CVE-2024-27198
published 2024-03-04

CVE-2024-27198: In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible

Priority: P1 (100, critical)
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability (due 2024-03-28)
Exploited in the wild
EPSS: 99.94% (100.0th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
jetbrains | teamcity | < 2023.11.4 | 2023.11.4

Detection & IOCs (extracted from sources)

path: /res/../admin/diagnostic.jsp
path: /.well-known/acme-challenge/../../admin/diagnostic.jsp
path: /update/../admin/diagnostic.jsp
yara: nuclei template id: CVE-2024-27199; matchers: status_code==200, contains(header,'text/html'), contains_all(body,'Debug Logging','CPU & Memory Usage')
  • Look for unauthenticated GET requests to path-traversal variants of /admin/diagnostic.jsp (e.g. /res/../admin/diagnostic.jsp, /update/../admin/diagnostic.jsp, /.well-known/acme-challenge/../../admin/diagnostic.jsp) in TeamCity web server logs — these are the canonical exploit paths for CVE-2024-27198/CVE-2024-27199.
  • Responses to exploit attempts return HTTP 200 with Content-Type text/html and body containing both 'Debug Logging' and 'CPU & Memory Usage' strings — alert on this combination from unauthenticated sessions.
  • Exploitation of CVE-2024-27198 involves crafting a URL with specific parameters to call authenticated endpoints without authentication — monitor for anomalous unauthenticated requests to admin/API endpoints in TeamCity access logs.
  • The root cause class is jetbrains.buildServer.controllers.BaseController — monitor for unexpected controller invocations or errors referencing this class in TeamCity application logs.
  • Exploitation activity for CVE-2024-27198 was first observed around Mar 4th 22:00 UTC — use this timestamp as a baseline for retrospective log analysis on TeamCity servers.
  • Use Shodan query 'http.component:"TeamCity"' to identify internet-exposed TeamCity instances for asset discovery and attack surface reduction.
  • CVE-2024-27199 bypass paths include /res/, /update/, and /app/https/settings/uploadCertificate — monitor unauthenticated access to these paths as indicators of exploitation.
  • TeamCity Cloud instances were automatically patched by JetBrains and are not affected; these indicators apply only to on-premises TeamCity installations running versions through 2023.11.3.
  • The Nuclei template provided targets CVE-2024-27199 (path traversal, CVSS 7.3) via /admin/diagnostic.jsp paths, not the more critical CVE-2024-27198 (CVSS 9.8) authentication bypass — ensure detection coverage addresses both CVEs separately.
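
The log check described in the first two bullets, as an added example (not from the sources this page quotes). It generalizes from the three listed prefixes to any request whose path contains a `..` segment and resolves into /admin/. It assumes a combined-format access log in which the remote-user field is `-` for unauthenticated requests; the log lines are constructed, and the response-body markers are not checked because access logs do not record bodies.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumed combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
PROTECTED_PREFIX = "/admin/"  # area the page's traversal variants resolve into

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [04/Mar/2024:22:05:11 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 5120',
    '203.0.113.7 - - [04/Mar/2024:22:05:12 +0000] "GET /.well-known/acme-challenge/%2e%2e/%2e%2e/admin/diagnostic.jsp HTTP/1.1" 200 5120',
    '198.51.100.4 - alice [04/Mar/2024:22:06:00 +0000] "GET /admin/diagnostic.jsp HTTP/1.1" 200 5120',
    '198.51.100.9 - - [04/Mar/2024:22:07:30 +0000] "GET /update/../admin/diagnostic.jsp HTTP/1.1" 401 0',
    '198.51.100.9 - - [04/Mar/2024:22:08:00 +0000] "GET /res/../img/logo.png HTTP/1.1" 200 300',
]

def classify(line):
    """Return a finding for a traversal request that resolves into /admin/, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw_path = urlsplit(m["target"]).path
    # Decode twice so %2e%2e and %252e%252e are both seen as "..".
    decoded = unquote(unquote(raw_path))
    if ".." not in decoded.split("/"):
        return None  # direct requests to /admin/ are normal admin traffic
    resolved = posixpath.normpath(decoded)
    if not resolved.startswith(PROTECTED_PREFIX):
        return None
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "raw": raw_path,
        "resolved": resolved,
        "status": int(m["status"]),
        "served": m["status"] == "200",        # page was actually returned
        "authenticated": m["user"] != "-",
    }

def scan(lines):
    """Collect findings for every matching line, preserving log order."""
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["ts"], f["ip"], f["raw"], "->", f["resolved"], f["status"])
```

Findings with `served` true and `authenticated` false are the ones to triage first; a non-200 status still records a probe worth correlating by source address.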

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | 9.8 | CRITICAL
cisa | 9.8 | CRITICAL