Skip to content Burger menu icon
Blog logo

Company Blog
Visit jetbrains.com
Visit jetbrains.com
News Security

JetBrains Security Bulletin 2018 Q1

Eugene Toporov
Eugene Toporov

We have resolved a series of security issues in our products within the first quarter of 2018. Below is a summary of the more important ones, including the description and the version in which they were resolved.

Product Description Severity Resolved in
dotTrace dotTrace allowed privilege escalation (PROF-668) Critical 2017.1, 2017.2, 2017.3, 2018.1

For 2017.1 and 2017.2, please apply the appropriate EtwService.msi:
dotTrace 2017.1: OS Windows x86, OS Windows x64
dotTrace 2017.2: OS Windows x86, OS Windows x64
Hub Limitation of login attempts at hub.jetbrains.com was disabled (JPS-7627) Low 2018.1.9041
Hub It was possible to obtain a new access token for a banned user (JPS-7553) Low 2017.4.8440
IntelliJ IDEA YourKit profiler port was available externally in EAP builds for Linux (IDEA-184795) Low 2018.1 (181.4203.550)
JetProfile Privilege escalation was possible for JetBrains Account activity log (JPF-7437) Moderate N/A
JetProfile Valid password links might remain upon password reset (JPF-7335) Low N/A
TeamCity VCS preview allowed XSS attack (TW-54027) Note 2017.2.3 (51047)
TeamCity Data Directory preview allowed XSS attack (TW-54021) Low 2017.2.3 (51047)
TeamCity vmWare plugin settings allowed XSS attack (TW-53984) High 2017.2.3 (51047)
TeamCity VCS settings allowed XSS attack (TW-53943, TW-53978) High 2017.2.3 (51047)
TeamCity Authentication bypass was possible with certain Windows server configuration (TW-53507) Moderate 2017.2.2 (50909)
TeamCity Project administrator could run arbitrary code (TW-50054) High 2017.2.2 (50909)
TeamCity Build fields allowed XSS attack (TW-53466) Moderate 2017.2.2 (50909)
TeamCity Multiple XSS vulnerabilities (reported by Viktor Gazdag of NCC Group) (TW-53442) High 2017.2.2 (50909)
TeamCity JavaScript injection to Azure ARM plugin settings was possible (TW-53986) Moderate N/A
Upsource Multiple XSS vulnerabilities (Reported by Viktor Gazdag of NCC Group) (UP-9606) Moderate 2017.3.2888
YouTrack RSS feed allowed unauthorized access to comments with certain configuration (JT-46375) Moderate 2018.1.40341
YouTrack REST API allowed unauthorized access to attachments of hidden comments (JT-46004) Moderate 2018.1.40341
YouTrack RSS feed allowed unauthorized access to issues list with certain configuration (JT-46159) High 2018.1.40066
YouTrack Custom fields allowed privilege escalation for guest user account (JT-46115) Moderate 2018.1.40025
YouTrack Issue linking permission bypassing was available via “Create issue linked as…” (JT-25321) Moderate 2017.4.39533
YouTrack Unauthorized access to issue content was possible even if guest user access was restricted in the bundle installer (JT-45284) Low 2017.4.39083
YouTrack Activity records for private fields were available to users with read-only permissions (JT-45282) Moderate 2017.4.39083

If you need any further assistance, please contact our Support Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop

security bulletin
SpringShell Vulnerability in JetBrains Products and Services Next post

Discover more

The State of Developer Ecosystem 2022

The State of Developer Ecosystrem 2022, the sixth annual report about the software industry that we base on the responses of almost 30,000 people.

Anastassiya Sichkarenko Anastassiya Sichkarenko

Overview of the 2022.3 Versions of All JetBrains IDEs and .NET Tools

All of our IDEs and .NET tools have rolled out their last updates for this year, and we hope the latest features and improvements will not only help you take your productivity a step higher but will also make your coding more fun! Here’s an overview of the highlights of each update. IntelliJ-based IDEs First, let’s talk about a few big new features that are common to the 2022.3 versions of all our IDEs. New UI The completely reworked UI, which was announced earlier this year, is now available to all. After thorough testing, it has proved that it’s both functional and easier to w

Marina Kovaleva Marina Kovaleva

Update on JetBrains’ Statement on Ukraine

As a response to the Russian Federation's invasion of Ukraine, we announced that we would be suspending all R&D activities in Russia, as well as our sales in Russia and Belarus. It has now been approximately nine months since that announcement and we would like to provide an update.  In addition to terminating all sales, all of our offices in Russia, including Moscow, Novosibirsk, and St. Petersburg were shut down. Work on the new campus in St. Petersburg was also terminated. All R&D activities were gradually stopped and liquidation papers for our Russian legal entity were filed in

Maxim Shafirov Maxim Shafirov

Remote Development in JetBrains IDEs Now Available to Amazon CodeCatalyst Customers

We’ve partnered with Amazon to deliver an integration between Amazon CodeCatalyst and JetBrains Gateway! Amazon CodeCatalyst, which has just been announced at AWS re:Invent, is a unified software development and delivery service that includes on-demand development environments. This integration means that you can now use JetBrains Gateway to develop remotely with your favorite JetBrains IDEs running in Amazon CodeCatalyst Dev Environments. All language processing happens in the AWS Cloud, while you work locally with a feature-rich thin client. This creates a perfect blend of powerful cloud

Max Golov Max Golov