JetBrains' TeamCity CI/CD tool has been hit by four vulnerabilities that allow authentication bypass. These include two critical vulnerabilities, alongside a high one and a medium one. Identified as CVE-2024-23917, CVE-2024-27198, CVE-2024-27199 and CVE-2024-24942, they have been assigned CVSS v3.1 scores of 9.8, 9.8, 7.3 and 5.3 respectively. The Stormshield Customer Security Lab details our protection offerings.
Every JetBrains TeamCity server version below 2023.11.4 is vulnerable to CVE-2024-27198 and CVE-2024-27199. Every server version below 2023.11.3 is also vulnerable to CVE-2024-23917 and CVE-2024-24942. These vulnerabilities are exploited through the server’s web interface.
Technical details of JetBrains vulnerabilities
CVE-2024-23917
This first vulnerability, CVE-2024-23917, is an unrestricted authentication bypass. It stems from an error in the function that decides whether a request needs to be evaluated by the authentication system. If a request ends with “.jsp” or “.jspf” and contains a non-null GET parameter “jsp_precompile”, authentication is not checked. This behaviour can be abused by injecting “;anytext.jsp?jsp_precompile=1” after any authenticated path. Example: “/app/rest/users/id:1/tokens/name;randomname.jsp?jsp_precompile=1”
CVE-2024-27198
This second vulnerability, CVE-2024-27198, is also an unrestricted authentication bypass. It also uses a “;”, this time to abuse a filter that tests whether the GET parameter “jsp” ends with “.jsp”. By requesting a path that returns a 404 error, such as “/abc”, and adding the GET parameter “jsp” containing the target path followed by “;.jsp”, one can access any path not containing “admin/” without any authentication. Example: “/abc?jsp=/app/rest/users/id:1/tokens/nameToken;.jsp”
CVE-2024-27199
This third vulnerability, CVE-2024-27199, is another authentication bypass, this time using a path traversal. On some paths that do not require authentication, injecting “../” allows access to some other paths without authentication. Example: “/res/../admin/diagnostic.jsp”
CVE-2024-24942
This fourth vulnerability, CVE-2024-24942, is a path traversal in “/app/rest/swagger*”. Any path following “swagger*” is passed directly to a function that reads the target file. It is therefore possible to inject “../” to read files outside of the directory. This vulnerability is limited to certain types of files, which explains its medium CVSS score. Example: “/app/rest/swaggerui;/../../web.xml”
Attack modelling with MITRE ATT&CK
MITRE ATT&CK
- T1210 (Exploitation of Remote Services)
CWE
- CVE-2024-23917: CWE-288 – Authentication Bypass Using an Alternate Path or Channel
- CVE-2024-27198: CWE-288 – Authentication Bypass Using an Alternate Path or Channel
- CVE-2024-27199: CWE-22 – Improper Limitation of a Pathname to a Restricted Directory
- CVE-2024-24942: CWE-23 – Relative Path Traversal
JetBrains vulnerabilities: Stormshield Network Security protections
Protection to face CVE-2024-23917
- Signature http:url:decoded.427 - Exploitation of an authentication bypass in JetBrains TeamCity (CVE-2024-23917)
Confidence index for the protection offered by Stormshield |
Confidence index for the absence of false positives |
Protection to face CVE-2024-27198
- Signature http:url:decoded.425 - Exploitation of an authentication bypass in JetBrains TeamCity (CVE-2024-27198)
Confidence index for the protection offered by Stormshield |
Confidence index for the absence of false positives |
Protection to face CVE-2024-27199 & CVE-2024-24942
- Signature http:80 – Directory traversal
Confidence index for the protection offered by Stormshield |
Confidence index for the absence of false positives |
Recommendations regarding the JetBrains vulnerabilities
It is recommended to update JetBrains TeamCity servers to the latest version. The list of security vulnerabilities fixed by each version is available here: jetbrains.com/privacy-security/issues-fixed/?product=TeamCity