JetBrains Security Vulnerabilities

CVE-2019-18363

In JetBrains TeamCity before 2019.1.2, access could be gained to the history of builds of a deleted build configuration under some circumstances.

5.3 CVSS

5.2 AI Score

0.001 EPSS

2019-10-31 03:15 PM
27

CVE-2019-18364

In JetBrains TeamCity before 2019.1.4, insecure Java Deserialization could potentially allow remote code execution.

9.8 CVSS

9.7 AI Score

0.013 EPSS

2019-10-31 03:15 PM
31

CVE-2019-18365

In JetBrains TeamCity before 2019.1.4, reverse tabnabbing was possible on several pages.

4.3 CVSS

4.7 AI Score

0.001 EPSS

2019-10-31 04:15 PM
24

CVE-2019-18366

In JetBrains TeamCity before 2019.1.2, secure values could be exposed to users with the "View build runtime parameters and data" permission.

5.3 CVSS

5.2 AI Score

0.001 EPSS

2019-10-31 04:15 PM
20

CVE-2019-18367

In JetBrains TeamCity before 2019.1.2, a non-destructive operation could be performed by a user without the corresponding permissions.

5.3 CVSS

5.2 AI Score

0.001 EPSS

2019-10-31 04:15 PM
26

CVE-2019-18368

In JetBrains Toolbox App before 1.15.5666 for Windows, privilege escalation was possible.

7.3 CVSS

7.4 AI Score

0.001 EPSS

2019-10-31 04:15 PM
133

CVE-2019-18369

In JetBrains YouTrack before 2019.2.55152, removing tags from the issues list without the corresponding permission was possible.

5.3 CVSS

5.3 AI Score

0.001 EPSS

2019-10-31 04:15 PM
17

CVE-2019-18412

JetBrains IDETalk plugin before version 193.4099.10 allows XXE.

7.5 CVSS

7.5 AI Score

0.002 EPSS

2020-01-15 04:15 PM
19

CVE-2019-19389

JetBrains Ktor framework before version 1.2.6 was vulnerable to HTTP Response Splitting.

5.4 CVSS

5.4 AI Score

0.001 EPSS

2019-12-26 09:15 PM
61

CVE-2019-19703

In Ktor through 1.2.6, the client resends data from the HTTP Authorization header to a redirect location.

6.1 CVSS

6.1 AI Score

0.001 EPSS

2019-12-10 08:15 PM
38

CVE-2019-19704

In JetBrains Upsource before 2020.1, information disclosure is possible because of an incorrect user matching algorithm.

7.5 CVSS

7.2 AI Score

0.002 EPSS

2020-08-08 09:15 PM
39

CVE-2019-9186

In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute code when the configuration is running, because a JMX server listens on all interfaces (instead of listening on only the localhost interface). This issue has bee...

9.8 CVSS

9.4 AI Score

0.013 EPSS

2019-07-03 07:15 PM
214

CVE-2019-9823

In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to saving a cleartext record of the server credentials in the IDE configuration files. The issue has been fixed in the following versions: 2018.3.5, 2018.2.8, 2018.1.8.

9.8 CVSS

9.3 AI Score

0.002 EPSS

2019-07-03 07:15 PM
208

CVE-2019-9872

In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. If the Settings Repository plugin was then used and configured to synchronize I...

8.1 CVSS

8 AI Score

0.002 EPSS

2019-07-03 07:15 PM
145

CVE-2019-9873

In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. The issue has been fixed in the following versions: 2019.1, 2018.3.5, 2018.2.8, and 2018.1.8.

9.8 CVSS

9.3 AI Score

0.002 EPSS

2019-07-03 07:15 PM
149

CVE-2020-11416

JetBrains Space through 2020-04-22 allows stored XSS in Chats.

5.4 CVSS

5.2 AI Score

0.001 EPSS

2020-04-22 02:15 PM
19

CVE-2020-11685

In JetBrains GoLand before 2019.3.2, the plugin repository was accessed via HTTP instead of HTTPS.

7.5 CVSS

7.5 AI Score

0.002 EPSS

2020-04-22 02:15 PM
178

CVE-2020-11686

In JetBrains TeamCity before 2019.1.4, a project administrator was able to retrieve some TeamCity server settings.

2.7 CVSS

4 AI Score

0.001 EPSS

2020-04-22 02:15 PM
16

CVE-2020-11687

In JetBrains TeamCity before 2019.2.2, password values were shown in an unmasked format on several pages.

7.5 CVSS

7.6 AI Score

0.002 EPSS

2020-04-22 02:15 PM
17

CVE-2020-11688

In JetBrains TeamCity before 2019.2.1, the application state is kept alive after a user ends his session.

7.5 CVSS

7.5 AI Score

0.001 EPSS

2020-04-22 02:15 PM
19

CVE-2020-11689

In JetBrains TeamCity before 2019.2.1, a user without appropriate permissions was able to import settings from the settings.kts file.

6.5 CVSS

6.3 AI Score

0.001 EPSS

2020-04-22 02:15 PM
20

CVE-2020-11690

In JetBrains IntelliJ IDEA before 2020.1, the license server could be resolved to an untrusted host in some cases.

9.8 CVSS

9.2 AI Score

0.002 EPSS

2020-04-22 02:15 PM
17

CVE-2020-11691

In JetBrains Hub before 2020.1.12099, content spoofing in the Hub OAuth error message was possible.

7.5 CVSS

7.5 AI Score

0.001 EPSS

2020-04-22 02:15 PM
25

CVE-2020-11692

In JetBrains YouTrack before 2020.1.659, DB export was accessible to read-only administrators.

2.7 CVSS

4.1 AI Score

0.001 EPSS

2020-04-22 02:15 PM
19

CVE-2020-11693

JetBrains YouTrack before 2020.1.659 was vulnerable to DoS that could be caused by attaching a malformed TIFF file to an issue.

7.5 CVSS

7.4 AI Score

0.001 EPSS

2020-04-22 02:15 PM
15

CVE-2020-11694

In JetBrains PyCharm 2019.2.5 and 2019.3 on Windows, Apple Notarization Service credentials were included. This is fixed in 2019.2.6 and 2019.3.3.

7.5 CVSS

6.9 AI Score

0.003 EPSS

2020-04-10 09:15 PM
186

CVE-2020-11795

In JetBrains Space through 2020-04-22, the session timeout period was configured improperly.

7.5 CVSS

7.5 AI Score

0.001 EPSS

2020-04-22 02:15 PM
25

CVE-2020-11796

In JetBrains Space through 2020-04-22, the password authentication implementation was insecure.

9.8 CVSS

9.6 AI Score

0.003 EPSS

2020-04-22 02:15 PM
16

CVE-2020-11938

In JetBrains TeamCity 2018.2 through 2019.2.1, a project administrator was able to see scrambled password parameters used in a project. The issue was resolved in 2019.2.2.

4.9 CVSS

5.1 AI Score

0.001 EPSS

2020-04-22 02:15 PM
22

CVE-2020-15817

In JetBrains YouTrack before 2020.1.1331, an external user could execute commands against arbitrary issues.

8.8 CVSS

8.8 AI Score

0.001 EPSS

2020-08-08 09:15 PM
31

CVE-2020-15818

In JetBrains YouTrack before 2020.2.8527, the subtasks workflow could disclose issue existence.

5.3 CVSS

5.3 AI Score

0.001 EPSS

2020-08-08 09:15 PM
40

CVE-2020-15819

JetBrains YouTrack before 2020.2.10643 was vulnerable to SSRF that allowed scanning internal ports.

5.3 CVSS

5.2 AI Score

0.001 EPSS

2020-08-08 09:15 PM
28

CVE-2020-15820

In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.

5.3 CVSS

5.3 AI Score

0.001 EPSS

2020-08-08 09:15 PM
31

CVE-2020-15821

In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.

6.5 CVSS

6.4 AI Score

0.001 EPSS

2020-08-08 09:15 PM
33

CVE-2020-15822

In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped.

7.3 CVSS

7.2 AI Score

0.001 EPSS

2020-10-19 07:15 PM
22

CVE-2020-15823

JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.

7.5 CVSS

7.4 AI Score

0.002 EPSS

2020-08-08 09:15 PM
40
2

CVE-2020-15824

In JetBrains Kotlin from 1.4-M1 to 1.4-RC (Kotlin 1.3.7x is not affected by the issue; the fixed version is 1.4.0), there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.

8.8 CVSS

8.6 AI Score

0.004 EPSS

2020-08-08 09:15 PM
116

CVE-2020-15825

In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.

8.8 CVSS

8.6 AI Score

0.001 EPSS

2020-08-08 09:15 PM
35

CVE-2020-15826

In JetBrains TeamCity before 2020.1, users are able to assign more permissions than they have.

4.3 CVSS

4.6 AI Score

0.001 EPSS

2020-08-08 09:15 PM
30

CVE-2020-15827

In JetBrains ToolBox version 1.17 before 1.17.6856, the set of signature verifications omitted the jetbrains-toolbox.exe file.

7.5 CVSS

7.5 AI Score

0.001 EPSS

2020-08-08 09:15 PM
36

CVE-2020-15828

In JetBrains TeamCity before 2020.1.1, project parameter values can be retrieved by a user without appropriate permissions.

6.5 CVSS

6.4 AI Score

0.001 EPSS

2020-08-08 09:15 PM
38

CVE-2020-15829

In JetBrains TeamCity before 2019.2.3, password parameters could be disclosed via build logs.

5.3 CVSS

5.4 AI Score

0.001 EPSS

2020-08-08 09:15 PM
35

CVE-2020-15830

JetBrains TeamCity before 2019.2.3 is vulnerable to stored XSS in the administration UI.

6.1 CVSS

5.9 AI Score

0.001 EPSS

2020-08-08 09:15 PM
32

CVE-2020-15831

JetBrains TeamCity before 2019.2.3 is vulnerable to reflected XSS in the administration UI.

6.1 CVSS

5.9 AI Score

0.001 EPSS

2020-08-08 09:15 PM
32

CVE-2020-24366

Sensitive information could be disclosed in the JetBrains YouTrack application before 2020.2.0 for Android via application backups.

3.3 CVSS

4 AI Score

0.0004 EPSS

2020-11-16 03:15 PM
24

CVE-2020-24618

In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008, 2020.1.11011, 2019.1.65514, 2019.2.65515, and 2019.3.65516, an attacker can retrieve an issue description without appropriate access.

6.5 CVSS

6.5 AI Score

0.001 EPSS

2020-08-27 08:15 PM
17

CVE-2020-25013

JetBrains ToolBox before version 1.18 is vulnerable to a Denial of Service attack via a browser protocol handler.

7.5 CVSS

7.4 AI Score

0.001 EPSS

2020-11-16 03:15 PM
119

CVE-2020-25207

JetBrains ToolBox before version 1.18 is vulnerable to Remote Code Execution via a browser protocol handler.

9.8 CVSS

9.5 AI Score

0.024 EPSS

2020-11-16 03:15 PM
132

CVE-2020-25208

In JetBrains YouTrack before 2020.4.4701, an attacker could enumerate users via the REST API without appropriate permissions.

5.3 CVSS

5.3 AI Score

0.001 EPSS

2021-02-03 04:15 PM
18
2

CVE-2020-25209

In JetBrains YouTrack before 2020.3.6638, improper access control for some subresources leads to information disclosure via the REST API.

7.5 CVSS

7.2 AI Score

0.002 EPSS

2020-11-16 03:15 PM
18
Total number of security vulnerabilities: 359