JetBrains' TeamCity CI/CD tool is affected by four vulnerabilities that allow authentication bypass. These include two critical vulnerabilities, alongside a high one and a medium one. Identified as CVE-2024-23917, CVE-2024-27198, CVE-2024-27199 and CVE-2024-24942, they have been assigned CVSS v3.1 scores of 9.8, 9.8, 7.3 and 5.3 respectively. The Stormshield Customer Security Lab details our protection offerings.

Every JetBrains TeamCity server version below 2023.11.4 is vulnerable to CVE-2024-27198 and CVE-2024-27199. Every server version below 2023.11.3 is also vulnerable to CVE-2024-23917 and CVE-2024-24942. These vulnerabilities are exploited through the server’s web interface.

 

Technical details of JetBrains vulnerabilities

CVE-2024-23917

This first vulnerability, CVE-2024-23917, is an authentication bypass, with no restriction. It stems from an error in the function that decides whether a request needs to be evaluated by the authentication system. If a request ends with “.jsp” or “.jspf” and contains a non-null GET parameter “jsp_precompile”, authentication is not checked. This behaviour can be abused by injecting “;anytext.jsp?jsp_precompile=1” after any authenticated path. Example: “/app/rest/users/id:1/tokens/name;randomname.jsp?jsp_precompile=1”

CVE-2024-27198

This second vulnerability, CVE-2024-27198, is also an authentication bypass, with no restriction. It also uses a “;”, this time to abuse a filter that tests whether the GET parameter “jsp” ends with “.jsp”. By requesting a path that returns a 404 error, such as “/abc”, and adding the GET parameter “jsp” containing the target path followed by “;.jsp”, one can access any path not containing “admin/”, without any authentication. Example: “/abc?jsp=/app/rest/users/id:1/tokens/nameToken;.jsp”

CVE-2024-27199

This third vulnerability, CVE-2024-27199, is another authentication bypass, this time using a path traversal. On some unauthenticated paths, injecting “../” gives access to some paths without authentication. Example: “/res/../admin/diagnostic.jsp”

CVE-2024-24942

This fourth vulnerability, CVE-2024-24942, is a path traversal in “/app/rest/swagger*”. Any path following “swagger*” is passed directly to a function that reads the target file. It is therefore possible to inject “../” to read files outside of the directory. This vulnerability is limited to certain types of files, which explains its medium CVSS score. Example: “/app/rest/swaggerui;/../../web.xml”
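The four request shapes described above can be looked for in the TeamCity server's (or a reverse proxy's) access logs. The following is an added example, not Stormshield's signatures or JetBrains code: the regular expressions are heuristics derived from the descriptions above, and the log lines are constructed (documentation IP addresses, combined log format assumed).

```python
import re
from urllib.parse import unquote

# Heuristics approximating the four request shapes described above.
# They are not Stormshield's signatures; tune them before alerting on them.
SEMI_JSP_PATH = re.compile(r";[^/]*\.jspf?$")   # path ends in ";anytext.jsp(f)"
SEMI_JSP_PARAM = re.compile(r";[^/]*\.jsp$")    # "jsp" value ends in ";.jsp"
REQ_LINE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+"')

def classify(uri):
    """Return the CVE ids whose described request shape this URI matches."""
    raw_path, _, raw_query = uri.partition("?")
    # Decode twice so %3b, %2e%2e and double-encoded forms are normalised.
    path = unquote(unquote(raw_path))
    params = {k: unquote(unquote(v)) for k, _, v in
              (p.partition("=") for p in raw_query.split("&"))}
    hits = []
    # ";x.jsp" suffix on the path plus a non-empty jsp_precompile parameter
    if SEMI_JSP_PATH.search(path) and params.get("jsp_precompile"):
        hits.append("CVE-2024-23917")
    # "jsp" parameter carrying a target path that ends in ";.jsp"
    if SEMI_JSP_PARAM.search(params.get("jsp", "")):
        hits.append("CVE-2024-27198")
    # "../" in the path: under the swagger endpoint, or anywhere else
    if "../" in path:
        hits.append("CVE-2024-24942" if path.startswith("/app/rest/swagger")
                    else "CVE-2024-27199")
    return hits

def scan(log_lines):
    """Yield (line_number, uri, cve_ids) for every request line that matches."""
    for n, line in enumerate(log_lines, 1):
        m = REQ_LINE.search(line)
        if m and (hits := classify(m.group(1))):
            yield n, m.group(1), hits

# Constructed log lines: 1-4 reuse the example paths above, 5-6 are benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Mar/2024:10:00:01 +0000] "POST /app/rest/users/id:1/tokens/name;randomname.jsp?jsp_precompile=1 HTTP/1.1" 200 312',
    '203.0.113.5 - - [05/Mar/2024:10:00:02 +0000] "POST /abc?jsp=/app/rest/users/id:1/tokens/nameToken;.jsp HTTP/1.1" 200 310',
    '198.51.100.7 - - [05/Mar/2024:10:00:03 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 4096',
    '198.51.100.7 - - [05/Mar/2024:10:00:04 +0000] "GET /app/rest/swaggerui;/../../web.xml HTTP/1.1" 200 2048',
    '192.0.2.10 - - [05/Mar/2024:10:00:05 +0000] "GET /app/rest/builds?locator=running:true HTTP/1.1" 200 900',
    '192.0.2.10 - - [05/Mar/2024:10:00:06 +0000] "GET /login.html HTTP/1.1" 200 1500',
]

if __name__ == "__main__":
    for n, uri, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}  {uri}")
```

A match only shows that a request had the described shape; whether it succeeded depends on the server version and the response, so correlate hits with status codes and with the affected versions listed above.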

 

Attack modelling with MITRE ATT&CK

MITRE ATT&CK

  • T1210 (Exploitation of Remote Services)

CWE

  • CVE-2024-23917: CWE-288 – Authentication Bypass Using an Alternate Path or Channel
  • CVE-2024-27198: CWE-288 – Authentication Bypass Using an Alternate Path or Channel
  • CVE-2024-27199: CWE-22 – Improper Limitation of a Pathname to a Restricted Directory
  • CVE-2024-24942: CWE-23 – Relative Path Traversal

 

JetBrains vulnerabilities: Stormshield Network Security protections

Protection against CVE-2024-23917

  • Signature http:url:decoded.427 - Exploitation of an authentication bypass in JetBrains TeamCity (CVE-2024-23917)

Confidence index for the protection offered by Stormshield

Confidence index for the absence of false positives

Protection against CVE-2024-27198

  • Signature http:url:decoded.425 - Exploitation of an authentication bypass in JetBrains TeamCity (CVE-2024-27198)

Confidence index for the protection offered by Stormshield

Confidence index for the absence of false positives

Protection against CVE-2024-27199 & CVE-2024-24942

  • Signature http:80 – Directory traversal

Confidence index for the protection offered by Stormshield

Confidence index for the absence of false positives

Recommendations regarding the JetBrains vulnerabilities

It is recommended to update JetBrains TeamCity servers to the latest version. The list of security vulnerabilities fixed in each version is available here: jetbrains.com/privacy-security/issues-fixed/?product=TeamCity

Need more information about Stormshield protection? The Technical Support teams are at your disposal to help you. Contact them through the incident manager located in the MyStormshield private area. To access it, select the menu "Technical Support / Report an incident / Track an incident".
Stormshield's Cyber Threat Intelligence team has two primary missions: to study cyber threats to understand them and to continuously improve Stormshield product protections. All with the goal of contributing to the cybersecurity community's effort to address cyber threats.