CVE-2024-27198 and CVE-2024-27199: Critical Security Flaws Affecting TeamCity On-Premises

Two newly identified security vulnerabilities in JetBrains TeamCity On-Premises could be exploited by attackers to take control of affected systems.

The vulnerabilities, assigned the identifiers CVE-2024-27198 with a CVSS severity score of 9.8 and CVE-2024-27199 with a score of 7.3, affect all versions of TeamCity On-Premises up to and including 2023.11.3.

As detailed in JetBrains’ announcement, “The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.”

“Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack,” according to a report by the specialists at Rapid7, who discovered both vulnerabilities.

CVE-2024-27199 is also an authentication bypass, caused by a path traversal issue. It could enable an unauthenticated attacker to replace the HTTPS certificate on a vulnerable TeamCity server with their own through the “/app/https/settings/uploadCertificate” endpoint and even change the port number the HTTPS service listens on.

This vulnerability could be used by an attacker to conduct a DoS (Denial of Service) attack on the TeamCity server by changing the HTTPS port number or uploading a certificate that would fail client-side verification. Furthermore, the uploaded certificate could be employed in “man-in-the-middle” attacks if clients trust this certificate.

Both vulnerabilities were fixed in TeamCity On-Premises version 2023.11.4, so all users are strongly advised to update their installations promptly to prevent compromise. TeamCity Cloud instances were patched automatically for all customers.
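A log-triage sketch for the CVE-2024-27199 behaviour and the fixed version described above, added here as an example and not taken from JetBrains or Rapid7: it canonicalises each request path, flags anything that resolves to the certificate-upload endpoint, and compares a version string against 2023.11.4. The access-log format, the sample lines and all function names are assumptions.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

ENDPOINT = "/app/https/settings/uploadCertificate"  # endpoint named in the article
FIXED = (2023, 11, 4)  # first fixed On-Premises release per the article

# Assumed combined-log-style line; adapt the pattern to your proxy or server.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges, made-up path prefix).
SAMPLE = [
    '192.0.2.10 - - [04/Mar/2024:10:00:01 +0000] "GET /login.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Mar/2024:10:00:05 +0000] '
    '"POST /placeholder/%2e%2e/app/https/settings/uploadCertificate HTTP/1.1" 200 64',
    '192.0.2.10 - - [04/Mar/2024:10:02:00 +0000] '
    '"POST /app/https/settings/uploadCertificate HTTP/1.1" 200 64',
]

def canonical_path(raw):
    """Decode twice (double encoding), drop ;params, resolve dot segments."""
    for _ in range(2):
        raw = unquote(raw)
    segs = [s.split(";", 1)[0] for s in raw.replace("\\", "/").split("/")]
    return normpath("/" + "/".join(segs).lstrip("/"))

def scan(lines):
    """Return one finding per request that resolves to ENDPOINT."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        raw = m["target"].split("?", 1)[0]
        if canonical_path(raw) != ENDPOINT:
            continue
        # Assumption: a direct request may be legitimate administration,
        # while a path that only resolves to the endpoint is not normal.
        severity = "review" if raw == ENDPOINT else "high"
        hits.append({"ip": m["ip"], "method": m["method"],
                     "status": int(m["status"]), "severity": severity})
    return hits

def is_patched(version):
    """True if a dotted TeamCity version string is at or above FIXED."""
    return tuple(int(p) for p in version.split(".")) >= FIXED

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
    print("2023.11.3 patched:", is_patched("2023.11.3"))
```

Matching on the canonical path rather than the raw string is what keeps encoded or parameterised dot segments from slipping past the filter.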

The disclosure of CVE-2024-27198 and CVE-2024-27199 follows JetBrains’ recent fix for another critical vulnerability, CVE-2024-23917, with a severity score of 9.8, which also allowed an unauthenticated attacker to gain administrative control over TeamCity servers.