JetBrains TeamCity, one of the most popular CI/CD platforms, was found to contain a critical authentication bypass vulnerability (CVE-2024-27198, CVSS 9.8) that allows unauthenticated attackers to create administrator accounts and gain complete control over the build server.
Root Cause: Alternative Path Authentication Bypass
The vulnerability exists in TeamCity's web server implementation, specifically in how it processes HTTP requests. By crafting a request to a specific endpoint with a manipulated path, an attacker can bypass all authentication checks and access administrative API endpoints directly. The root cause is an inconsistency between the path matching logic in the authentication filter and the request routing layer.
This is a textbook example of an "alternative path" vulnerability: the application has proper authentication controls, but an alternative way to reach the protected functionality circumvents them entirely.
Exploitation and CI/CD Impact
Exploitation is trivially simple. An attacker sends a single HTTP request to create a new admin user, then logs in to access the full TeamCity administration interface. From there, the impact cascades dramatically: access to all build configurations, environment variables (often containing secrets), build artifacts, and the ability to modify build pipelines.
For organizations using TeamCity to build and deploy software, this means an attacker could inject malicious code into build processes, steal signing keys and deployment credentials, or plant backdoors in released software, achieving a supply chain compromise at scale.
Remediation
JetBrains released patches promptly. Organizations should update to TeamCity 2023.11.4 or later. Additionally, audit all build configurations for unexpected changes, rotate any secrets that were stored in TeamCity, and review build logs for unauthorized pipeline modifications. Strobes customers can use our CI/CD security assessment module to verify their TeamCity instances are not exposed.