CVE-2024-23917
published 2024-02-06CVE-2024-23917: In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible
PriorityP193critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
53.73%
98.9th percentile
In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jetbrains | teamcity | < 2023.11.3 | 2023.11.3 |
Detection & IOCsextracted from sources · hover to see the quote
url/app/rest/users/id:1/tokens/{{randstr}};.jsp?jsp_precompile=true
url/app/rest/server
othershodan:http.title:teamcity
othershodan:http.component:teamcity
otherfofa:title=teamcity
- →Exploit sends a POST request to /app/rest/users/id:1/tokens/<random>;.jsp?jsp_precompile=true with Content-Type: application/x-www-form-urlencoded to bypass authentication and generate an admin token. A successful response returns HTTP 200 with Content-Type application/xml and a <token name=...> element containing a Bearer token value.
- →After token extraction, the exploit performs a GET to /app/rest/server with the stolen Bearer token. A successful exploitation response returns HTTP 200 with Content-Type application/xml and a body containing '<projects href='.
- →Detection rule should match POST requests to paths matching the pattern /app/rest/users/id:1/tokens/*;.jsp with query parameter jsp_precompile=true — the semicolon path parameter injection is the core bypass mechanism.
- →GreyNoise created a tag 'JetBrains TeamCity Auth Bypass CVE-2024-23917 Attempt' indicating active scanning/exploitation attempts are being tracked in the wild. ↗
- →Regex pattern used to extract the Bearer token from the exploit response body: value="(.+)"
- ·The vulnerability affects all TeamCity On-Premises versions from 2017.1 through 2023.11.2. TeamCity Cloud servers were patched by JetBrains and were not observed to be attacked. ↗
- ·A security patch plugin is available as an alternative mitigation for servers running TeamCity 2018.2+ and TeamCity 2017.1, 2017.2, and 2018.1 that cannot immediately upgrade. ↗
- ·Shadowserver was tracking more than 2,000 TeamCity servers exposed online at time of disclosure; no confirmation of how many had been patched. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-73v5-rhgg-73mq: In JetBrains TeamCity before 2023
ghsa_unreviewed·2024-02-06
CVE-2024-23917 [CRITICAL] CWE-288 GHSA-73v5-rhgg-73mq: In JetBrains TeamCity before 2023
In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible
VulnCheck
JetBrains TeamCity Authentication Bypass Using an Alternate Path or Channel
vulncheck·2024·CVSS 9.8
CVE-2024-23917 [CRITICAL] JetBrains TeamCity Authentication Bypass Using an Alternate Path or Channel
JetBrains TeamCity Authentication Bypass Using an Alternate Path or Channel
In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible
Affected: JetBrains TeamCity
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2024-23917&date=2025-10-17; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2024-23917&date=2025-10-18; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2024-23917&date=2025-10-19; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2024-23917&date=2025-10-20; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE
No detection rules found.
Nuclei
JetBrains TeamCity > 2023.11.3 - Authentication Bypass
nuclei·CVSS 9.8
CVE-2024-23917 [CRITICAL] JetBrains TeamCity > 2023.11.3 - Authentication Bypass
JetBrains TeamCity > 2023.11.3 - Authentication Bypass
In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible
Template:
id: CVE-2024-23917
info:
name: JetBrains TeamCity > 2023.11.3 - Authentication Bypass
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible
impact: |
Unauthenticated attackers can bypass authentication to gain administrative access and potentially execute code on the TeamCity server.
remediation: |
Update JetBrains TeamCity to version 2023.11.3 or later.
reference:
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://www.rapid7.com/db/vulnerabilities/jetbrains-teamcity-cve-2024-23917/
classification:
cvss-metrics: CVSS:3
Wiz
Crying Out Cloud - March 2024 Newsletter | Wiz
blogs_wiz·2024-03-01·CVSS 8.6
CVE-2024-21626 [HIGH] Crying Out Cloud - March 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – crucial vulnerabilities, exclusive data, and noteworthy incidents. Stay informed and stay secure. Let's delve in.
Here are our cloud security highlights!
## 🐞 High Profile Vulnerabilities
Leaky Vessels: Docker and runc Container Escape Vulnerabilities
Several vulnerabilities have been revealed in the runC command line tool (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653). These flaws pose a risk of container escape, exploiting these vulnerabilities could grant unauthorized access to the host operating system, potentially compromising sensitive data and facilitating further attacks, particularly with superuser privileges.
According to Wiz data, 18% percent of cloud environments have resources
Bleepingcomputer
JetBrains warns of new TeamCity auth bypass vulnerability
blogs_bleepingcomputer·2024-02-06·CVSS 9.8
CVE-2024-23917 [CRITICAL] JetBrains warns of new TeamCity auth bypass vulnerability
## JetBrains warns of new TeamCity auth bypass vulnerability
## Sergiu Gatlan
JetBrains urged customers today to patch their TeamCity On-Premises servers against a critical authentication bypass vulnerability that can let attackers take over vulnerable instances with admin privileges.
Tracked as CVE-2024-23917 , this critical severity flaw impacts all versions of TeamCity On-Premises from 2017.1 through 2023.11.2 and can be exploited in remote code execution (RCE) attacks that don't require user interaction.
"We strongly advise all TeamCity On-Premises users to update their servers to 2023.11.3 to eliminate the vulnerability," JetBrains said .
"If your server is publicly accessible over the internet and you are unable to take one of the above mitigation steps immediately, we recommend
Greynoiseio
NoiseLetter May 2024
blogs_greynoiseio
NoiseLetter May 2024
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Greynoiseio
Storm⚡Watch: Unplugged
blogs_greynoiseio
Storm⚡Watch: Unplugged
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
2024-02-06
Published
Exploited in the wild