CRITICAL · Supply chain · exploited in the wild · ransomware

SC-TEAMCITY-2024

CI/CD · TeamCity · JetBrains TeamCity On-Premises

Summary

CVE-2024-27198 was a critical (CVSS 9.8) authentication bypass in JetBrains TeamCity On-Premises, disclosed by Rapid7 and JetBrains on March 4, 2024, that let an unauthenticated remote attacker gain full administrative control of the CI/CD server.

The bypass abused TeamCity's handling of unknown paths. The attacker requests a path that does not exist, so the server enters its 404 handling, and adds a jsp query parameter naming a protected endpoint, with the servlet path-parameter segment ;.jsp appended to that value, for example /<nonexistent-path>?jsp=/app/rest/server;.jsp. The 404 handling forwards the request to the path given in jsp. The authentication check only looks at whether that string ends in .jsp, so it treats the target as an unauthenticated JSP resource and lets it through, while the servlet container strips the ;.jsp path parameter before dispatch and routes the request to the real, protected REST endpoint /app/rest/server. With the admin REST API reachable without credentials, an attacker can create a new administrator account or generate an access token for an existing one, then upload a malicious server plugin to get remote code execution on the host.

A second flaw disclosed alongside it, CVE-2024-27199 (CVSS 7.3), was a path traversal through unauthenticated prefixes such as /res/ and /.well-known/acme-challenge/ that exposed a limited set of administrative pages, including the one for replacing the server's HTTPS certificate.

CISA added CVE-2024-27198 to the Known Exploited Vulnerabilities catalog on March 7, 2024. Mass exploitation began within days of disclosure: more than 1,400 servers were reported compromised, with attackers creating rogue administrator accounts and using that access to deploy BianLian and Jasmin ransomware, SparkRAT, and the XMRig cryptominer. Because a CI server holds build credentials and signing material and produces the artifacts that downstream consumers trust, a compromised TeamCity instance is a software-supply-chain incident, not just a single host compromise.
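A detection example, added here and not taken from the advisory, Rapid7, or JetBrains, that applies the mechanism above to web-server access logs: it reads the jsp= query parameter, normalizes its value the way a servlet container would (dropping ;-path parameters from each segment), and flags requests whose forward target lands on a protected path. The Tomcat-style log format, the PROTECTED_PREFIXES list, and the sample log lines are assumptions constructed for the demo.

```python
"""Flag CVE-2024-27198-style requests in a TeamCity access log.

Added example, not part of the original advisory and not JetBrains' code.
It looks for the combination the bypass needs: a ``jsp=`` query parameter
whose value names a protected path and carries a ``;...`` servlet path
parameter (``;.jsp``) that a naive extension check accepts but the servlet
container strips before dispatch.  Log format assumed: Tomcat/Apache
common log; adapt LOG_LINE for a reverse proxy's format.
"""
import re
from urllib.parse import unquote

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Prefixes that must never be served without authentication (assumed list).
# In-the-wild abuse targeted the REST API (user and token creation) and
# the plugin upload pages.
PROTECTED_PREFIXES = ("/app/rest/", "/admin/")


def normalize_forward_target(value):
    """Return (effective_path, had_path_param) for a ``jsp=`` value.

    Servlet containers drop ``;name=value`` path parameters from every
    segment before mapping a path to a servlet, so ``/app/rest/server;.jsp``
    is dispatched to ``/app/rest/server``.  A check that only runs
    ``endswith(".jsp")`` on the raw string sees a JSP instead; that gap is
    what the bypass exploited, and it is also what lets us detect it.
    """
    decoded = unquote(value)  # attackers may encode ';' as %3B
    segments = decoded.split("/")
    had_param = any(";" in seg for seg in segments)
    effective = "/".join(seg.split(";", 1)[0] for seg in segments)
    return effective, had_param


def parse_query(query):
    """Split a query string on '&' only.

    urllib.parse.parse_qs also split on ';' before Python 3.9.2, which would
    silently cut ';.jsp' off the value we need to inspect.
    """
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, val = pair.partition("=")
            params.setdefault(unquote(key), []).append(val)
    return params


def analyze_request(ip, method, target, status):
    """Findings for one request line; empty list when nothing is suspicious."""
    _, _, query = target.partition("?")
    findings = []
    for raw in parse_query(query).get("jsp", []):
        effective, had_param = normalize_forward_target(raw)
        protected = effective.startswith(PROTECTED_PREFIXES)
        if not (had_param or protected):
            continue
        if had_param and protected:
            reason = "jsp= forward to protected path with ;-path-parameter (CVE-2024-27198 pattern)"
        elif had_param:
            reason = "jsp= forward carrying a ;-path-parameter"
        else:
            reason = "jsp= forward to protected path"
        if method == "POST" and effective.startswith("/app/rest/users"):
            reason += "; likely admin user or token creation"
        findings.append({"ip": ip, "method": method, "status": status,
                         "target": target, "effective_path": effective, "reason": reason})
    return findings


def scan_access_log(text):
    """Run analyze_request over every parsable line of an access log."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            findings.extend(analyze_request(m["ip"], m["method"], m["target"], m["status"]))
    return findings


# Constructed sample log (not from a real incident).  The last line carries a
# benign ';jsessionid' path parameter, which must not be flagged on its own.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2024:10:12:01 +0000] "GET /app/rest/server HTTP/1.1" 401 0
203.0.113.10 - - [05/Mar/2024:10:12:03 +0000] "GET /hax?jsp=/app/rest/server;.jsp HTTP/1.1" 200 1532
203.0.113.10 - - [05/Mar/2024:10:12:07 +0000] "POST /hax?jsp=/app/rest/users;.jsp HTTP/1.1" 200 612
203.0.113.10 - - [05/Mar/2024:10:12:09 +0000] "POST /hax?jsp=/app/rest/users/id:1/tokens/HaxorToken;.jsp HTTP/1.1" 200 288
198.51.100.7 - - [05/Mar/2024:10:13:04 +0000] "GET /login.html HTTP/1.1" 200 8123
198.51.100.7 - - [05/Mar/2024:10:13:09 +0000] "GET /viewType.html;jsessionid=ABC?buildTypeId=Demo_Build HTTP/1.1" 200 4000
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['effective_path']} -> {f['reason']}")
```

Note the status codes in the sample: a 200 for a path that should not exist is itself a tell, and the same client getting a 401 on the direct request seconds earlier is the probe that precedes the bypass. The detector keys on the jsp= value rather than on the status so that it also catches attempts that failed against a patched server.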

How to avoid it in your code

  • Upgrade to TeamCity On-Premises 2023.11.4 or later immediately. If you cannot upgrade yet, install the security patch plugin JetBrains released for older versions; TeamCity Cloud was patched server-side.
  • Do not expose the TeamCity server to the public internet; put it behind a VPN or an IP allowlist, and apply the same restriction to any reverse proxy in front of it.
  • If an unpatched server was reachable from the internet, assume it was compromised. Audit for unexpected administrator accounts, newly created access tokens (including tokens added to existing admin accounts), and unfamiliar server plugins, and check the access logs for requests carrying a jsp= parameter with a ;.jsp suffix. Remove what you find, and prefer rebuilding the server from a known-good image over cleaning it in place.
  • Rotate every secret, build credential, and token stored in or reachable from TeamCity, including VCS credentials, cloud keys, and signing material, and review artifacts built while the server was exposed.
  • Run the CI service and its build agents with least-privilege accounts, and alert on new admin-account creation, access-token generation, and plugin uploads.
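An added example, not part of the advisory and not JetBrains' code, that turns the audit steps above into a script over the TeamCity REST API: it checks the reported version against 2023.11.4, lists global SYSTEM_ADMIN accounts that are not in a known baseline, and lists access tokens created after a cutoff date. The JSON field names (user, roles.role.roleId, scope "g", token.creationTime, version) follow the TeamCity REST API as I know it; confirm them against your server before relying on the output. The sample documents, the username haxor and the token name HaxorToken are constructed for the demo.

```python
"""Post-incident audit helpers for a TeamCity On-Premises server.

Added example, not JetBrains' code.  It works on the JSON the TeamCity REST
API returns from three endpoints (field names as I know them; confirm
against your server before trusting the results):

  GET /app/rest/server
  GET /app/rest/users?fields=user(id,username,roles(role(roleId,scope)))
  GET /app/rest/users/id:<id>/tokens

The sample documents at the bottom are constructed for the demo.
"""
import json
import re
import urllib.request
from datetime import datetime

FIXED_VERSION = (2023, 11, 4)  # first release fixing CVE-2024-27198 / CVE-2024-27199


def fetch_json(base_url, path, access_token):
    """GET a REST path with a TeamCity access token (not used by the offline demo)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def version_is_patched(version_string):
    """True if the server reports 2023.11.4 or later.

    Caveat: JetBrains also shipped a security patch plugin for older
    branches; a server fixed that way still reports an old version, so
    confirm the plugin is installed before acting on a False here.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version_string)
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch) >= FIXED_VERSION


def global_admins(users_doc):
    """Usernames holding SYSTEM_ADMIN with global scope ('g')."""
    admins = []
    for user in users_doc.get("user", []):
        for role in user.get("roles", {}).get("role", []):
            if role.get("roleId") == "SYSTEM_ADMIN" and role.get("scope") == "g":
                admins.append(user["username"])
                break
    return admins


def parse_tc_time(value):
    # TeamCity timestamps look like 20240305T101209+0000
    return datetime.strptime(value, "%Y%m%dT%H%M%S%z")


def tokens_created_since(tokens_by_user, since):
    """(username, token name) pairs for tokens created at or after ``since``."""
    cutoff = parse_tc_time(since)
    hits = []
    for username, doc in tokens_by_user.items():
        for tok in doc.get("token", []):
            if parse_tc_time(tok["creationTime"]) >= cutoff:
                hits.append((username, tok["name"]))
    return hits


def run_audit(server_doc, users_doc, tokens_by_user, baseline_admins, since):
    """Combine the three checks into one report dict."""
    return {
        "version": server_doc["version"],
        "patched": version_is_patched(server_doc["version"]),
        "unexpected_admins": sorted(set(global_admins(users_doc)) - set(baseline_admins)),
        "recent_tokens": sorted(tokens_created_since(tokens_by_user, since)),
    }


# --- constructed sample responses (not from a real server) ---
SAMPLE_SERVER = {"version": "2023.11.3 (build 147512)", "versionMajor": 2023, "versionMinor": 11}
SAMPLE_USERS = {"count": 3, "user": [
    {"id": 1, "username": "admin", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
    {"id": 42, "username": "haxor", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
    {"id": 7, "username": "dev", "roles": {"role": [{"roleId": "PROJECT_DEVELOPER", "scope": "p:Demo"}]}},
]}
SAMPLE_TOKENS = {
    "admin": {"count": 2, "token": [
        {"name": "ci-deploy", "creationTime": "20230110T090000+0000"},
        {"name": "HaxorToken", "creationTime": "20240305T101209+0000"},
    ]},
    "haxor": {"count": 0, "token": []},
    "dev": {"count": 0, "token": []},
}

if __name__ == "__main__":
    report = run_audit(SAMPLE_SERVER, SAMPLE_USERS, SAMPLE_TOKENS,
                       baseline_admins={"admin"}, since="20240304T000000+0000")
    print(json.dumps(report, indent=2))
```

The token check matters as much as the user check: in the observed attacks a token minted for the existing id:1 administrator gave the same access as a rogue account while leaving the user list looking clean. Run the audit with a token from a freshly created, audited account, and treat any finding as confirmation that the rotation and rebuild steps above are needed.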

References