Summary
CVE-2024-27198 was a critical (CVSS 9.8) authentication bypass in JetBrains TeamCity On-Premises, disclosed by Rapid7 on March 4, 2024, that let an unauthenticated remote attacker gain full administrative control of the CI/CD server. The bypass abused TeamCity's request handling: the attacker requested a non-existent path (which would normally return a 404), added an HTTP query parameter jsp=/app/rest/server pointing at a protected REST endpoint, and appended the path parameter ;.jsp to satisfy the .jsp extension check. The request was therefore treated as a permitted static resource and the authentication filter was skipped, while the framework rewrote the view to the authenticated endpoint. This reached the admin REST APIs, which could be used to create a new administrator user or generate an admin access token and then upload malicious plugins for code execution.
A second flaw disclosed alongside it, CVE-2024-27199 (CVSS 7.3), was a path traversal in unauthenticated paths such as /res/ and /.well-known/acme-challenge/ that exposed limited admin functionality. CVE-2024-27198 was added to the CISA KEV catalog on March 7, 2024 and was mass-exploited within days: more than 1,400 servers were compromised, with attackers creating rogue admin accounts to deploy BianLian and Jasmin ransomware, the Spark RAT, and the XMRig cryptominer.
How to avoid it in your code
- Patch to TeamCity On-Premises 2023.11.4 or later immediately.
- Do not expose the TeamCity server to the public internet; restrict access via VPN or an allowlist.
- Audit for unexpected admin users, access tokens, and uploaded plugins, and remove any found.
- Rotate all secrets, build credentials, and tokens stored in or reachable from TeamCity.
- Run the CI service with least-privilege accounts and alert on new admin-account creation.
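As an added example (not code from the advisory, Rapid7 or JetBrains), the following detection pass flags the two request shapes described above in access logs written by a reverse proxy in front of TeamCity. It assumes the combined log format, all log lines are constructed, and a 2xx/3xx status on a flagged request is treated as a bypass that succeeded rather than one the patched server rejected.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-log-format lines, as an nginx/Apache proxy in front of
# TeamCity would write them. None of this is real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2024:10:01:02 +0000] "GET /login.html HTTP/1.1" 200 5121 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Mar/2024:10:01:07 +0000] "GET /hax?jsp=/app/rest/server;.jsp HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.10 - - [05/Mar/2024:10:01:09 +0000] "POST /hax?jsp=/app/rest/users%3B.jsp HTTP/1.1" 200 433 "-" "curl/8.4.0"
198.51.100.7 - - [05/Mar/2024:10:02:00 +0000] "GET /app/rest/server HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.7 - - [05/Mar/2024:10:02:30 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 1200 "-" "python-requests/2.31"
10.0.0.5 - - [05/Mar/2024:10:03:00 +0000] "GET /app/rest/server HTTP/1.1" 200 900 "-" "TeamCity-Agent"
"""

# Combined log format: client IP, identd, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(target: str) -> Optional[str]:
    """Return an indicator name if the raw request-line URI matches one of the
    two disclosed patterns, otherwise None. Percent-encoding is decoded first
    so an encoded ';' (%3B) is not missed."""
    decoded = unquote(target)
    parts = urlsplit(decoded)
    # CVE-2024-27198: a 'jsp' query parameter naming a protected server path,
    # combined with a ';.jsp' path-parameter suffix to pass the extension check.
    jsp_values = parse_qs(parts.query).get("jsp", [])
    if ";.jsp" in decoded.lower() and any(v.startswith("/") for v in jsp_values):
        return "CVE-2024-27198 auth bypass"
    # CVE-2024-27199: dot-dot traversal under the unauthenticated prefixes.
    if parts.path.startswith(("/res/", "/.well-known/acme-challenge/")) and ".." in parts.path:
        return "CVE-2024-27199 path traversal"
    return None

def scan(log_text: str) -> list:
    """Parse each log line and collect the requests that match an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-combined-format lines
        indicator = classify(m["target"])
        if indicator:
            status = int(m["status"])
            hits.append({"ip": m["ip"], "method": m["method"], "target": m["target"],
                         "status": status, "succeeded": status < 400, "indicator": indicator})
    return hits
```

Hits with `succeeded` set are the ones to escalate: they show the server answered the rewritten request instead of returning 401, so the audit of admin users, tokens and plugins listed above should follow for that host.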
References
- https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/
- https://nvd.nist.gov/vuln/detail/CVE-2024-27198
- https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html
Related vulnerabilities
- CRITICAL GHSA-2JQ4-Q6VV-4CP3: Crawl4AI: Arbitrary file write (path traversal) in crawler downloads can lead to RCE
- CRITICAL GHSA-HXPF-9XVQ-WPH8: netlicensing-mcp: REST Path Traversal Bypasses Token Redaction
- MEDIUM GHSA-FJV8-J4P5-CR9M: Daytona: Path traversal in sandbox volume id mounts arbitrary host paths into the sandbox — cross-tenant data access and host escape
- MEDIUM GHSA-4JVG-4JFX-FMHC: opentelemetry-collector-contrib sentryexporter: Path traversal in Sentry exporter via attacker-controlled service.name reaches privileged Sentry API endpoints with operator bearer token
- LOW GHSA-RVP7-W75Q-9FV2: BBOT: Symlink-Following Arbitrary Write via github_workflows Module
- MEDIUM GHSA-M54H-VHF9-3W3M: BBOT: Arbitrary File Write in postman_download Module