Share
## https://sploitus.com/exploit?id=83ED1AC6-D5AF-5720-9308-11B56932D9C4
# CVE-2024-27198

### CVE-2024-27198 - Authentication Bypass Using an Alternate Path vulnerability in JetBrains TeamCity Server

- Please refer to Rapid7's blogpost for more information: [CVE-2024-27198 and CVE-2024-27199: JetBrains TeamCity Multiple Authentication Bypass Vulnerabilities](https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/)

![teamcityserverlogo](https://www.devopsschool.com/blog/wp-content/uploads/2022/04/teamcity-logo.png)

*Products and Versions affected:*


| Product  | Affected Versions |
| :--------| :---------------- |
| TeamCity Server | <= 2023.11.3|

- **CVSS:** 9.8
- **Actively Exploited:** [YES](https://www.cisa.gov/news-events/alerts/2024/03/07/cisa-adds-one-known-exploited-jetbrains-vulnerability-cve-2024-27198-catalog)
- **Patch:** YES
- **Mitigation:** YES

# Lab

You can deploy a TeamCity server with Docker to test this exploit

- Download a vulnerable TeamCity Server docker image, for this case version: 2023.11.3
```
docker pull jetbrains/teamcity-server:2023.11.3
```

- Then run the docker container

```
docker run -it -d --name teamcity -u root -p 8111:8111 jetbrains/teamcity-server:2023.11.3
```

- Finally, go to: `http://localhost:8111` and follow the configuration instructions for your new server (just click `Proceed` and create a new admin account).

# Help

```
usage: CVE-2024-27198.py [-h] -t TARGET -u USERNAME -p PASSWORD

options:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        Target TeamCity Server URL
  -u USERNAME, --username USERNAME
                        Insert username for the new user
  -p PASSWORD, --password PASSWORD
                        Insert password for the new user
```

**Example:** 

```
python CVE-2024-27198.py -t http://localhost:8111 -u mynewadminuser -p mypassword
```


# References

- [CVE-2024-27198 and CVE-2024-27199: JetBrains TeamCity Multiple Authentication Bypass Vulnerabilities (FIXED)](https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/)
- [Additional Critical Security Issues Affecting TeamCity On-Premises (CVE-2024-27198 and CVE-2024-27199) โ€“ Update to 2023.11.4 Now](https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/)
- [CISA Adds One Known Exploited JetBrains Vulnerability, CVE-2024-27198, to Catalog](https://www.cisa.gov/news-events/alerts/2024/03/07/cisa-adds-one-known-exploited-jetbrains-vulnerability-cve-2024-27198-catalog)
- [GreyNoise Tag - TeamCity JetBrain CVE-2024-27198 Auth Bypass Attempt](https://viz.greynoise.io/query/tags:%22TeamCity%20JetBrain%20CVE-2024-27198%20Auth%20Bypass%20Attempt%22)