JetBrains Security Bulletin Q2 2020
In the second quarter of 2020, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.
| Product | Description | Severity | Resolved in | CVE/CWE |
|---|---|---|---|---|
| Datalore | Stack trace disclosure. (DL-7350) | Low | Not applicable | CWE-536 |
| Datalore | Reverse tabnabbing was possible. (DL-7708) | Low | Not applicable | CWE-1022 |
| JetBrains Account | Throttling for reset password functionality was missing if 2FA was enabled. Reported by Manu Pranav. (JPF-10527) | Medium | 2020.06 | CWE-799 |
| JetBrains Website | Stack trace disclosure in case of an incorrect character in request. (JS-12490) | Low | Not applicable | CWE-536 |
| JetBrains Website | Reflected XSS on jetbrains.com subdomain. Reported by Ritik Chaddha. (JS-12562) | Low | Not applicable | CWE-79 |
| JetBrains Website | Open-redirect issues on kotlinconf.com. Reported by Ritik Chaddha. (JS-12581) | Low | Not applicable | CWE-601 |
| JetBrains Website | Clickjacking was possible on a non-existent page. Reported by Pravas Ranjan Kanungo. (JS-12835) | Low | Not applicable | CWE-1021 |
| YouTrack | Subtasks workflow could disclose the existence of an issue. (JT-45316) | Low | 2020.2.8527 | CVE-2020-15818 |
| YouTrack | An external user could execute commands against arbitrary issues. (JT-56848) | High | 2020.1.1331 | CVE-2020-15817 |
| YouTrack | SSRF vulnerability that allowed scanning internal ports. Reported by Evren Yalçın. (JT-56917) | Low | 2020.2.10643 | CVE-2020-15819 |
| YouTrack | It was possible to change a redirect from any existing YouTrack InCloud instance to another instance. (JT-57036) | Medium | 2020.1.3588 | CWE-601 |
| YouTrack | The markdown parser could disclose the existence of a hidden file. (JT-57235) | Low | 2020.2.6881 | CVE-2020-15820 |
| YouTrack | A user without the appropriate permissions could create an article draft. (JT-57649) | Medium | 2020.2.6881 | CVE-2020-15821 |
| YouTrack | The AWS metadata of a YouTrack InCloud instance was disclosed via SSRF in a workflow. Reported by Yurii Sanin. (JT-57964) | High | 2020.2.8873 | CVE-2020-15823 |
| YouTrack | SSRF was possible because URL filtering could be escaped. Reported by Yurii Sanin. (JT-58204) | Low | 2020.2.10514 | CVE-2020-15822 |
| Kotlin | Script cache privilege escalation vulnerability. Reported by Henrik Tunedal. (KT-38222) | Medium | 1.4.0 | CVE-2020-15824 |
| Space | Draft title was disclosed to a user without access to the draft. (SPACE-5594) | Low | Not applicable | CWE-200 |
| Space | A missing authorization check caused privilege escalation. Reported by Callum Carney. (SPACE-8034) | High | Not applicable | CWE-266 |
| Space | Blind SSRF via calendar import. Reported by Yurii Sanin. (SPACE-8273) | Medium | Not applicable | CWE-918 |
| Space | Drafts of direct messages sent from the iOS app could be sent to the channel. (SPACE-8377) | Low | Not applicable | CWE-200 |
| Space | Chat messages were propagated to the browser console. (SPACE-8386) | High | Not applicable | CWE-215 |
| Space | Missing authentication checks in Space Automation. (SPACE-8431) | Critical | Not applicable | CWE-306 |
| Space | Missing authentication checks in Job-related API. (SPACE-8822) | Low | Not applicable | CWE-306 |
| Space | Incorrect checks of public key content. (SPACE-9169) | Medium | Not applicable | CWE-287 |
| Space | Stored XSS via repository resource. (SPACE-9277) | High | Not applicable | CWE-79 |
| Toolbox App | Missing signature on “jetbrains-toolbox.exe”. (TBX-4671) | Low | 1.17.6856 | CVE-2020-15827 |
| TeamCity | Users were able to assign more permissions than they had. (TW-36158) | Low | 2020.1 | CVE-2020-15826 |
| TeamCity | Users with the “Modify group” permission could elevate other users’ privileges. (TW-58858) | Medium | 2020.1 | CVE-2020-15825 |
| TeamCity | Password parameters could be disclosed via build logs. (TW-64484) | Low | 2019.2.3 | CVE-2020-15829 |
| TeamCity | Project parameter values could be retrieved by a user without the appropriate permissions. (TW-64587) | High | 2020.1.1 | CVE-2020-15828 |
| TeamCity | Reflected XSS on administration UI. (TW-64668) | High | 2019.2.3 | CVE-2020-15831 |
| TeamCity | Stored XSS on administration UI. (TW-64699) | High | 2019.2.3 | CVE-2020-15830 |
| Upsource | Unauthorized access was possible through an error in accounts linking. (SDP-940) | Low | 2020.1 | CVE-2019-19704 |
If you need any further assistance, please contact our Security Team.
Your JetBrains Team