Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
jetbrainsJebrainsJETBRAINS:JETBRAINS-SECURITY-BULLETIN-Q4-2021
HistoryFeb 08, 2022 - 12:00 a.m.

JetBrains Security Bulletin Q4 2021

2022-02-0800:00:00
Jebrains
blog.jetbrains.com
86

7.3 High

AI Score

Confidence

High

JSON

JetBrains Security

JetBrains Security Bulletin Q4 2021

Robert Demmer

Robert Demmer

In the fourth quarter of 2021, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.

Product Description Severity Resolved in CVE/CWE
Datalore Another user’s database could be attached (DL-9779) High Not applicable Not applicable
Hub JetBrains Account integration exposed API keys with excessive permissions. Reported by Yurii Sanin (HUB-10958) High 2021.1.13890 CVE-2022-24327
Hub An unprivileged user could perform a DoS. Reported by Yurii Sanin (HUB-10976) High 2021.1.13956 CVE-2022-24328
IntelliJ IDEA Code could be executed without the user’s permission on opening a project (IDEA-243002, IDEA-277306, IDEA-282396, IDEA-275917) Medium 2021.2.4 CVE-2022-24345
IntelliJ IDEA Potential LCE via RLO (Right-to-Left Override) characters (IDEA-284150) Medium 2021.3.1 CVE-2022-24346
JetBrains Blog Blind SQL injection. Reported by Khan Janny (BLOG-45) Medium Not applicable Not applicable
Kotlin No ability to lock dependencies for Kotlin Multiplatform Gradle projects. Reported by Carter Jernigan (KT-49449) Medium 1.6.0 CVE-2022-24329
Kotlin websites Clickjacking at kotlinlang.org (KTL-588) Medium Not applicable Not applicable
Remote Development Unexpected open port on backend server. Please refer to this blog post for additional details. Reported by Damian Gwiżdż (GTW-894) High Not 2021.3.1 CVE-2021-45977
Space Missing permission check in an HTTP API response (SPACE-15991) High Not applicable Not applicable
TeamCity A redirect to an external site was possible (TW-71113) Low 2021.2.1 CVE-2022-24330
TeamCity Logout failed to remove the “Remember Me” cookie (TW-72969) Low 2021.2 CVE-2022-24332
TeamCity GitLab authentication impersonation. Reported by Christian Pedersen (TW-73375) High 2021.1.4 CVE-2022-24331
TeamCity The “Agent push” feature allowed any private key on the server to be selected (TW-73399) Low 2021.2.1 CVE-2022-24334
TeamCity Blind SSRF via an XML-RPC call. Reported by Artem Godin (TW-73465) Medium 2021.2 CVE-2022-24333
TeamCity Time-of-check/Time-of-use (TOCTOU) vulnerability in agent registration via XML-RPC. Reported by Artem Godin (TW-73468) High 2021.2 CVE-2022-24335
TeamCity An unauthenticated attacker could cancel running builds via an XML-RPC request to the TeamCity server. Reported by Artem Godin (TW-73469) Medium 2021.2.1 CVE-2022-24336
TeamCity Pull-requests’ health items were shown to users without appropriate permissions (TW-73516) Low 2021.2 CVE-2022-24337
TeamCity Stored XSS. Reported by Yurii Sanin (TW-73737) Medium 2021.2.1 CVE-2022-24339
TeamCity URL injection leading to CSRF. Reported by Yurii Sanin (TW-73859) Medium 2021.2.1 CVE-2022-24342
TeamCity Changing a password failed to terminate sessions of the edited user (TW-73888) Low 2021.2.1 CVE-2022-24341
TeamCity XXE during the parsing of a configuration file (TW-73932) Medium 2021.2.1 CVE-2022-24340
TeamCity Reflected XSS (TW-74043) Medium 2021.2.1 CVE-2022-24338
TeamCity Stored XSS on the Notification templates page (JT-65752)) Low 2021.4.31698 CVE-2022-24344
YouTrack A custom logo could be set with read-only permissions (JT-66214) Low 2021.4.31698 CVE-2022-24343
YouTrack Stored XSS via project icon. Reported by Yurii Sanin (JT-67176) Medium 2021.4.36872 CVE-2022-24347

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team_
The Drive to Develop_

security security bulletin

SpringShell Vulnerability in JetBrains Products and Services Next post

Subscribe to JetBrains Blog updates

Subscribe form

By submitting this form, I agree to the JetBrains Privacy Policy Notification icon

By submitting this form, I agree that JetBrains s.r.o. (“JetBrains”) may use my name, email address, and location data to send me newsletters, including commercial communications, and to process my personal data for this purpose. I agree that JetBrains may process said data using third-party services for this purpose in accordance with the JetBrains Privacy Policy. I understand that I can revoke this consent at any time in my profile. In addition, an unsubscribe link is included in each email.

Submit

Thanks, we’ve got you!

image description

Related

prion 22
cve 22
cvelist 22
cnvd 17
githubexploit 1
ubuntucve 1
debiancve 1
ibm 10
redhatcve 1
osv 1
veracode 1
github 1
nessus 2
oracle 5
prion
prion
Server side request forgery (ssrf)
2022-02-25 15:15:00
Code injection
2022-02-25 15:15:00
Code injection
2022-02-25 15:15:00
cve
cve
CVE-2022-24335
2022-02-25 15:15:00
CVE-2021-45977
2022-02-25 15:15:00
CVE-2022-24346
2022-02-25 15:15:00
cvelist
cvelist
CVE-2022-24328
2022-02-25 14:35:00
CVE-2022-24339
2022-02-25 14:35:38
CVE-2021-45977
2022-02-25 14:36:13
cnvd
cnvd
JetBrains TeamCity Cross-Site Request Forgery Vulnerability
2022-03-01 00:00:00
JetBrains TeamCity Cross-Site Scripting Vulnerability (CNVD-2022-15943)
2022-03-01 00:00:00
JetBrains TeamCity Elevation of Privilege Vulnerability (CNVD-2022-15948)
2022-03-01 00:00:00
githubexploit
githubexploit
Exploit for Cross-Site Request Forgery (CSRF) in Jetbrains Teamcity
2022-07-02 22:04:29
ubuntucve
ubuntucve
CVE-2022-24329
2022-02-25 00:00:00
debiancve
debiancve
CVE-2022-24329
2022-02-25 15:15:00
ibm
ibm
Security Bulletin: IBM MQ Blockchain bridge is vulnerable to an issue within fabric gateway (CVE-2022-24329)
2022-09-27 13:13:18
Security Bulletin: IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to JetBrains Kotlin weak security [CVE-2022-24329]
2023-08-07 06:13:48
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Kotlin
2022-04-27 14:53:48
redhatcve
redhatcve
CVE-2022-24329
2022-04-11 19:55:44
osv
osv
Improper Locking in JetBrains Kotlin
2022-02-26 00:00:43
veracode
veracode
Improper Dependency Locking
2022-10-21 12:20:51
github
github
Improper Locking in JetBrains Kotlin
2022-02-26 00:00:43
nessus
nessus
Oracle Access Manager (Apr 2024 CPU)
2024-04-19 00:00:00
Oracle Business Intelligence Publisher (OAS) (Jan 2023 CPU)
2023-01-24 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00
Oracle Critical Patch Update Advisory - January 2023
2023-01-17 00:00:00
Oracle Critical Patch Update Advisory - April 2024
2024-04-16 00:00:00

7.3 High

AI Score

Confidence

High

JSON
Related for JETBRAINS:JETBRAINS-SECURITY-BULLETIN-Q4-2021
prion22cve22cvelist22cnvd17githubexploit1ubuntucve1debiancve1ibm10redhatcve1osv1veracode1github1nessus2oracle5