JetBrains Security Bulletin 2018 Q2

Posted on by Robert Demmer

We have resolved a series of security issues in our products in the second quarter of 2018. Here’s a summary report with a description of each issue, its severity, and the version in which it was resolved.

| Product | Description | Severity | Resolved in |
| --- | --- | --- | --- |
| Hub | ClickJacking vulnerability (JPS-7209) | Low | 2017.4.8040 |
| Hub | ClickJacking vulnerability (JPS-8009) | Low | 2018.2.9541 |
| IntelliJ IDEA | ROBOT attack vulnerability in certain subsystems (IDEA-183912) | Low | 2018.1.3 |
| Scala | Possible unauthenticated access to local compile server (SCL-13584) | Moderate | 2018.2 |
| TeamCity | Possible privilege escalation to server administrator (TW-55209) | High | 2018.1 |
| TeamCity | CSRF attack vulnerability (TW-55210) | High | 2018.1 |
| TeamCity | Possible privilege escalation from project administrator to server administrator (TW-55211, TW-55684) | High | 2018.1 |
| TeamCity | Possible unauthorized removal of installation data by project administrator (TW-54876) | High | 2018.1 |
| TeamCity | Network access to an agent allowed potential unauthorized control over the agent (TW-49335) | Moderate | 2018.1 |
| TeamCity | In a very specific scenario, an attacker could steal web responses meant for other users (TW-54486) | Moderate | 2018.1 |
| TeamCity | Stored XSS vulnerabilities on various pages (TW-27206, TW-54129, TW-55453, TW-55215, TW-55217, TW-55353) | Moderate | 2018.1 |
| TeamCity | Project viewer could delete non-critical project settings (TW-55261) | Moderate | 2018.1 |
| TeamCity | Network access to a server allowed potential read access to project settings (TW-54870) | Moderate | 2018.1 |
| TeamCity | Project viewer could affect details of some running builds (TW-54975) | Moderate | 2018.1 |
| TeamCity | Reflected XSS vulnerabilities on various pages (TW-55212, TW-55213) | Moderate | 2018.1 |
| TeamCity | User self-registration might have been enabled by default on new server installation (TW-54741) | Moderate | 2017.2.4, 2018.1 |
| TeamCity | Possible vulnerability to ClickJacking attack from TeamCity UI (TW-33819) | Moderate | 2017.2.4, 2018.1 |
| TeamCity | Project viewer could bypass the “View build runtime parameters and data” permission (TW-55502) | Low | 2018.1 |
| TeamCity | Network access to a server exposed a vulnerability to DoS attacks (TW-11984) | Low | 2018.1 |
| TeamCity | Potential to pass authorization cookies without secure flags (TW-55141) | Low | 2018.1 |
| Upsource | Vulnerability to ClickJacking attack (UP-9673) | Moderate | 2018.1 |
| Upsource | Possible privilege escalation during the configuration process (BND-1154, BND-1579, UP-7359). Reported by Zhiyong Feng from Mobike Security Team | Low | 2018.1 |
| YouTrack | Stored XSS vulnerabilities from specific pages (JT-47824) | High | 2018.2.42881 |
| YouTrack | Potential for unauthorized users to view names of SSL keys (JT-47685) | Low | 2018.2.42881 |
| YouTrack | Swimlane functionality allowed unauthorized changes to a limited number of issue properties (JT-47125) | Note | 2018.2.42133 |

