JetBrains Security Bulletin Q1 2021
In the first quarter of 2021, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.
| Product | Description | Severity | Resolved in | CVE/CWE |
|---|---|---|---|---|
| Code With Me | A client could execute code in read-only mode (CWM-1235) | Medium | Compatible IDEs 2021.1 version | CVE-2021-31899 |
| Code With Me | A client could open a browser on the host (CWM-1769) | Low | Compatible IDEs 2021.1 version | CVE-2021-31900 |
| Exception Analyzer | No throttling on the Exception Analyzer login page. Reported by Ashhad Ali (EXA-760) | Low | Not applicable | Not applicable |
| IntelliJ IDEA | XXE in License server functionality. Reported by Reef Spektor (IDEA-260143) | High | 2020.3.3 | CVE-2021-30006 |
| IntelliJ IDEA | Code execution without user confirmation was possible for untrusted projects (IDEA-260911, IDEA-260912, IDEA-260913, IDEA-261846, IDEA-261851, IDEA-262917, IDEA-263981, IDEA-264782) | Medium | 2020.3.3 | CVE-2021-29263 |
| IntelliJ IDEA | Possible DoS. Reported by Arun Malik (IDEA-261832) | Medium | 2021.1 | CVE-2021-30504 |
| JetBrains Academy | Potential takeover of a future account with a known email address. Reported by Vansh Devgan (JBA-110) | Low | Not applicable | Not applicable |
| JetBrains Account | Sensitive account URLs were shared with third parties. Reported by Vikram Naidu (JPF-11338) | High | 2021.02 | Not applicable |
| JetBrains Websites | Reflected XSS at blog.jetbrains.com. Reported by Peter Af Geijerstam and Jai Kumar (JS-14554, JS-14562) | Low | Not applicable | Not applicable |
| Hub | Two-factor authentication wasn't enabled properly for the "All Users" group (JPS-10694) | Low | 2021.1.13079 | CVE-2021-31901 |
| YouTrack | Stored XSS via attached file. Reported by Mikhail Klyuchnikov (JT-62530) | Medium | 2020.6.6441 | CVE-2021-27733 |
| YouTrack | Pull request title was insufficiently sanitized (JT-62556) | Medium | 2021.1.9819 | CVE-2021-31903 |
| YouTrack | Improper access control while exporting issues (JT-62649) | High | 2020.6.6600 | CVE-2021-31902 |
| YouTrack | Information disclosure in issue preview. Reported by Philip Wedemann (JT-62919) | High | 2020.6.8801 | CVE-2021-31905 |
| PyCharm | Code execution without user confirmation was possible for untrusted projects. Reported by Tony Torralba (PY-41524) | Medium | 2020.3.4 | CVE-2021-30005 |
| Space | Insufficient CRLF sanitization in user input (SPACE-13955) | Low | Not applicable | Not applicable |
| TeamCity Cloud | Potential information disclosure via EC2 instance metadata (TCC-174, TCC-176) | Low | Not applicable | Not applicable |
| TeamCity Cloud | Temporary credentials disclosure via command injection. Reported by Chris Moore (TCC-196) | Major | Not applicable | Not applicable |
| TeamCity | Potential XSS on the test history page (TW-67710) | Medium | 2020.2.2 | CVE-2021-31904 |
| TeamCity | TeamCity IntelliJ Plugin DoS. Reported by Jonathan Leitschuh (TW-69070) | Low | 2020.2.2 | CVE-2021-26310 |
| TeamCity | Local information disclosure via a temporary file in the TeamCity IntelliJ Plugin. Reported by Jonathan Leitschuh (TW-69420) | Low | 2020.2.2 | CVE-2021-26309 |
| YouTrack | Insufficient audit when an administrator uploads a file (TW-69511) | Low | 2020.2.2 | CVE-2021-31906 |
| TeamCity | Improper permission checks for changing TeamCity plugins (TW-69521) | Low | 2020.2.2 | CVE-2021-31907 |
| TeamCity | Potential XSS on the test page. Reported by Stephen Patches (TW-69737) | Low | 2020.2.2 | CVE-2021-3315 |
| TeamCity | Argument injection leading to RCE (TW-70054) | High | 2020.2.3 | CVE-2021-31909 |
| TeamCity | Stored XSS on several pages (TW-70078, TW-70348) | Medium | 2020.2.3 | CVE-2021-31908 |
| TeamCity | Information disclosure via SSRF (TW-70079) | High | 2020.2.3 | CVE-2021-31910 |
| TeamCity | Reflected XSS on several pages (TW-70093, TW-70094, TW-70095, TW-70096, TW-70137) | Medium | 2020.2.3 | CVE-2021-31911 |
| TeamCity | Potential account takeover during password reset (TW-70303) | Medium | 2020.2.3 | CVE-2021-31912 |
| TeamCity | Insufficient checks of the redirect_uri during GitHub SSO token exchange (TW-70358) | Low | 2020.2.3 | CVE-2021-31913 |
| TeamCity | Arbitrary code execution on TeamCity Server running on Windows. Reported by Chris Moore (TW-70512) | High | 2020.2.4 | CVE-2021-31914 |
| TeamCity | Command injection leading to RCE. Reported by Chris Moore (TW-70541) | High | 2020.2.4 | CVE-2021-31915 |
| Upsource | Application passwords were not revoked correctly. Reported by Thibaut Zonca (UP-10843) | High | 2020.1.1883 | CVE-2021-30482 |
| WebStorm | HTTP requests were used instead of HTTPS (WEB-49549) | Low | 2021.1 | CVE-2021-31898 |
| WebStorm | Code execution without user confirmation was possible for untrusted projects (WEB-49689, WEB-49902) | Low | 2021.1 | CVE-2021-31897 |
If you need any further assistance, please contact our Security Team.
Your JetBrains Team
The Drive to Develop