JebrainsJETBRAINS:JETBRAINS-SECURITY-BULLETIN-Q2-2021JetBrains Security Bulletin Q2 2021
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.6 Medium
AI Score
Confidence
High
0.014 Low
EPSS
Percentile
86.4%
JetBrains News Security
JetBrains Security Bulletin Q2 2021
In the second quarter of 2021, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.
| Product | Description | Severity | Resolved in | CVE/CWE |
|---|---|---|---|---|
| Datalore | Potential JWT token takeover using a redirect misconfiguration. Reported by Yurii Sanin (DL-9225, JPF-11801) | High | Not applicable | Not applicable |
| Datalore | There was no way to drop all active sessions. Reported by Bharat (DL-9247) | High | Not applicable | Not applicable |
| JetBrains Account | OTP could be used several times after a successful validation (JPF-11119) | Low | 2021.04 | Not applicable |
| JetBrains Account | Potential account takeover via OAuth integration. Reported by Bharat (JPF-11802) | High | 2021.06 | Not applicable |
| JetBrains Websites | Reflected XSS on jetbrains.com. Reported by Vasu Solanki (JS-14004) | Low | Not applicable | Not applicable |
| Hub | Potentially insufficient CSP for the Widget deployment feature (JPS-10736) | Low | 2021.1.13262 | CVE-2021-37540 |
| Hub | Account takeover was possible during password reset. Reported by PetrusViet (a member of VNG Security) (JPS-10767) | High | 2021.1.13389 | CVE-2021-36209 |
| Hub | HTML injection in the password reset email was possible. Reported by Bharat (JPS-10797) | Medium | 2021.1.13402 | CVE-2021-37541 |
| RubyMine | Code execution without user confirmation was possible for untrusted projects (RUBY-27702) | Medium | 2021.1.1 | CVE-2021-37543 |
| Space | Deprecated organization-wide package repositories were publicly visible (SPACE-14151) | High | Not applicable | Not applicable |
| TeamCity | Potential XSS (TW-61688) | High | 2020.2.3 | CVE-2021-37542 |
| TeamCity | Insecure deserialization (TW-70057, TW-70080) | High | 2020.2.4 | CVE-2021-37544 |
| TeamCity | Insufficient authentication checks for agent requests (TW-70166) | High | 2021.1.1 | CVE-2021-37545 |
| TeamCity | Insecure key generation for encrypted properties (TW-70201) | Low | 2021.1 | CVE-2021-37546 |
| TeamCity | Insufficient checks while uploading files (TW-70546) | Medium | 2020.2.4 | CVE-2021-37547 |
| TeamCity | Plain-text passwords could sometimes be stored in VCS (TW-71008) | Medium | 2021.1 | CVE-2021-37548 |
| YouTrack | Insufficient sandboxing in workflows (JT-63222, JT-63254) | Critical | 2021.1.11111 | CVE-2021-37549 |
| YouTrack | Time-unsafe comparisons were used (JT-63697) | Low | 2021.2.16363 | CVE-2021-37550 |
| YouTrack | System user passwords were hashed with SHA-256 (JT-63698) | Low | 2021.2.16363 | CVE-2021-37551 |
| YouTrack | An insecure PRNG was used (JT-63699) | Low | 2021.2.16363 | CVE-2021-37553 |
| YouTrack | Reflected XSS on the konnector service in Firefox (JT-63702) | Low | Not applicable | Not applicable |
| YouTrack | Stored XSS (JT-64564) | Medium | 2021.2.17925 | CVE-2021-37552 |
| YouTrack | Users could see boards without having the necessary permissions (JT-64634) | Low | 2021.3.21051 | CVE-2021-37554 |
If you need any further assistance, please contact our Security Team.
Subscribe to receive the bulletin in your mailbox.
Your JetBrains Team_
The Drive to Develop_
bulletin security security bulletin
SpringShell Vulnerability in JetBrains Products and Services Next post
Subscribe to JetBrains Blog updates
Subscribe form
By submitting this form, I agree to the JetBrains Privacy Policy Notification icon
By submitting this form, I agree that JetBrains s.r.o. (“JetBrains”) may use my name, email address, and location data to send me newsletters, including commercial communications, and to process my personal data for this purpose. I agree that JetBrains may process said data using third-party services for this purpose in accordance with the JetBrains Privacy Policy. I understand that I can revoke this consent at any time in my profile. In addition, an unsubscribe link is included in each email.
Submit
Thanks, we’ve got you!
Affected configurations
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.6 Medium
AI Score
Confidence
High
0.014 Low
EPSS
Percentile
86.4%