CVE-2024-24940: 
JetBrains IntelliJ IDEA vulnerability analysis and mitigation

A path traversal vulnerability was discovered in JetBrains IntelliJ IDEA versions before 2023.3.3, identified as CVE-2024-24940. The vulnerability specifically affects the archive unpacking functionality of the software. This security issue was disclosed and tracked by JetBrains s.r.o. as the assigning CNA (CVE Numbering Authority) (NVD, CVE).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) by NIST and CWE-23 (Relative Path Traversal) by JetBrains. According to the CVSS v3.1 scoring, there are two different assessments: NIST rates it as MEDIUM with a base score of 4.3 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), while JetBrains rates it as LOW with a base score of 2.8 (Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N) (NVD).

The vulnerability could potentially allow an attacker to access files outside of the intended directory structure when the application is unpacking archives. Based on the CVSS scores, the primary impact is related to confidentiality and integrity concerns, with no direct impact on system availability (NVD).

The vulnerability has been fixed in IntelliJ IDEA version 2023.3.3. Users are advised to upgrade to this version or later to mitigate the security risk (JetBrains Advisory).