CVE-2024-27199
published 2024-03-04

CVE-2024-27199: In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible

Priority: P192 · high · 7.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:L
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2026-05-04
Exploited in the wild
EPSS: 99.99% (100.0th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
jetbrains | teamcity | < 2023.11.4 | 2023.11.4

Detection & IOCs (extracted from sources)

url: /res/../admin/diagnostic.jsp
url: /.well-known/acme-challenge/../../admin/diagnostic.jsp
url: /update/../admin/diagnostic.jsp
path: /res/
path: /update/
path: /app/https/settings/uploadCertificate
path: /admin/diagnostic.jsp
yara: nuclei template CVE-2024-27199: GET paths /res/../admin/diagnostic.jsp, /.well-known/acme-challenge/../../admin/diagnostic.jsp, /update/../admin/diagnostic.jsp; match: status_code==200, header contains text/html, body contains_all 'Debug Logging','CPU & Memory Usage'
  • CVE-2024-27199 is exploited through path traversal: unauthenticated GET requests to paths prefixed with /res/, /update/, or /.well-known/acme-challenge/ reach /admin/diagnostic.jsp. Detect HTTP 200 responses to these traversal paths from unauthenticated sources.
  • Successful exploitation of CVE-2024-27199 returns HTTP 200 with a body containing both 'Debug Logging' and 'CPU & Memory Usage' strings, indicating access to the admin diagnostic page without authentication.
  • CVE-2024-27199 can be abused to upload a rogue HTTPS certificate via /app/https/settings/uploadCertificate, enabling adversary-in-the-middle attacks or DoS by changing the HTTPS port number.
  • Monitor TeamCity servers for unexpected rogue administrator account creation, which is a strong indicator of post-exploitation activity following CVE-2024-27199 or CVE-2024-27198 exploitation.
  • Use Shodan query 'http.component:"TeamCity"' to identify internet-exposed TeamCity instances for asset inventory and attack surface reduction.
  • CVE-2024-27199 only affects on-premises TeamCity installations through version 2023.11.3. TeamCity Cloud instances were patched automatically and show no evidence of exploitation.
  • The path traversal bypass is limited in scope compared to CVE-2024-27198; it allows only a limited number of admin actions (e.g., certificate upload, HTTPS port change, diagnostic page access) rather than full administrative control.
  • The security patch plugin workaround is available for TeamCity versions 2018.2 and newer as well as 2018.1 and older, for organizations unable to immediately upgrade to 2023.11.4.
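
The log check described in the first two detection notes, as an added example that is not part of the original page or of any vendor tooling. It assumes a reverse-proxy or access log in Combined Log Format; the function names and the sample log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Prefixes and protected paths as listed in the IOCs above.
BYPASS_PREFIXES = ("/res/", "/update/", "/.well-known/acme-challenge/")
PROTECTED = ("/admin/", "/app/https/settings/")

# Assumption: access log in Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

def classify(line):
    """Return a finding for a traversal request to a protected path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = unquote(urlsplit(m["target"]).path)  # drop the query, decode %xx
    if not raw.startswith(BYPASS_PREFIXES) or ".." not in raw.split("/"):
        return None
    resolved = posixpath.normpath(raw)  # collapse the ../ segments
    if not resolved.startswith(PROTECTED):
        return None
    return {
        "ip": m["ip"],
        "method": m["method"],
        "raw": raw,
        "resolved": resolved,
        # HTTP 200 on such a request is the success signal noted above.
        "served": m["status"] == "200",
    }

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation IP ranges, invented sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Mar/2024:10:00:01 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 5120',
    '203.0.113.7 - - [04/Mar/2024:10:00:02 +0000] "GET /.well-known/acme-challenge/../../admin/diagnostic.jsp HTTP/1.1" 200 5120',
    '203.0.113.7 - - [04/Mar/2024:10:00:03 +0000] "GET /update/../admin/diagnostic.jsp HTTP/1.1" 403 120',
    '198.51.100.4 - - [04/Mar/2024:10:01:00 +0000] "GET /res/../img/logo.png HTTP/1.1" 200 900',
    '198.51.100.4 - - [04/Mar/2024:10:01:05 +0000] "GET /admin/diagnostic.jsp HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["raw"], "->", f["resolved"], "served" if f["served"] else "blocked")
```

Findings with `served` set are the ones to triage first; the remaining findings are attempts that the server did not answer with HTTP 200.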

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
vulncheck | | 7.3 | HIGH |
cisa | | 7.3 | HIGH |