Jetbrains Security Vulnerabilities


CVE-2014-10002

Unspecified vulnerability in JetBrains TeamCity before 8.1 allows remote attackers to obtain sensitive information via unknown vectors.

AI Score: 6.3

EPSS: 0.001

2022-10-03 04:20 PM

CVE-2014-10036

Cross-site scripting (XSS) vulnerability in JetBrains TeamCity before 8.1 allows remote attackers to inject arbitrary web script or HTML via the cameFromUrl parameter to feed/generateFeedUrl.html.

AI Score: 5.9

EPSS: 0.002

2015-01-13 03:59 PM

CVE-2015-1313

JetBrains TeamCity 8 and 9 before 9.0.2 allows bypass of account-creation restrictions via a crafted request because the required request data can be deduced by reading HTML and JavaScript files that are returned to the web browser after an initial unauthenticated request.

CVSS: 6.5

AI Score: 6.4

EPSS: 0.001

2023-06-29 03:15 PM

CVE-2017-8316

The IntelliJ IDEA XML parser was found vulnerable to an XML External Entity attack; an attacker can exploit the vulnerability by implementing malicious code on both Androidmanifest.xml.

CVSS: 7.5

AI Score: 7.5

EPSS: 0.004

2018-08-03 03:29 PM

CVE-2018-14878

JetBrains dotPeek before 2018.2 and ReSharper Ultimate before 2018.1.4 allow attackers to execute code by decompiling a compiled .NET object (such as a DLL or EXE file) with a specific file, because of Deserialization of Untrusted Data.

CVSS: 7.8

AI Score: 7.8

EPSS: 0.001

2018-08-13 05:29 PM

CVE-2019-10100

In JetBrains YouTrack Confluence plugin versions before 1.8.1.3, it was possible to achieve Server Side Template Injection. The attacker could add an Issue macro to the page in Confluence, and use a combination of a valid id field and specially crafted code in the link-text-template field to execut...

CVSS: 9.8

AI Score: 9.3

EPSS: 0.008

2019-07-03 07:15 PM

CVE-2019-10101

JetBrains Kotlin versions before 1.3.30 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack.

CVSS: 8.1

AI Score: 7.9

EPSS: 0.003

2019-07-03 08:15 PM

CVE-2019-10102

JetBrains Ktor framework (created using the Kotlin IDE template) versions before 1.1.0 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack. This issue was fixed in Kotlin plugin version 1.3.30.

CVSS: 8.1

AI Score: 7.9

EPSS: 0.002

2019-07-03 08:15 PM

CVE-2019-10103

JetBrains IntelliJ IDEA projects created using the Kotlin (JS Client/JVM Server) IDE Template were resolving Gradle artifacts using an http connection, potentially allowing an MITM attack. This issue, which was fixed in Kotlin plugin version 1.3.30, is similar to CVE-2019-10101.

CVSS: 8.1

AI Score: 7.8

EPSS: 0.003

2019-07-03 08:15 PM

CVE-2019-10104

In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin, or CloudBees) with the default setting allowed a remote attacker to execute code when the configuration is running, because a JMX server listened on all interfaces instead of loc...

CVSS: 9.8

AI Score: 9.4

EPSS: 0.014

2019-07-03 07:15 PM

CVE-2019-12156

Server metadata could be exposed because one of the error messages reflected the whole response back to the client in JetBrains TeamCity versions before 2018.2.5 and UpSource versions before 2018.2 build 1293.

CVSS: 5.3

AI Score: 5.2

EPSS: 0.001

2019-10-02 07:15 PM

CVE-2019-12157

In JetBrains UpSource versions before 2018.2 build 1293, there is credential disclosure via RPC commands.

CVSS: 9.8

AI Score: 9.2

EPSS: 0.002

2019-10-02 07:15 PM

CVE-2019-12736

JetBrains Ktor framework before 1.2.0-rc does not sanitize the username provided by the user for the LDAP protocol, leading to command injection.

CVSS: 9.8

AI Score: 9.7

EPSS: 0.005

2019-10-02 07:15 PM

CVE-2019-12737

UserHashedTableAuth in JetBrains Ktor framework before 1.2.0-rc uses a One-Way Hash with a Predictable Salt for storing user credentials.

CVSS: 5.3

AI Score: 5.2

EPSS: 0.001

2019-10-02 07:15 PM

CVE-2019-12841

Incorrect handling of user input in ZIP extraction was detected in JetBrains TeamCity. The issue was fixed in TeamCity 2018.2.2.

CVSS: 7.5

AI Score: 7.5

EPSS: 0.001

2019-07-03 08:15 PM

CVE-2019-12842

A reflected XSS on a user page was detected on one of the JetBrains TeamCity pages. The issue was fixed in TeamCity 2018.2.2.

CVSS: 6.1

AI Score: 5.9

EPSS: 0.001

2019-07-03 08:15 PM

CVE-2019-12843

A possible stored JavaScript injection requiring a deliberate server administrator action was detected. The issue was fixed in JetBrains TeamCity 2018.2.3.

CVSS: 6.1

AI Score: 6.3

EPSS: 0.001

2019-07-03 08:15 PM

CVE-2019-12844

A possible stored JavaScript injection was detected on one of the JetBrains TeamCity pages. The issue was fixed in TeamCity 2018.2.3.

CVSS: 6.1

AI Score: 6.3

EPSS: 0.001

2019-07-03 08:15 PM

CVE-2019-12845

The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts. The issue was fixed in JetBrains TeamCity 2018.2.3.

CVSS: 5.3

AI Score: 5.3

EPSS: 0.001

2019-07-03 08:15 PM

CVE-2019-12846

A user without the required permissions could gain access to some JetBrains TeamCity settings. The issue was fixed in TeamCity 2018.2.2.

CVSS: 4.3

AI Score: 4.7

EPSS: 0.001

2019-07-03 08:15 PM

CVE-2019-12847

In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user. It is only relevant in cases where a password has not changed since 2017, and if the audit log still contains events from before that period.

CVSS: 7.2

AI Score: 7

EPSS: 0.001

2019-07-03 07:15 PM

CVE-2019-12850

A query injection was possible in JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49168.

CVSS: 9.8

AI Score: 9.4

EPSS: 0.002

2019-07-03 07:15 PM

CVE-2019-12851

A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49852.

CVSS: 8.8

AI Score: 8.6

EPSS: 0.001

2019-07-03 07:15 PM

CVE-2019-12852

An SSRF attack was possible on a JetBrains YouTrack server. The issue (1 of 2) was fixed in JetBrains YouTrack 2018.4.49168.

CVSS: 9.8

AI Score: 9.3

EPSS: 0.002

2019-07-03 08:15 PM

CVE-2019-12866

An Insecure Direct Object Reference, with Authorization Bypass through a User-Controlled Key, was possible in JetBrains YouTrack. The issue was fixed in 2018.4.49168.

CVSS: 9.8

AI Score: 9.2

EPSS: 0.002

2019-07-03 07:15 PM

CVE-2019-12867

Certain actions could cause privilege escalation for issue attachments in JetBrains YouTrack. The issue was fixed in 2018.4.49168.

CVSS: 9.8

AI Score: 9.5

EPSS: 0.002

2019-07-03 07:15 PM

CVE-2019-14952

JetBrains YouTrack versions before 2019.1.52584 had a possible XSS in the issue titles.

CVSS: 6.1

AI Score: 5.9

EPSS: 0.001

2019-10-01 02:15 PM

CVE-2019-14953

JetBrains YouTrack versions before 2019.2.53938 had a possible XSS through issue attachments when using the Firefox browser.

CVSS: 6.1

AI Score: 5.9

EPSS: 0.001

2019-10-01 04:15 PM

CVE-2019-14954

JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plantuml artifact download link via a cleartext http connection.

CVSS: 5.9

AI Score: 5.7

EPSS: 0.002

2019-10-01 02:15 PM

CVE-2019-14955

In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password and no password expiration policy was implemented.

CVSS: 5.3

AI Score: 5.3

EPSS: 0.001

2019-10-01 04:15 PM

CVE-2019-14956

JetBrains YouTrack before 2019.2.53938 was using incorrect settings, allowing a user without necessary permissions to get other project names.

CVSS: 4.3

AI Score: 4.6

EPSS: 0.001

2019-10-02 07:15 PM

CVE-2019-14957

The JetBrains Vim plugin before version 0.52 was storing individual project data in the global vim_settings.xml file. This xml file could be synchronized to a publicly accessible GitHub repository.

CVSS: 5.3

AI Score: 5.2

EPSS: 0.001

2019-10-01 04:15 PM

CVE-2019-14958

JetBrains PyCharm before 2019.2 was allocating a buffer of unknown size for one of the connection processes. In a very specific situation, it could lead to a remote invocation of an OOM error message because of Uncontrolled Memory Allocation.

CVSS: 7.5

AI Score: 7.6

EPSS: 0.001

2019-10-02 07:15 PM

CVE-2019-14959

JetBrains Toolbox before 1.15.5605 was resolving an internal URL via a cleartext http connection.

CVSS: 5.9

AI Score: 5.7

EPSS: 0.002

2019-10-02 07:15 PM

CVE-2019-14960

JetBrains Rider before 2019.1.2 was using an unsigned JetBrains.Rider.Unity.Editor.Plugin.Repacked.dll file.

CVSS: 7.8

AI Score: 7.5

EPSS: 0.0004

2019-10-01 04:15 PM

CVE-2019-14961

JetBrains Upsource before 2019.1.1412 was not properly escaping HTML tags in code block comments, leading to XSS.

CVSS: 6.1

AI Score: 6.2

EPSS: 0.001

2019-10-01 05:15 PM

CVE-2019-15035

An issue was discovered in JetBrains TeamCity 2018.2.4. A TeamCity Project administrator could get access to potentially confidential server-level data. The issue was fixed in TeamCity 2018.2.5 and 2019.1.

CVSS: 4.9

AI Score: 5

EPSS: 0.001

2019-10-01 08:15 PM

CVE-2019-15036

An issue was discovered in JetBrains TeamCity 2018.2.4. A TeamCity Project administrator could execute any command on the server machine. The issue was fixed in TeamCity 2018.2.5 and 2019.1.

CVSS: 7.2

AI Score: 7.1

EPSS: 0.002

2019-10-02 07:15 PM

CVE-2019-15037

An issue was discovered in JetBrains TeamCity 2018.2.4. It had several XSS vulnerabilities on the settings pages. The issues were fixed in TeamCity 2019.1.

CVSS: 6.1

AI Score: 6.1

EPSS: 0.001

2019-10-02 07:15 PM

CVE-2019-15038

An issue was discovered in JetBrains TeamCity 2018.2.4. The TeamCity server was not using some security-related HTTP headers. The issue was fixed in TeamCity 2019.1.

CVSS: 7.5

AI Score: 7.5

EPSS: 0.001

2019-10-01 04:15 PM

CVE-2019-15039

An issue was discovered in JetBrains TeamCity 2018.2.4. It had a possible remote code execution issue. This was fixed in TeamCity 2019.1.

CVSS: 9.8

AI Score: 9.6

EPSS: 0.169

2019-10-01 02:15 PM

CVE-2019-15040

JetBrains YouTrack versions before 2019.1 had a CSRF vulnerability on the settings page.

CVSS: 8.8

AI Score: 8.6

EPSS: 0.001

2019-10-02 07:15 PM

CVE-2019-15041

JetBrains YouTrack versions before 2019.1.52545 allowed unbounded URL whitelisting because of Inclusion of Functionality from an Untrusted Control Sphere.

CVSS: 6.1

AI Score: 6.3

EPSS: 0.001

2019-10-01 08:15 PM

CVE-2019-15042

An issue was discovered in JetBrains TeamCity 2018.2.4. It had no SSL certificate validation for some external https connections. This was fixed in TeamCity 2019.1.

CVSS: 7.5

AI Score: 7.5

EPSS: 0.001

2019-10-01 05:15 PM

CVE-2019-15848

JetBrains TeamCity 2019.1 and 2019.1.1 allows cross-site scripting (XSS), potentially making it possible to send an arbitrary HTTP request to a TeamCity server under the name of the currently logged-in user.

CVSS: 6.1

AI Score: 6

EPSS: 0.001

2019-09-05 08:15 PM

CVE-2019-16171

In JetBrains YouTrack through 2019.2.56594, stored XSS was found on the issue page.

CVSS: 6.1

AI Score: 5.9

EPSS: 0.001

2019-10-02 07:15 PM

CVE-2019-16407

JetBrains ReSharper installers for versions before 2019.2 had a DLL Hijacking vulnerability.

CVSS: 7.3

AI Score: 7.2

EPSS: 0.0004

2019-10-02 07:15 PM

CVE-2019-18360

In JetBrains Hub versions earlier than 2019.1.11738, username enumeration was possible through password recovery.

CVSS: 5.3

AI Score: 5.4

EPSS: 0.001

2019-10-31 03:15 PM

CVE-2019-18361

JetBrains IntelliJ IDEA before 2019.2 allows local user privilege escalation, potentially leading to arbitrary code execution.

CVSS: 5.3

AI Score: 5.8

EPSS: 0.0004

2019-10-31 03:15 PM

CVE-2019-18362

JetBrains MPS before 2019.2.2 exposed listening ports to the network.

CVSS: 5.3

AI Score: 5.2

EPSS: 0.001

2019-10-31 03:15 PM
Total number of security vulnerabilities: 359