CVE-2024-27199

Modified

Published: 04 Mar 2024, 17:21

Last modified:21 Apr 2026, 03:55

Vulnerability Summary

Overall Risk (default)

high

56/100

CVSS Score

7.3 HIGH

v3.1 (cve.org)

EPSS Score

82.47% CRITICAL

82% probability -12.02%

KEV

Listed

CISA

1 listing

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

04 Mar 2024, 17:21

Published

Vulnerability first disclosed

20 Apr 2026, 00:00

Added to CISA KEV

JetBrains TeamCity Relative Path Traversal Vulnerability

21 Apr 2026, 03:55

Last Modified

Vulnerability information updated

04 May 2026, 00:00

CISA Remediation Due

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible

CVSS Metrics

v3.1•HIGH•Score: 7.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Trends

Current EPSS score: 82.47%• Percentile: 99%

Techniques & Countermeasures

CWE-22•Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-23•Relative Path Traversal
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Affected Systems

jetbrains•teamcity
< 2023.11.4