JetBrains Security Bulletin 2018 Q2

We have resolved a series of security issues in our products in the second quarter of 2018. Here’s a summary report that contains a description of each issue and the version in which it was resolved.

| Product | Description | Severity | Resolved in |
|---|---|---|---|
| Hub | ClickJacking vulnerability (JPS-7209) | Low | 2017.4.8040 |
| Hub | ClickJacking vulnerability (JPS-8009) | Low | 2018.2.9541 |
| IntelliJ IDEA | ROBOT attack vulnerability in certain subsystems (IDEA-183912) | Low | 2018.1.3 |
| Scala | Possible unauthenticated access to local compile server (SCL-13584) | Moderate | 2018.2 |
| TeamCity | Possible privilege escalation to server administrator (TW-55209) | High | 2018.1 |
| TeamCity | CSRF attack vulnerability (TW-55210) | High | 2018.1 |
| TeamCity | Possible privilege escalation from project administrator to server administrator (TW-55211, TW-55684) | High | 2018.1 |
| TeamCity | Possible unauthorized removal of installation data by project administrator (TW-54876) | High | 2018.1 |
| TeamCity | Network access to an agent allowed potential unauthorized control over the agent (TW-49335) | Moderate | 2018.1 |
| TeamCity | In a very specific scenario, an attacker could steal web responses meant for other users (TW-54486) | Moderate | 2018.1 |
| TeamCity | Stored XSS vulnerabilities on various pages (TW-27206, TW-54129, TW-55453, TW-55215, TW-55217, TW-55353) | Moderate | 2018.1 |
| TeamCity | Project viewer could delete non-critical project settings (TW-55261) | Moderate | 2018.1 |
| TeamCity | Network access to a server allowed potential read access to project settings (TW-54870) | Moderate | 2018.1 |
| TeamCity | Project viewer could affect details of some running builds (TW-54975) | Moderate | 2018.1 |
| TeamCity | Reflected XSS vulnerabilities on various pages (TW-55212, TW-55213) | Moderate | 2018.1 |
| TeamCity | User self-registration might have been enabled by default on new server installation (TW-54741) | Moderate | 2017.2.4, 2018.1 |
| TeamCity | Possible vulnerability to ClickJacking attack from TeamCity UI (TW-33819) | Moderate | 2017.2.4, 2018.1 |
| TeamCity | Project viewer could bypass the “View build runtime parameters and data” permission (TW-55502) | Low | 2018.1 |
| TeamCity | Network access to a server exposed a vulnerability to DoS attacks (TW-11984) | Low | 2018.1 |
| TeamCity | Potential to pass authorization cookies without secure flags (TW-55141) | Low | 2018.1 |
| Upsource | Vulnerability to ClickJacking attack (UP-9673) | Moderate | 2018.1 |
| Upsource | Possible privilege escalation during the configuration process (BND-1154, BND-1579, UP-7359). Reported by Zhiyong Feng from Mobike Security Team | Low | 2018.1 |
| YouTrack | Stored XSS vulnerabilities from specific pages (JT-47824) | High | 2018.2.42881 |
| YouTrack | Potential for unauthorized users to view names of SSL keys (JT-47685) | Low | 2018.2.42881 |
| YouTrack | Swimlane functionality allowed unauthorized changes to a limited number of issue properties (JT-47125) | Note | 2018.2.42133 |

If you need any further assistance, please contact our Support Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop
