
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-24942 is a path traversal vulnerability affecting JetBrains TeamCity versions before 2023.11.3. The vulnerability allows unauthorized users to read data within JAR archives (NVD, CVE). The vulnerability was disclosed on February 6, 2024.
The vulnerability exists in the SwaggerUI class of TeamCity's REST API implementation. The issue allows attackers to supply arbitrary paths when accessing swagger resources from an unauthenticated endpoint. The vulnerability has a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (AttackerKB).
The vulnerability allows unauthorized access to read data within JAR archives, potentially exposing sensitive information stored in these archives. The impact is limited to confidentiality with no direct effect on integrity or availability of the system (NVD).
The vulnerability has been patched in TeamCity version 2023.11.3. The fix adds path validation through a helper method, isValidResourcePath, that detects and rejects double-dot (..) notation in the requested path during resource access (AttackerKB).
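As an added illustration, and not TeamCity's own code, here is a Python validator in the spirit of the fix described above: it percent-decodes the requested path, rejects any double-dot segment, absolute path or alternate separator, and then confirms the joined path still sits below an assumed resource root. The root and the sample requests are constructed for this example.

```python
from pathlib import PurePosixPath
from urllib.parse import unquote

# Assumed resource root; constructed for this example, not a TeamCity path.
RESOURCE_ROOT = PurePosixPath("/resources/swagger")


def _decode(requested: str) -> str:
    """Percent-decode up to three times so double-encoded dots and slashes
    ('%252e', '%252f') are seen in decoded form before validation."""
    decoded = requested
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def is_valid_resource_path(requested: str) -> bool:
    """Hypothetical check in the spirit of the fix: True only if `requested`
    names an entry strictly below RESOURCE_ROOT.

    Rejects empty input, NUL bytes, backslashes (alternate separator),
    absolute paths and any '..' segment; then confirms containment after
    joining with the root as a second, independent check.
    """
    decoded = _decode(requested)
    if not decoded or "\x00" in decoded or "\\" in decoded:
        return False
    if decoded.startswith("/"):
        return False
    parts = PurePosixPath(decoded).parts  # pathlib drops '.' but keeps '..'
    if any(part == ".." for part in parts):
        return False
    resolved = RESOURCE_ROOT.joinpath(*parts)
    return RESOURCE_ROOT in resolved.parents


def resolve_resource(requested: str):
    """Return the path to serve under RESOURCE_ROOT, or None when rejected."""
    if not is_valid_resource_path(requested):
        return None
    return str(RESOURCE_ROOT.joinpath(*PurePosixPath(_decode(requested)).parts))


if __name__ == "__main__":
    # Constructed sample requests: one benign, the rest rejected as traversal.
    for sample in ("swagger-ui.css", "css/../../x", "%2e%2e/x", "/abs/x"):
        print(f"{sample!r:20} -> {resolve_resource(sample)}")
```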
Source: This report was generated using AI