CVE-2024-27199 Sumo Logic CSE · Sumo

Detect JetBrains TeamCity Relative Path Traversal (CVE-2024-27199) in Sumo Logic CSE

Detects exploitation of CVE-2024-27199, a relative path traversal vulnerability in JetBrains TeamCity on-premises. Unauthenticated attackers can traverse directory paths in the TeamCity web server to access restricted endpoints and files outside the intended web root, potentially leading to information disclosure or authentication bypass chained with CVE-2024-27198.

MITRE ATT&CK

Tactic
Initial Access Defense Evasion Credential Access

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=web/access OR _sourceCategory=proxy/logs OR _sourceCategory=waf
| parse regex "(?<src_ip>\\d+\\.\\d+\\.\\d+\\.\\d+).*?(?:GET|POST|PUT)\\s+(?<request_path>[^\\s]+)"
| where request_path matches /(?i)\/(?:res|update|icons|plugins)\//
| where request_path matches /(?i)(?:%2e%2e|%252e%252e|\.\.\/)/
| where request_path matches /(?i)(?:WEB-INF|web\.xml|server\.xml|\/admin\/|\/config\/|internal)/
| urldecode(request_path) as decoded_path
| timeslice 5m
| stats count as request_count, dcount(request_path) as unique_paths by src_ip, _timeslice
| where request_count >= 3
| fields _timeslice, src_ip, request_count, unique_paths
| sort by request_count desc
high severity medium confidence

Sumo Logic query detecting TeamCity path traversal exploitation by parsing web access logs for encoded traversal sequences targeting restricted server paths. Aggregates over 5-minute windows per source IP.

Data Sources

Web server access logsProxy logsWAF logs

Required Tables

_sourceCategory=web/access_sourceCategory=proxy/logs

False Positives & Tuning

  • Authorized web application penetration tests against TeamCity infrastructure
  • Security scanning platforms (Tenable, Qualys) with web application scanning enabled
  • Misconfigured load balancers introducing URL encoding artifacts in forwarded headers
  • TeamCity plugin developers testing path resolution logic in development environments

Other platforms for CVE-2024-27199

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1TeamCity Path Traversal to WEB-INF via Encoded Dots

    Expected signal: HTTP GET request to /res/..%2f..%2f..%2fWEB-INF/web.xml logged in web server access logs with the attacker's IP. Response code 200 if vulnerable, 400/404 if patched or blocked.

  2. Test 2TeamCity Path Traversal via Double-Encoded Sequences

    Expected signal: HTTP request containing %252f in URL path to TeamCity /update/ endpoint visible in web access logs.

  3. Test 3Automated Traversal Scan Simulation (Multiple Paths)

    Expected signal: Five HTTP GET requests from the same source IP to /res/ URL paths containing %2f traversal sequences within a 10-second window, visible in web server access logs.

  4. Test 4Chain CVE-2024-27199 with Admin Configuration Read

    Expected signal: HTTP GET to /icons/ endpoint with traversal sequence targeting conf/database.properties. HTTP 200 response body containing JDBC connection string indicates successful exploitation.

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2024-27199 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0005Defense EvasionTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1083File and Directory DiscoveryT1552.001Credentials In FilesT1078Valid Accounts

Same Tactic: Initial Access

Popular Detections