JetBrains' TeamCity CI/CD tool has been hit by four vulnerabilities that allow authentication bypass. These include two critical vulnerabilities, alongside a high one and a medium one. Identified by CVE-2024-23917, CVE-2024-27198, CVE-2024-27199 and CVE-2024-24942, they have been affected a CVS v3.1 score of 9.8, 9.8, 7.3 and 5.3 respectively. The Stormshield Customer Security Lab details our protection offerings.
Every JetBrains TeamCity server version below 2023.11.4 is vulnerable to CVE-2024-27198 and CVE-2024-27199. Every server version below 2023.11.3 is also vulnerable to CVE-2024-23197 and CVE-2024-24942. Exploitation of these vulnerability is done through the server’s web interface.
Technical details of JetBrains vulnerabilities
CVE-2024-23917
This first vulnerability, CVE-2024-23917, is an authentication bypass, with no restriction. It stems from an error in the function responsible for choosing if a request needs to be evaluated by the authentication system. If a request ends with “.jsp” or “.jspf” and contains a non-null GET parameter “jsp_precompile”, authentication will not be checked. This behaviour can be abused by injecting “;anytext.jsp?jsp_precompile=1” after any authenticated path. Example: “/app/rest/users/id:1/tokens/name;randomname.jsp?jsp_precompile=1”
CVE-2024-27198
This second vulnerability, CVE-2024-27198, is also an authentication bypass, with no restriction. It also uses a “;” to abuse a filter testing if GET parameter “jsp” ends with “.jsp”. By using a path returning a 404 error such as “/abc” and by adding the GET parameter “jsp” containing the target path, followed by “;.jsp”, one can access any path not containing “admin/”, without any authentication. Example: “/abc?jsp=/app/rest/users/id:1/tokens/nameToken;.jsp”
CVE-2024-27199
This third vulnerability, CVE-2024-27199, is another authentication bypass, but using a path traversal. On some non-authenticated path, injecting a “../” allows access to some path without authentication. Example: “/res/../admin/diagnostic.jsp”
CVE-2024-24942
This fourth vulnerability, CVE-2024-24942, is a Path traversal in “/app/rest/swagger*”. Any path following “swagger*” is directly used in a function reading the target file. Therefore, it is possible to inject “../” to read files outside of the directory. This vulnerability is limited to certain types of files, which explains its medium CVSS score. Example: “/app/rest/swaggerui;/../../web.xml”
Attack modelling with MITRE ATT&CK
MITRE ATT&CK
- T1210 (Exploitation of Remote Services)
CWE
- CVE-2024-23917: CWE-288 – Authentication Bypass Using an Alternate Path or Channel
- CVE-2024-27198: CWE-288 – Authentication Bypass Using an Alternate Path or Channel
- CVE-2024-27199: CWE-22 – Improper Limitation of a Pathname to a Restricted Directory
- CVE-2024-24943: CWE-23 – Relative Path Traversal
JetBrains vulnerabilities: Stormshield Network Security protections
Protection to face CVE-2024-23917
- Signature http:url:decoded.427 - Exploitation of an authentication bypass in JetBrains TeamCity (CVE-2024-23917)
Confidence index for the protection offered by Stormshield |
Confidence index for the absence of false positives |
Protection to face CVE-2024-27198
- Signature http:url:decoded.425 - Exploitation of an authentication bypass in JetBrains TeamCity (CVE-2024-27198)
|
Confidence index for the protection offered by Stormshield |
Confidence index for the absence of false positives |
Protection to face CVE-2024-27199 & CVE-2024-24942
- Signature http:80 – Directory traversal
|
Confidence index for the protection offered by Stormshield |
Confidence index for the absence of false positives |
Recommandations regarding the JetBrains vulnerabilities
It is recommended to update JetBrains TeamCity servers to the latest version. The list of security vulnerability fixed by each version is available here: jetbrains.com/privacy-security/issues-fixed/?product=TeamCity
