JetBrains Security Bulletin 2018 Q2
We resolved a series of security issues in our products in the second quarter of 2018. Here's a summary report that describes each issue and lists the version in which it was resolved.
Product | Description | Severity | Resolved in |
--- | --- | --- | --- |
Hub | ClickJacking vulnerability (JPS-7209) | Low | 2017.4.8040 |
Hub | ClickJacking vulnerability (JPS-8009) | Low | 2018.2.9541 |
IntelliJ IDEA | ROBOT attack vulnerability in certain subsystems (IDEA-183912) | Low | 2018.1.3 |
Scala | Possible unauthenticated access to local compile server (SCL-13584) | Moderate | 2018.2 |
TeamCity | Possible privilege escalation to server administrator (TW-55209) | High | 2018.1 |
TeamCity | CSRF attack vulnerability (TW-55210) | High | 2018.1 |
TeamCity | Possible privilege escalation from project administrator to server administrator (TW-55211, TW-55684) | High | 2018.1 |
TeamCity | Possible unauthorized removal of installation data by project administrator (TW-54876) | High | 2018.1 |
TeamCity | Network access to an agent allowed potential unauthorized control over the agent (TW-49335) | Moderate | 2018.1 |
TeamCity | In a very specific scenario, an attacker could steal web responses meant for other users (TW-54486) | Moderate | 2018.1 |
TeamCity | Stored XSS vulnerabilities on various pages (TW-27206, TW-54129, TW-55453, TW-55215, TW-55217, TW-55353) | Moderate | 2018.1 |
TeamCity | Project viewer could delete non-critical project settings (TW-55261) | Moderate | 2018.1 |
TeamCity | Network access to a server allowed potential read access to project settings (TW-54870) | Moderate | 2018.1 |
TeamCity | Project viewer could affect details of some running builds (TW-54975) | Moderate | 2018.1 |
TeamCity | Reflected XSS vulnerabilities on various pages (TW-55212, TW-55213) | Moderate | 2018.1 |
TeamCity | User self-registration might have been enabled by default on new server installation (TW-54741) | Moderate | 2017.2.4, 2018.1 |
TeamCity | Possible vulnerability to ClickJacking attack from TeamCity UI (TW-33819) | Moderate | 2017.2.4, 2018.1 |
TeamCity | Project viewer could bypass the “View build runtime parameters and data” permission (TW-55502) | Low | 2018.1 |
TeamCity | Network access to a server exposed a vulnerability to DoS attacks (TW-11984) | Low | 2018.1 |
TeamCity | Potential to pass authorization cookies without secure flags (TW-55141) | Low | 2018.1 |
Upsource | Vulnerability to ClickJacking attack (UP-9673) | Moderate | 2018.1 |
Upsource | Possible privilege escalation during the configuration process (BND-1154, BND-1579, UP-7359). Reported by Zhiyong Feng from Mobike Security Team. | Low | 2018.1 |
YouTrack | Stored XSS vulnerabilities from specific pages (JT-47824) | High | 2018.2.42881 |
YouTrack | Potential for unauthorized users to view names of SSL keys (JT-47685) | Low | 2018.2.42881 |
YouTrack | Swimlane functionality allowed unauthorized changes to a limited number of issue properties (JT-47125) | Note | 2018.2.42133 |
If you need any further assistance, please contact our Support Team.
Your JetBrains Team
The Drive to Develop