CVE-2024-47161: 
JetBrains TeamCity vulnerability analysis and mitigation

A security vulnerability (CVE-2024-47161) was identified in JetBrains TeamCity versions before 2024.07.3. The vulnerability involves password exposure through the Sonar runner REST API. This issue was discovered and reported by JetBrains s.r.o., with the initial disclosure made on October 8, 2024 (NVD CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with low attack complexity and requiring low privileges. JetBrains' own assessment assigned a lower CVSS score of 4.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-522 (Insufficiently Protected Credentials) (NVD CVE).

The vulnerability allows exposure of passwords through the Sonar runner REST API, potentially compromising sensitive authentication credentials. This could lead to unauthorized access to affected TeamCity installations and their associated resources (NVD CVE).

The vulnerability has been patched in TeamCity version 2024.07.3. Users are advised to upgrade to this version or later to address the security issue (JetBrains Advisory).