-
Notifications
You must be signed in to change notification settings - Fork 15
/
path_traversal_attacks_CVE_2024_27199.yml
39 lines (38 loc) · 1.63 KB
/
path_traversal_attacks_CVE_2024_27199.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
title: Detection of Path Traversal Attacks on JetBrains TeamCity CVE-2024-27199
id: 8f0b1ced-5409-4d49-9d8a-d27bebbe7050
status: experimental
description: Detects potential path traversal attacks exploiting specific vulnerable paths to access sensitive endpoints without authentication.
references:
- https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/
author: Christiaan Beek @ Rapid7 Labs
date: 2024-03-04
logsource:
category: webserver/proxy
detection:
detection:
section1:
c-uri|contains:
- '/res/../'
- '/update/../'
- '/.well-known/acme-challenge/../'
section2:
c-uri|contains:
- '/admin/diagnostic.jsp'
- '/app/availableRunners'
- '/app/https/settings/setPort'
- '/app/https/settings/certificateInfo'
- '/app/https/settings/defaultHttpsPort'
- '/app/https/settings/fetchFromAcme'
- '/app/https/settings/removeCertificate'
- '/app/https/settings/uploadCertificate'
- '/app/https/settings/termsOfService'
- '/app/https/settings/triggerAcmeChallenge'
- '/app/https/settings/cancelAcmeChallenge'
- '/app/https/settings/getAcmeOrder'
- '/app/https/settings/setRedirectStrategy'
- '/app/pipeline'
- '/app/oauth/space/createBuild.html'
condition: section1 and section2
falsepositives:
- Legitimate administrative access to the vulnerable endpoints (ensure proper whitelisting or contextual analysis)
level: high