Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-31136

CVE-2024-31136: JetBrains TeamCity Auth Bypass Vulnerability

CVE-2024-31136 is an authentication bypass vulnerability in JetBrains TeamCity that allows attackers to bypass 2FA using a special URL parameter. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2024-31136 Overview

CVE-2024-31136 is an authentication bypass vulnerability in JetBrains TeamCity versions before 2024.03. Attackers can bypass two-factor authentication (2FA) by supplying a specially crafted URL parameter when accessing the application. The flaw maps to [CWE-1288] (Improper Validation of Consumed Data) and affects the confidentiality and integrity of TeamCity instances exposed over the network. Successful exploitation allows an attacker who possesses valid primary credentials to skip the secondary authentication factor and access protected resources. JetBrains addressed the issue in TeamCity 2024.03 and published the fix in their security advisory.

Critical Impact

A network-based attacker with primary credentials can bypass TeamCity 2FA by manipulating a URL parameter, gaining access to CI/CD pipelines, source code, and build artifacts.

Affected Products

  • JetBrains TeamCity versions prior to 2024.03
  • On-premises TeamCity Server installations
  • Self-hosted TeamCity deployments with 2FA enabled

Discovery Timeline

  • 2024-03-28 - CVE-2024-31136 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-31136

Vulnerability Analysis

The vulnerability resides in TeamCity's authentication flow. TeamCity enforces 2FA after a user submits valid primary credentials. A specific URL parameter, when supplied during the authentication sequence, causes the application to skip the second factor check and treat the session as fully authenticated. The flaw is a business logic and input validation failure rather than a memory safety issue. An attacker who already holds or has phished a username and password can complete login without satisfying the 2FA requirement. Because TeamCity sits at the core of software delivery pipelines, the impact extends beyond account takeover to potential supply chain compromise of any project built by the affected server. EPSS data places exploitation probability at 0.544% with a percentile of 41.3.

Root Cause

The TeamCity authentication handler fails to validate that a specific request parameter cannot be used to override the 2FA enforcement state. The parameter is honored before the 2FA challenge completes, allowing the post-authentication path to execute with only single-factor verification. This is consistent with [CWE-1288] and reflects a missing server-side check on trust boundary inputs.

Attack Vector

The attack vector is network-based and does not require user interaction. The attacker must possess valid primary credentials, which raises the attack complexity. After submitting the username and password, the attacker appends the special URL parameter to bypass the 2FA challenge. No exploit code is publicly catalogued in ExploitDB or CISA KEV at this time, and JetBrains has not reported active exploitation. Refer to the JetBrains Security Issues Fixed advisory for vendor technical details.

Detection Methods for CVE-2024-31136

Indicators of Compromise

  • Successful login events in TeamCity audit logs where 2FA challenge events are absent for users with 2FA enabled
  • HTTP requests to TeamCity authentication endpoints containing unexpected or atypical URL parameters during login
  • Authentication sessions originating from IP addresses or geolocations not previously associated with the user account

Detection Strategies

  • Correlate primary authentication success events with the presence of corresponding 2FA verification events; flag mismatches as potential bypass attempts
  • Inspect web server and reverse proxy logs for anomalous query strings on /login.html and related authentication paths
  • Hunt for administrative actions (build configuration changes, agent registration, token issuance) following sessions lacking 2FA telemetry

Monitoring Recommendations

  • Forward TeamCity authentication and audit logs to a centralized SIEM for cross-event correlation
  • Alert on logins to TeamCity from new user agents, new IPs, or outside business hours
  • Monitor for sudden creation of personal access tokens or modifications to system administrator accounts

How to Mitigate CVE-2024-31136

Immediate Actions Required

  • Upgrade TeamCity Server to version 2024.03 or later, which contains the official fix
  • Rotate all administrator passwords, personal access tokens, and API keys after patching
  • Audit recent administrative changes, build configuration edits, and agent registrations for unauthorized activity
  • Restrict network access to TeamCity Server to trusted networks or VPN until patched

Patch Information

JetBrains released a fix in TeamCity 2024.03. Apply the upgrade through standard TeamCity update channels. Review the JetBrains Security Issues Fixed page for full version guidance and any backported patches relevant to your release line.

Workarounds

  • Place TeamCity behind a reverse proxy or web application firewall configured to strip or block unexpected authentication-related URL parameters
  • Enforce IP allowlisting on the TeamCity authentication endpoints until upgrade is complete
  • Disable network exposure of the TeamCity UI to untrusted networks and require VPN access
bash
# Example: nginx rule to strip suspicious query parameters from TeamCity login
location /login.html {
    if ($args ~* "(bypass|2fa|skip)") {
        return 400;
    }
    proxy_pass http://teamcity_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.