servers running TeamCity 2018.2+ and TeamCity 2017.1, 2017.2, and 2018.1 that cannot immediately upgrade.
  • Shadowserver was tracking more than 2,000 TeamCity servers exposed online at time of disclosure; no confirmation of how many had been patched.
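
The request pattern from the detection notes above, applied to web access logs. This is an added example, not part of the original page or any vendor's rule: it flags the POST carrying the `;.jsp` path parameter and `jsp_precompile=true`, and escalates when the same client follows a successful request with a GET to /app/rest/server. Combined Log Format, correlation by client IP, percent-decoding before matching, and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Path shape from the detection note: /app/rest/users/id:1/tokens/<anything>;.jsp
BYPASS_PATH = re.compile(r"^/app/rest/users/id:1/tokens/[^/]*;\.jsp$", re.I)

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    raw_path, _, raw_query = target.partition("?")
    # Assumption: percent-decode first so an encoded ';' cannot dodge the match.
    return ip, method.upper(), unquote(raw_path), parse_qs(raw_query), int(status)

def is_bypass_attempt(method, path, query):
    flags = [v.lower() for v in query.get("jsp_precompile", [])]
    return method == "POST" and bool(BYPASS_PATH.match(path)) and "true" in flags

def scan(lines):
    """Return (line_no, client_ip, kind) alerts in log order."""
    alerts, issued = [], set()
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            continue
        ip, method, path, query, status = rec
        if is_bypass_attempt(method, path, query):
            if status == 200:  # server answered: a token was probably issued
                issued.add(ip)
            alerts.append((n, ip, "token_issued" if status == 200 else "attempt"))
        elif (method, path, status) == ("GET", "/app/rest/server", 200) and ip in issued:
            # Assumption: correlate by client IP, since access logs lack the token.
            alerts.append((n, ip, "token_used"))
    return alerts

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [06/Feb/2024:10:00:01 +0000] "POST /app/rest/users/id:1/tokens/Zq3x;.jsp?jsp_precompile=true HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Feb/2024:10:00:02 +0000] "GET /app/rest/server HTTP/1.1" 200 2048',
    '198.51.100.9 - - [06/Feb/2024:10:05:00 +0000] "POST /app/rest/users/id:1/tokens/a1%3B.jsp?jsp_precompile=TRUE HTTP/1.1" 401 90',
    '192.0.2.44 - ci [06/Feb/2024:10:06:00 +0000] "GET /app/rest/server HTTP/1.1" 200 2048',
    '192.0.2.44 - ci [06/Feb/2024:10:06:05 +0000] "POST /app/rest/users/id:1/tokens/ci-token HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

A `token_issued` alert means the server returned HTTP 200 to the bypass request, so on an unpatched server any tokens created for that user should be treated as compromised and revoked.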

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | 9.8 | CRITICAL