PatchDay Alert

Editorial coverage · CVE-2024-27199

Two CVEs from one advisory, two KEV listing dates 25 months apart. The audit form reads them as independent rows.

The path-traversal half of JetBrains' March 2024 TeamCity advisory. CVSS 7.3: the authentication filter exempts paths beginning with `/res/`, `/update/`, and `/.well-known/acme-challenge/`, and it checks that prefix before `../` segments are resolved, so a traversal placed after the prefix reaches endpoints that should have required authentication. BianLian ransomware operators were chaining it with CVE-2024-27198 within days of disclosure. CISA added 27198 to KEV on March 7, 2024, three days after the fix. CISA added 27199 to KEV on April 20, 2026 with a May 4 federal due date. Same advisory, same fix, same affected version range. Twenty-five months between the two KEV entries. The catalog has one row per CVE; the operational exposure window opened in March 2024 either way.

Editorial CVE · 3 min read · By The Field Notes Desk · Field Notes

What we say

Most KEV listings are read as fresh-threat signal. The catalog lists a CVE, the deadline starts, the operator either patches inside the window or breaks the row on the audit form. The reading assumes the catalog date approximates the start of the exposure window. For most entries that approximation is close enough to be useful. For CVE-2024-27199 it is off by 25 months.

JetBrains shipped TeamCity On-Premises 2023.11.4 on March 4, 2024 against two CVEs in the same auth filter. CVE-2024-27198 (CVSS 9.8, authentication bypass, full unauthenticated admin) and CVE-2024-27199 (CVSS 7.3, path traversal that reaches 15+ admin endpoints including certificate upload and HTTPS-port reconfiguration) share an attack surface, an advisory, an affected version range, and a fix. The two bugs are reached through different bypass mechanisms; they are not the same vulnerability scored twice. They were exploited together. BianLian ransomware operators were chaining them within days of disclosure to create admin accounts, run commands under the TeamCity service account, and pivot to PowerShell when their Go-language backdoor failed.

CISA added CVE-2024-27198 to KEV on March 7, 2024 — three days after the advisory. CISA added CVE-2024-27199 to KEV on April 20, 2026, with a May 4 federal due date. Twenty-five months between two catalog listings against one advisory. The agency published no explanation for the gap. The most parsimonious read: ongoing opportunistic exploitation of the long tail of unpatched internet-facing instances, not a newly discovered technique. CISA has been adding older CVEs in batches throughout 2026. The exposure evidence for 27199 was always in the record; the catalog row was not.

The structural problem is what the second catalog row encodes for the two populations reading it. For the operator who upgraded TeamCity in March or April 2024, the May 4 deadline is closed already — the change record from two years ago names a fix version that closes both CVEs, and the audit form reads “deadline met” against both. For the operator who did not upgrade, the May 4 deadline is the first federal forcing function against a vulnerability whose exposure window opened 25 months earlier. The catalog row is identical in both cases. The audit form is identical in both cases. The operational posture is not identical, and the form has no field for the difference.

The PCI and FedRAMP narratives compound it. PCI Requirement 6.3.3 writes a one-month patch clock against the advisory date, not the KEV date; that clock expired in early April 2024 and has been running over on any unpatched host in scope since. The BOD 22-01 narrative writes against the catalog date, so the May 4 deadline reads as on-time for any FCEB operator who patches this month. The same operator, the same host, the same CVE: one framework reads compliant-against-deadline and the other reads roughly 25 months late against the advisory clock. The form fields are independent. The exposure window is not.

The narrow remediation question has one answer: TeamCity On-Premises below 2023.11.4 is vulnerable to both CVEs and has been for two years. If you upgraded in 2024 the May 4 deadline is closed. If you did not, the upgrade path is the same one JetBrains documented in March 2024 — 2023.11.4 or later, or the stand-alone security-patch plugin if the full upgrade is blocked. The wider question is what the audit infrastructure does with a catalog row whose listing date trails its advisory date by 25 months. The catalog writes one row. The change record writes one ticket. The SI-2 narrative writes one closure date. None of those carry “the bug was already public for two years.” The operator working from the row alone gets a fresh deadline; the operator working from the advisory gets the original clock. Both are reading authoritative sources. They disagree about when the window opened, and the form cannot encode the disagreement. The editorial corpus keeps arriving at this from different angles: the catalog row is not the exposure window, and the audit narrative needs a field the schemas do not have.

What NVD says

CWE-23 — relative path traversal. NVD CVSS 3.1 base 7.3, vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The score is honest about the bug taken alone: an unauthenticated request to `/res/../admin/diagnostic.jsp` passes the auth filter's prefix check (the path starts with `/res/`), the filter does not canonicalize before deciding, and the request lands on an admin endpoint after path resolution. The 15+ endpoints reachable through the traversal include certificate upload and HTTPS-port reconfiguration; severity 7.3 reads as plausible for the standalone primitive. What 7.3 does not encode is that the advisory carries CVE-2024-27198 alongside it, scored 9.8 against the same auth filter on the same product version range with the same fix. NVD scores in isolation. The two CVEs are reached through different bypass mechanisms and they enable different post-auth actions; they share an attack surface, an advisory, and a remediation. The CVSS rows are independent. The exposure window is not.
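An added example, not JetBrains' code and not taken from the Rapid7 writeup, of the failure this NVD description and the exploitation account above both turn on: a filter that allowlists `/res/`, `/update/` and `/.well-known/acme-challenge/` by string prefix before `..` is resolved, beside a version that canonicalizes first, followed by a hunt over access-log lines for requests that enter through an allowlisted prefix and resolve outside it. The `/res/../admin/diagnostic.jsp` request is the one named above; the filter code is a simplified stand-in for the real servlet filter, and the other target paths, IP addresses and log lines are constructed for illustration.

```python
"""Added example (not JetBrains or Rapid7 code): a string-prefix auth allowlist
that decides before path canonicalization, the canonicalize-first fix, and a
log hunt for requests that enter an allowlisted prefix and resolve outside it.

Assumed/constructed: the filter code is a simplified stand-in for the real one;
apart from /res/../admin/diagnostic.jsp, the target paths, IPs and log lines
are made up for illustration.
"""
import posixpath
import re
from urllib.parse import unquote

# Prefixes the advisory coverage says the TeamCity auth filter exempted.
UNAUTHENTICATED_PREFIXES = ("/res/", "/update/", "/.well-known/acme-challenge/")


def vulnerable_filter_allows(raw_path: str) -> bool:
    """Pre-fix behaviour: the decision is made on the raw request path, so
    '/res/../admin/diagnostic.jsp' passes because it *starts with* '/res/'."""
    return raw_path.startswith(UNAUTHENTICATED_PREFIXES)


def canonicalize(raw_path: str) -> str:
    """Resolve the path the way the dispatcher will before any prefix decision:
    drop the query string, percent-decode exactly once (a second decode would
    invent traversals the server never sees), then collapse '.', '..' and
    duplicate slashes."""
    path = unquote(raw_path.split("?", 1)[0])
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def hardened_filter_allows(raw_path: str) -> bool:
    """Fix: compare the canonical path against the allowlist. A request for the
    bare directory '/res/' normalizes to '/res' and fails closed, which is the
    right default for an authentication exemption."""
    return canonicalize(raw_path).startswith(UNAUTHENTICATED_PREFIXES)


def escapes_allowlisted_prefix(raw_path: str) -> bool:
    """True when the raw path would have been waved through by the old check
    but resolves somewhere the allowlist never meant to expose."""
    return vulnerable_filter_allows(raw_path) and not hardened_filter_allows(raw_path)


# Common Log Format request line; the path is logged as sent, still percent-encoded.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def hunt_traversal(log_lines):
    """Flag requests that enter via an allowlisted prefix and resolve outside it.
    Returns one dict per hit with the raw and resolved paths for triage; the
    status code is carried along but not used to filter, since a blocked attempt
    is still evidence of targeting."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        raw = m.group("path")
        if escapes_allowlisted_prefix(raw):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "raw": raw,
                "resolved": canonicalize(raw),
                "status": int(m.group("status")),
            })
    return hits


# Constructed access-log sample. Only the first target path is taken from the
# public description of the bug; the others are illustrative.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2024:02:14:11 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 5123',
    '203.0.113.7 - - [05/Mar/2024:02:14:12 +0000] "POST /res/../app/https/settings/uploadCertificate HTTP/1.1" 200 87',
    '198.51.100.22 - - [05/Mar/2024:02:15:03 +0000] "GET /res/img/logo.png HTTP/1.1" 200 4021',
    '198.51.100.22 - - [05/Mar/2024:02:15:04 +0000] "GET /update/%2e%2e/admin/admin.html HTTP/1.1" 302 0',
    '192.0.2.9 - - [05/Mar/2024:02:16:00 +0000] "GET /admin/diagnostic.jsp HTTP/1.1" 401 0',
]


if __name__ == "__main__":
    for hit in hunt_traversal(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['raw']} -> {hit['resolved']} ({hit['status']})")
```

Two practitioner notes. The hunt decodes exactly once because web servers log the request line as received, so a `%2e%2e` segment sits in the log encoded while the resolved path is what reached the application; decoding twice would manufacture hits. And because the exposure window opened in March 2024, the hunt belongs on retained logs from that month forward, not only on the weeks around the second KEV listing.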


What the vendor says

JetBrains shipped TeamCity On-Premises 2023.11.4 on March 4, 2024 against both CVEs and published a stand-alone security-patch plugin compatible with 2018.1 through 2023.11.3 for operators who could not run a full version upgrade. The advisory names both CVEs and TeamCity Cloud as already patched server-side. The vendor framing pairs the two bugs as a single remediation event; the disclosure timeline — Rapid7 reported on Feb 20, JetBrains had a fix in 13 days, Rapid7 published the writeup within an hour of the CVE records going live, exploitation followed within hours — is the disclosure-window dispute that ate the operational story at the time. What the vendor advisory does not name is the catalog asymmetry that landed two years later. CISA added 27198 to KEV three days after disclosure and 27199 twenty-five months after disclosure. The operator who upgraded in March 2024 closed both. The operator who did not is the audience the late KEV listing is for.

Compliance impact

PCI DSS
Requirement 6.3.3's one-month patch clock for critical security patches reads against the advisory date, March 4, 2024, so the PCI deadline fell in early April 2024. A change record that closes the upgrade to 2023.11.4 or later inside that month is compliant under either CVE. A change record with no TeamCity entry at all has been past the PCI clock for roughly 25 months as of the second KEV listing. CI/CD servers commonly hold deployment credentials for CDE systems even when the build host itself sits outside the CDE's network segment; PCI scoping treats any system that can affect the security of the CDE as in scope, so the credential connectivity, not the network diagram, decides. The QSA reading the audit narrative gets two readings on the same form: the change record that closes the advisory in 2024 and the change record that does not exist. The second KEV listing did not move the PCI clock; the advisory date did. The clock has been running for two years.
FedRAMP
BOD 22-01 writes one row per KEV entry. CISA listed CVE-2024-27198 on March 7, 2024 with the standard 21-day federal due date; the agency listed CVE-2024-27199 on April 20, 2026 with a May 4 federal due date. The SI-2 narrative against the first listing closes cleanly: 'patched to 2023.11.4 within the BOD window in March 2024.' The SI-2 narrative against the second listing has the same target version, the same closure date, the same change record. The audit form reads the second row as 'deadline met' for any FCEB operator who patched in 2024 and as a fresh deadline for any operator who did not. Both readings are arithmetic-correct. Neither reading encodes the operational reality that the exposure window opened the day the patch shipped and has been continuously open on unpatched hosts since. The 800-53 CM-3 change-control review is supposed to catch long-tail exposure; in practice it catches whatever the ticket carries, and the ticket reads one CVE row at a time.
