JetBrains Security Bulletin Q3 2018

Posted on by Robert Demmer

We have resolved a series of security issues in our products in the third quarter of 2018. Here is a summary report with a description of each issue and the version in which it was resolved.

| Product | Description | Severity | Resolved in |
|---|---|---|---|
| dotPeek, ReSharper | Remote Code Execution was possible while operating specific files (DOTP-7635) | High | 2018.1.4 |
| Hub | Hub stored license information in log files (JPS-9187) | Low | 2018.2.10527 |
| IntelliJ IDEA | Insecure connection used to access JetBrains resources (IDEA-187601, IDEA-192440) | Moderate | 2018.1.5 |
| IntelliJ IDEA, Rider | Incorrect handling of user input in ZIP extraction (IDEA-191679, IDEA-191680, IDEA-193358) | High | 2018.2 |
| JetBrains Account | A few customer profiles were made available without authorization (JPF-8211) | Moderate | N/A |
| JetBrains Account | It was possible to obtain customer business email from order reference (JPF-7903) | Moderate | N/A |
| Plugin Marketplace | XXE vulnerability (MP-1708) | Low | N/A |
| Plugin Marketplace | Incorrect handling of user input in ZIP extraction (MP-1678) | Moderate | N/A |
| ReSharper | Incorrect handling of user input in ZIP extraction (RSRP-470115) | High | 2018.1.3 |
| TeamCity | CSRF vulnerability (RSRP-470115) | Moderate | 2018.1.1 |
| TeamCity | Change of project settings can corrupt settings of other projects (TW-55704) | Low | 2018.1.1 |
| TeamCity | Possible privilege escalation while viewing agent details (TW-56025) | Moderate | 2018.1.1 |
| TeamCity | Possible unvalidated redirect (TW-56085) | Moderate | 2018.1.2 |
| TeamCity | Reflected XSS vulnerabilities (TW-56490, TW-56375, TW-56374) | Moderate | 2018.1.2 |
| TeamCity | Stored XSS vulnerabilities (TW-56830, TW-56719) | Moderate | 2018.1.3 |
| TeamCity | Stored XSS vulnerabilities (TW-55214, TW-56126, TW-56127, TW-56452, TW-56571) | Moderate | 2018.1.2 |
| YouTrack | Reflected XSS vulnerability (JT-48606) | Moderate | 2018.2.45073 |
| YouTrack | Possible privilege escalation via deprecated REST API (JT-48605) | Low | 2018.2.45073 |
| YouTrack | Possible tabnabbing via issue content (JT-47993) | Low | 2018.2.44329 |

If you need any further assistance, please contact our Support Engineers.

Your JetBrains Team
The Drive to Develop