JetBrains Security Bulletin Q4 2020
In the fourth quarter of 2020, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.
| Product | Description | Severity | Resolved in | CVE/CWE |
|---|---|---|---|---|
| Code With Me | An attacker on the local network who knew the session ID could gain access to the encrypted traffic. Reported by Grigorii Liullin (CWM-1067) | Low | 2020.3 | CVE-2021-25755 |
| Datalore | Server component versions were disclosed (DL-8327, DL-8335) | Low | Not applicable | CWE-200 |
| Exception Analyzer | Information disclosure via the Exception Analyzer (SDP-1248) | Low | Not applicable | CWE-200 |
| IntelliJ IDEA | HTTP links were used for several remote repositories (IDEA-228726) | Low | 2020.2 | CVE-2021-25756 |
| IntelliJ IDEA | Potentially insecure deserialization of the workspace model (IDEA-253582) | Low | 2020.3 | CVE-2021-25758 |
| JetBrains Account | The authorization token was sent as a query parameter within the Zendesk integration (JPF-10508) | Low | 2020.11 | CWE-598 |
| JetBrains Account | Open redirect was possible (JPF-10660) | Low | 2020.10 | CWE-601 |
| JetBrains Websites | Cross-origin resource sharing was possible. Reported by Ashhad Ali (SDP-1193) | Low | Not applicable | CWE-942 |
| JetBrains Websites | Throttling was not applied to a particular endpoint. Reported by Ashhad Ali (SDP-1197) | Low | Not applicable | CWE-799 |
| JetBrains Websites | Clickjacking was possible. Reported by Ashhad Ali (SDP-1203) | Low | Not applicable | CWE-1021 |
| Hub | Open redirect was possible. Reported by Mohammed Amine El Attar (JPS-10348) | Medium | 2020.1.12629 | CVE-2021-25757 |
| Hub | An authorized user could delete the 2FA settings of any other user (JPS-10410) | Medium | 2020.1.12629 | CVE-2021-25759 |
| Hub | Information disclosure via the public API (JPS-10481) | Low | 2020.1.12669 | CVE-2021-25760 |
| Kotlin | A vulnerable Java API was used for creating temporary files and folders, which could make temporary files accessible to other users of the system. Reported by Jonathan Leitschuh (KT-42181) | Low | 1.4.21 | CVE-2020-29582 |
| Ktor | A birthday attack on the SessionStorage key was possible. Reported by Kenta Koyama (KTOR-878) | Low | 1.5.0 | CVE-2021-25761 |
| Ktor | Weak cipher suites were enabled by default. Reported by Johannes Ulfkjær Jensen (KTOR-895) | Low | 1.4.2 | CVE-2021-25763 |
| Ktor | HTTP request smuggling was possible. Reported by ZeddYu Lu, Kaiwen Shen, and Yaru Yang (KTOR-1116) | Low | 1.4.3 | CVE-2021-25762 |
| PhpStorm | Source code could be written to debug logs (WI-54619) | Low | 2020.3 | CVE-2021-25764 |
| YouTrack | CSRF via attachment upload. Reported by Yurii Sanin (JT-58157) | Medium | 2020.4.4701 | CVE-2021-25765 |
| YouTrack | User enumeration via the REST API without the appropriate permissions (JT-59396, JT-59498) | Low | 2020.4.4701 | CVE-2020-25208 |
| YouTrack | Improper resource access checks (JT-59397) | Low | 2020.4.4701 | CVE-2021-25766 |
| YouTrack | Disclosure of an issue's existence via YouTrack command execution (JT-59663) | Low | 2020.6.1767 | CVE-2021-25767 |
| YouTrack | Improper permission checks for attachment actions (JT-59900) | Low | 2020.4.4701 | CVE-2021-25768 |
| YouTrack | A YouTrack admin was unable to access attachments (JT-60824) | Low | 2020.4.6808 | CVE-2021-25769 |
| YouTrack | Server-side template injection in YouTrack InCloud. Reported by Vasily Vasilkov (JT-61449) | High | 2020.5.3123 | CVE-2021-25770 |
| YouTrack | Project information disclosure (JT-61566) | Low | 2020.6.1099 | CVE-2021-25771 |
| Space | Potential information disclosure via logs (SPACE-9343, SPACE-10969) | Low | Not applicable | CWE-532 |
| Space | An attacker could obtain limited information via SSRF while testing the connection to a mirrored repository (SPACE-9514) | High | Not applicable | CWE-918 |
| Space | The Content-Type header was not set for some pages (SPACE-12004) | Low | Not applicable | CWE-531 |
| Space | A REST API endpoint was available without an appropriate permission check, which could introduce a potential DoS vector (no real exploit available) (SPACE-12288) | Low | Not applicable | CWE-732 |
| TeamCity | Reflected XSS on several pages (TW-67424, TW-68098) | Medium | 2020.2 | CVE-2021-25773 |
| TeamCity | TeamCity server DoS was possible via server integration (TW-68406, TW-68780) | Low | 2020.2 | CVE-2021-25772 |
| TeamCity | ECR token exposure in the build's parameters (TW-68515) | Medium | 2020.2 | CVE-2021-25776 |
| TeamCity | A user could gain access to the GitHub access token of another user (TW-68646) | Low | 2020.2.1 | CVE-2021-25774 |
| TeamCity | A server admin could create and view access tokens for any other user (TW-68862) | Low | 2020.2.1 | CVE-2021-25775 |
| TeamCity | Improper permission checks during user deletion (TW-68864) | Low | 2020.2.1 | CVE-2021-25778 |
| TeamCity | Improper permission checks during token removal (TW-68871) | Low | 2020.2.1 | CVE-2021-25777 |
| TeamCity | SSRF in a TeamCity plugin that could potentially expose user credentials. Reported by Jonathan Leitschuh (TW-69068) | High | 2020.2.85695 | CVE-2020-35667 |
If you need any further assistance, please contact our Security Team.
Your JetBrains Team