
JetBrains Security Bulletin Q3 2021

2021-11-08 00:00:00
JetBrains
blog.jetbrains.com

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

AI Score: 6.6 Medium (Confidence: High)
EPSS: 0.006 Low (Percentile: 78.1%)

JetBrains Security

Robert Demmer

In the third quarter of 2021, we resolved a number of security issues in our products. Here's a summary report that contains a description of each issue and the version in which it was resolved.

Product | Description | Severity | Resolved in | CVE/CWE
--- | --- | --- | --- | ---
Datalore | Server version disclosure. Reported by Bharat (DL-9447) | Low | Not applicable | Not applicable
Hub | Information disclosure via avatar metadata (HUB-10154) | Low | 2021.1.13690 | CVE-2021-43180
Hub | Potential DoS via user information. Reported by Bharat (HUB-10804) | Low | 2021.1.13415 | CVE-2021-43182
Hub | Stored XSS. Reported by Dmitry Sherstoboev (HUB-10854) | Medium | 2021.1.13690 | CVE-2021-43181
Hub | Authentication throttling mechanism could be bypassed. Reported by Bharat (HUB-10869) | Medium | 2021.1.13690 | CVE-2021-43183
JetBrains Account | Authentication throttling mechanism could be bypassed. Reported by Bharat (JPF-11933) | Medium | 2021.07 | Not applicable
Ktor | Improper nonce verification during the OAuth2 authentication process. Reported by Ole Schilling Tjensvold (KTOR-3091) | Medium | 1.6.4 | CVE-2021-43203
Space | Authentication throttling mechanism could be bypassed. Reported by Bharat (SPACE-15282) | Low | Not applicable | Not applicable
Space | SSRF disclosing EC2 metadata (SPACE-15666) | High | Not applicable | Not applicable
TeamCity Cloud | Session takeover using an open redirect in OAuth integration. Reported by Yurii Sanin (TCC-277) | High | Not applicable | Not applicable
TeamCity | User enumeration was possible (TW-70167) | Low | 2021.1.2 | CVE-2021-43194
TeamCity | RCE in agent push functionality. Reported by Eduardo Castellanos (TW-70384) | High | 2021.1.2 | CVE-2021-43193
TeamCity | Information disclosure via the Docker Registry connection dialog (TW-70459) | Medium | 2021.1 | CVE-2021-43196
TeamCity | Some HTTP security headers were missing (TW-71376) | Low | 2021.1.2 | CVE-2021-43195
TeamCity | Email notifications could include unescaped HTML (TW-71981) | Low | 2021.1.2 | CVE-2021-43197
TeamCity | Insufficient permissions checks in create patch functionality (TW-71982) | Low | 2021.1.2 | CVE-2021-43199
TeamCity | Stored XSS (TW-72007) | Low | 2021.1.2 | CVE-2021-43198
TeamCity | Insufficient permissions checks in agent push functionality (TW-72177) | Low | 2021.1.2 | CVE-2021-43200
TeamCity | X-Frame-Options header was missing in some cases (TW-72464) | Low | 2021.1.3 | CVE-2021-43202
TeamCity | A newly created project could take settings from a deleted project (TW-72521) | Medium | 2021.1.3 | CVE-2021-43201
YouTrack Mobile | Client-side caching on iOS (YTM-12961) | Low | 2021.2 | CVE-2021-43187
YouTrack Mobile | Incomplete access tokens protection on iOS (YTM-12962, YTM-12965, YTM-12966) | Low | 2021.2 | CVE-2021-43188
YouTrack Mobile | Incomplete access tokens protection on Android (YTM-12964) | Low | 2021.2 | CVE-2021-43189
YouTrack Mobile | Task hijacking on Android (YTM-12967) | Low | 2021.2 | CVE-2021-43190
YouTrack Mobile | iOS URL scheme hijacking (YTM-12968) | Low | 2021.2 | CVE-2021-43192
YouTrack Mobile | Missing security screen on Android and iOS (YTM-12969) | Low | 2021.2 | CVE-2021-43191
YouTrack | Stored XSS (JT-63483) | Low | 2021.3.21051 | CVE-2021-43184
YouTrack | Unsafe EC2 configuration in YouTrack InCloud (JT-63693, JT-63695) | Low | Not applicable | Not applicable
YouTrack | Host header injection. Reported by Artem Ivanov (JT-65590) | Medium | 2021.3.23639 | CVE-2021-43185
YouTrack | Stored XSS. Reported by Artem Ivanov (JT-65749) | High | 2021.3.24402 | CVE-2021-43186

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop


Affected configurations (Vulners)

jetbrains hub < 2021.1.13415 OR < 2021.1.13690
jetbrains scala < 2021.07
jetbrains ktor < 1.6.4
jetbrains teamcity < 2021.1 OR < 2021.1.2 OR < 2021.1.3
jetbrains youtrack_mobile < 2021.2
jetbrains youtrack < 2021.3.21051 OR < 2021.3.23639 OR < 2021.3.24402
