JebrainsJETBRAINS:JETBRAINS-SECURITY-BULLETIN-Q2-2019JetBrains Security Bulletin Q2 2019
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.2 High
AI Score
Confidence
Low
0.169 Low
EPSS
Percentile
96.1%
FYI Security
JetBrains Security Bulletin Q2 2019
This bulletin summarizes the security vulnerabilities detected in JetBrains products and remediated in the second quarter of 2019.
Here’s a summary report that comprises the affected product, the description of each issue, its severity, and the product version containing the fix.
| Product | Description | Severity | Resolved in | CVE/CWE |
|---|---|---|---|---|
| Exception Analyzer | Insecure transfer of JetBrains Account credentials. (EXA-652) | Critical | Not applicable | CWE-598 |
| Hub | No way to set a password to expire automatically. (JPS-8816) | Low | 2018.4.11436 | CVE-2019-14955 |
| IntelliJ IDEA | Resolving artifacts using an http connection, potentially allowing an MITM attack. (IDEA-211231) | High | 2019.2 | CVE-2019-14954 |
| JetBrains Account | Authorized account enumeration. (JPF-9370) | Low | 2019.5 | CWE-204 |
| JetBrains Account | Cross-origin resource sharing misconfiguration (Reported by Vishnu Vardhan). (JPF-9095) | Low | 2019.5 | CWE-942 |
| JetBrains Account | No rate limitation on the account details page. (JPF-9704) | Moderate | 2019.8 | CWE-770 |
| JetBrains Account | No rate limitation on the licenses page. (JPF-9713) | High | 2019.9 | CWE-770 |
| JetBrains Account | Unauthorized disclosure of license email on the licenses page. (JPF-9692) | Critical | 2019.8 | CWE-284 |
| JetBrains Website | Reflected XSS. (JS-9853) | Moderate | Not Applicable | CWE-79 |
| Kotlin Ktor | Command injection through LDAP username. | Moderate | 1.2.0-rc, 1.2.0 | CVE-2019-12736 |
| Kotlin Ktor | Predictable Salt for user credentials. | Moderate | 1.2.0-rc2, 1.2.0 | CVE-2019-12737 |
| PyCharm | Remote call causing an “out of memory” error was possible. (PY-35251) | Low | 2019.2 | CVE-2019-14958 |
| Rider | Unsigned DLL was used in a distributive. (RIDER-27708) | Moderate | 2019.1.2 | CVE-2019-14960 |
| ReSharper | DLL hijacking vulnerability. (RSRP-473674) | High | 2019.2 | CVE-2019-16407 |
| TeamCity | Previously used unencrypted passwords were suggested by a web browser’s auto-completion. (TW-59759) | Low | 2019.1 | CWE-200 |
| TeamCity | VMWare plugin did not check SSL certificate. (TW-59562) | Moderate | 2019.1 | CVE-2019-15042 |
| TeamCity | Remote Code Execution on the server with certain network configurations. (TW-60430) | Moderate | 2019.1 | CVE-2019-15039 |
| TeamCity | Project administrator could get unauthorized access to server-level data. (TW-60220) | High | 2019.1 | CVE-2019-15035 |
| TeamCity | Project administrator could execute any command on the server machine. (TW-60219) | High | 2019.1 | CVE-2019-15036 |
| TeamCity | Security has been tightened thanks to using additional HTTP headers. (TW-59034) | High | 2019.1 | CVE-2019-15038 |
| TeamCity | Possible XSS vulnerabilities on the settings pages. (TW-59870, TW-59852, TW-59817, TW-59838, TW-59816) | High | 2019.1 | CVE-2019-15037 |
| TeamCity | XSS vulnerability. (TW-61242, TW-61315) | High | 2019.1.2 | CVE-2019-15848 |
| Toolbox App | Unencrypted connection to external resources, potentially allowed an MITM attack. (TBX-3327, ADM-30275) | Low | 1.15.5605 | CVE-2019-14959, CWE-311 |
| Upsource | Insufficient escaping of code blocks. (UP-10387) | Moderate | 2019.1.1412 | CVE-2019-14961 |
| Upsource | Credentials exposure via RPC command. (UP-10344) | Critical | 2018.2.1290 | CVE-2019-12156 |
| Upsource | Credentials exposure via RPC command. (UP-10343) | Critical | 2018.2.1293 | CVE-2019-12157 |
| Vim Plugin | Project data appeared in user level settings. (VIM-1184) | Moderate | 0.52 | CVE-2019-14957 |
| YouTrack | A user could get a list of project names under certain conditions. (JT-53162) | Low | 2019.2.53938 | CVE-2019-14956 |
| YouTrack | Stored XSS on the issue page. (JT-51077, JT-54121) | High | 2019.2.53938, 2019.2.57829 | CVE-2019-14953, CVE-2019-16171 |
| YouTrack | Stored XSS in the issues list. (JT-52894) | High | 2019.1.52584 | CVE-2019-14952 |
| YouTrack | A compromised URL was automatically whitelisted by YouTrack. (JT-47653) | Low | 2019.1.52545 | CVE-2019-15041 |
| YouTrack | Cross-Site Request Forgery. (JT-30098) | Low | 2019.1 | CVE-2019-15040 |
If you need any further assistance, please contact our Security Team.
Subscribe to receive the bulletin in your mailbox.
Your JetBrains Team
The Drive to Develop
security bulletin
SpringShell Vulnerability in JetBrains Products and Services Next post
Subscribe to JetBrains Blog updates
Subscribe form
By submitting this form, I agree to the JetBrains Privacy Policy Notification icon
By submitting this form, I agree that JetBrains s.r.o. (“JetBrains”) may use my name, email address, and location data to send me newsletters, including commercial communications, and to process my personal data for this purpose. I agree that JetBrains may process said data using third-party services for this purpose in accordance with the JetBrains Privacy Policy. I understand that I can revoke this consent at any time in my profile. In addition, an unsubscribe link is included in each email.
Submit
Thanks, we’ve got you!
Affected configurations
Related
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.2 High
AI Score
Confidence
Low
0.169 Low
EPSS
Percentile
96.1%