CVE-2024-27199
Published: 04 March 2024
Summary
CVE-2024-27199 is a high-severity Relative Path Traversal (CWE-23) vulnerability in JetBrains TeamCity. Its CVSS base score is 7.3 (High).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-27199 is a path traversal vulnerability, tracked under CWE-23 and CWE-22, that affects JetBrains TeamCity versions prior to 2023.11.4. The flaw permits unauthorized access to perform a limited set of administrative actions on the server. It carries a CVSS 3.1 base score of 7.3, reflecting a network attack vector, low attack complexity, and no required authentication or user interaction.
Unauthenticated remote attackers can exploit the issue over the network to conduct limited administrative operations that would normally require elevated privileges. Successful exploitation can lead to partial compromise of confidentiality, integrity, and availability within the TeamCity instance.
JetBrains has addressed the vulnerability in TeamCity 2023.11.4 and later releases, as documented on its official security issues page. Administrators are advised to apply the available updates promptly to eliminate the path traversal vector.
Public reporting indicates active mass exploitation of the flaw in the wild, with threat actors creating rogue administrative accounts. The associated EPSS score has reached a peak of 0.9449 and currently stands at 0.9093, while proof-of-concept code has been published on GitHub.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-24438
Vulnerability details
In JetBrains TeamCity before 2023.11.4, a path traversal allowing limited admin actions to be performed was possible.
- CWE(s): CWE-23 (Relative Path Traversal), CWE-22
- KEV Date Added: see the CISA KEV catalog
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authenticated access to administrative functions, blocking the path-traversal bypass that lets unauthenticated attackers perform restricted TeamCity actions.
- SI-10 (Information Input Validation): Requires validation and sanitization of user-supplied file paths, directly mitigating the CWE-22/23 traversal that enables the limited-admin actions.
- Mandates timely application of the vendor patch (TeamCity 2023.11.4) that eliminates the path-traversal flaw being actively exploited in the wild.
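As an added illustration of the SI-10 control described above (validating user-supplied file paths), the following Python helper anchors a requested path under a fixed base directory and rejects traversal attempts, including percent-encoded, double-encoded and backslash-separated variants. It is a generic, constructed example: it is not JetBrains or TeamCity code and does not reproduce the specific request pattern of CVE-2024-27199. BASE_DIR, the sample request paths and the function names are assumptions made for the example.

```python
"""
Path-validation helper illustrating the SI-10 (input validation) control
for CWE-22/CWE-23 traversal. Generic, constructed example: it is not
TeamCity code and does not reproduce the CVE-2024-27199 request pattern.
"""
import os
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed base directory for the example; nothing is read from disk.
BASE_DIR = "/srv/app/static"


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would escape the allowed base."""


def safe_join(base_dir: str, user_path: str) -> str:
    """Return an absolute path under base_dir, or raise PathTraversalError.

    Checks run in order: decode once, reject double encoding, unify
    separators, reject absolute paths and NUL bytes, normalise dot
    segments, then confirm the result is still inside base_dir.
    """
    # Decode percent-encoding exactly once. If decoding again changes the
    # string, the input was double-encoded (e.g. %252e%252e) and is rejected
    # rather than decoded further.
    decoded = unquote(user_path)
    if unquote(decoded) != decoded:
        raise PathTraversalError("double-encoded path rejected")

    # Treat backslashes as separators so "..\\..\\" is not smuggled through.
    decoded = decoded.replace("\\", "/")

    # Absolute paths and embedded NUL bytes are never valid here.
    if decoded.startswith("/") or "\0" in decoded:
        raise PathTraversalError("absolute path or NUL byte rejected")

    # Collapse "." and ".." segments with POSIX semantics. Anything that
    # still begins with ".." escapes the base directory.
    normalized = posixpath.normpath(decoded)
    if normalized == ".." or normalized.startswith("../"):
        raise PathTraversalError("path escapes base directory")

    # Resolve both sides to real paths and compare on a directory boundary.
    # A plain string-prefix test would wrongly accept "/srv/app/static2"
    # as being under "/srv/app/static"; commonpath does not.
    base_abs = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_abs, normalized))
    if os.path.commonpath([base_abs, candidate]) != base_abs:
        raise PathTraversalError("resolved path escapes base directory")
    return candidate


def check_path(user_path: str) -> Optional[str]:
    """Return the validated path relative to BASE_DIR, or None if rejected."""
    try:
        full = safe_join(BASE_DIR, user_path)
    except PathTraversalError:
        return None
    return os.path.relpath(full, os.path.realpath(BASE_DIR))


def triage(paths: List[str]) -> List[Tuple[str, bool]]:
    """Classify a batch of request paths as allowed (True) or rejected (False)."""
    return [(p, check_path(p) is not None) for p in paths]


# Constructed sample request paths, as a web server might receive them.
SAMPLE_REQUESTS = [
    "css/site.css",                  # ordinary file
    "img/../css/site.css",           # harmless dot segment
    "../../etc/passwd",              # classic traversal
    "%2e%2e/%2e%2e/etc/passwd",      # percent-encoded traversal
    "%252e%252e/etc/passwd",         # double-encoded traversal
    "..\\..\\windows\\win.ini",      # backslash separators
    "/etc/passwd",                   # absolute path
]

if __name__ == "__main__":
    for path, ok in triage(SAMPLE_REQUESTS):
        print(f"{'ALLOW ' if ok else 'REJECT'} {path!r}")
```

The ordering matters: decoding happens before normalization so encoded dot segments cannot slip past the `..` check, and the final `commonpath` comparison is kept even though the earlier checks already reject most inputs, because it also catches symlink-based escapes that string normalization alone cannot see.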