Detect JetBrains TeamCity Relative Path Traversal (CVE-2024-27199) in Splunk
Detects exploitation of CVE-2024-27199, a relative path traversal vulnerability in JetBrains TeamCity on-premises. Unauthenticated attackers can traverse directory paths in the TeamCity web server to access restricted endpoints and files outside the intended web root, potentially leading to information disclosure or authentication bypass chained with CVE-2024-27198.
MITRE ATT&CK
SPL Detection Query
index=web OR index=proxy OR index=waf sourcetype IN ("iis", "apache:access", "nginx:plus:kv", "pan:traffic", "f5:bigip:ltm:access")
| rex field=uri_path "(?i)(?<traversal_raw>(?:%2e%2e|%252e%252e|\.\.)(?:%2f|%252f|/))"
| rex field=cs_uri_stem "(?i)(?<traversal_raw2>(?:%2e%2e|%252e%252e|\.\.)(?:%2f|%252f|/))"
| eval has_traversal=if(isnotnull(traversal_raw) OR isnotnull(traversal_raw2), 1, 0)
| where has_traversal=1
| eval full_path=coalesce(uri_path, cs_uri_stem, url, c_uri)
| where match(full_path, "(?i)/(?:res|update|icons|plugins)/")
| eval decoded_path=replace(replace(replace(full_path, "%252e", "."), "%2e", "."), "%2f", "/")
| where match(decoded_path, "(?i)(?:\.\./)+(?:WEB-INF|admin|config|internal|server\.xml|web\.xml)")
| stats count AS request_count, dc(full_path) AS unique_paths, values(full_path) AS paths, values(status) AS response_codes BY src_ip, dest_host, _time span=5m
| where request_count >= 3
| eval severity=case(request_count >= 20, "critical", request_count >= 10, "high", 1==1, "medium")
| table _time, src_ip, dest_host, request_count, unique_paths, paths, response_codes, severity
| sort -request_countDetects path traversal exploitation attempts against JetBrains TeamCity by analyzing web access logs for encoded dot-dot sequences targeting TeamCity-specific URL prefixes. Aggregates by source IP over 5-minute windows to identify scanning behavior.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authenticated vulnerability scanners (Qualys, Tenable) running web application scans against TeamCity
- Authorized red team operations with approved scope covering the TeamCity URL space
- Misconfigured load balancers that mangle URL-encoded characters during proxy forwarding
- Development/staging environments where teams test path handling without production hardening
Other platforms for CVE-2024-27199
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1TeamCity Path Traversal to WEB-INF via Encoded Dots
Expected signal: HTTP GET request to /res/..%2f..%2f..%2fWEB-INF/web.xml logged in web server access logs with the attacker's IP. Response code 200 if vulnerable, 400/404 if patched or blocked.
- Test 2TeamCity Path Traversal via Double-Encoded Sequences
Expected signal: HTTP request containing %252f in URL path to TeamCity /update/ endpoint visible in web access logs.
- Test 3Automated Traversal Scan Simulation (Multiple Paths)
Expected signal: Five HTTP GET requests from the same source IP to /res/ URL paths containing %2f traversal sequences within a 10-second window, visible in web server access logs.
- Test 4Chain CVE-2024-27199 with Admin Configuration Read
Expected signal: HTTP GET to /icons/ endpoint with traversal sequence targeting conf/database.properties. HTTP 200 response body containing JDBC connection string indicates successful exploitation.
Unlock Pro Content
Get the full detection package for CVE-2024-27199 including response playbook, investigation guide, and atomic red team tests.