JetBrains Security Bulletin 2018 Q1
We have resolved a series of security issues in our products within the first quarter of 2018. Below is a summary of the more important ones, including the description and the version in which they were resolved.
| Product | Description | Severity | Resolved in |
|---|---|---|---|
| dotTrace | dotTrace allowed privilege escalation (PROF-668) | Critical | 2017.1, 2017.2, 2017.3, 2018.1 |
| Hub | Limitation of login attempts at hub.jetbrains.com was disabled (JPS-7627) | Low | 2018.1.9041 |
| Hub | It was possible to obtain a new access token for a banned user (JPS-7553) | Low | 2017.4.8440 |
| IntelliJ IDEA | YourKit profiler port was available externally in EAP builds for Linux (IDEA-184795) | Low | 2018.1 (181.4203.550) |
| JetProfile | Privilege escalation was possible for JetBrains Account activity log (JPF-7437) | Moderate | N/A |
| JetProfile | Valid password links might remain upon password reset (JPF-7335) | Low | N/A |
| TeamCity | VCS preview allowed XSS attack (TW-54027) | Note | 2017.2.3 (51047) |
| TeamCity | Data Directory preview allowed XSS attack (TW-54021) | Low | 2017.2.3 (51047) |
| TeamCity | VMware plugin settings allowed XSS attack (TW-53984) | High | 2017.2.3 (51047) |
| TeamCity | VCS settings allowed XSS attack (TW-53943, TW-53978) | High | 2017.2.3 (51047) |
| TeamCity | Authentication bypass was possible with certain Windows server configurations (TW-53507) | Moderate | 2017.2.2 (50909) |
| TeamCity | Project administrator could run arbitrary code (TW-50054) | High | 2017.2.2 (50909) |
| TeamCity | Build fields allowed XSS attack (TW-53466) | Moderate | 2017.2.2 (50909) |
| TeamCity | Multiple XSS vulnerabilities (reported by Viktor Gazdag of NCC Group) (TW-53442) | High | 2017.2.2 (50909) |
| Upsource | Multiple XSS vulnerabilities (reported by Viktor Gazdag of NCC Group) (UP-9606) | Moderate | 2017.3.2888 |
| YouTrack | RSS feed allowed unauthorized access to comments with certain configurations (JT-46375) | Moderate | 2018.1.40341 |
| YouTrack | REST API allowed unauthorized access to attachments of hidden comments (JT-46004) | Moderate | 2018.1.40341 |
| YouTrack | RSS feed allowed unauthorized access to the issues list with certain configurations (JT-46159) | High | 2018.1.40066 |
| YouTrack | Custom fields allowed privilege escalation for the guest user account (JT-46115) | Moderate | 2018.1.40025 |
| YouTrack | Issue linking permissions could be bypassed via “Create issue linked as…” (JT-25321) | Moderate | 2017.4.39533 |
| YouTrack | Unauthorized access to issue content was possible even if guest user access was restricted in the bundle installer (JT-45284) | Low | 2017.4.39083 |
| YouTrack | Activity records for private fields were available to users with read-only permissions (JT-45282) | Moderate | 2017.4.39083 |
If you need any further assistance, please contact our Support Team.
Subscribe to receive the bulletin in your mailbox.
Your JetBrains Team
The Drive to Develop