JetBrains Security Bulletin Q4 2018

Posted on by Robert Demmer

We have resolved a series of security issues in our products in the fourth quarter of 2018. Here’s a report summary with descriptions of each issue and the version in which they were resolved.

| Product | Description | Severity | Resolved in |
|---|---|---|---|
| Hub, Upsource | Admin account takeover of a system authorized with Hub was possible (JPS-9594) | Critical | 2018.3.11035 |
| Hub, Upsource | XXE was possible (JPS-9616, UP-10218) | High | 2018.4.11067 |
| JetBrains Account | Disclosure of email address within unsuccessful login attempt (JPF-8663) | High | 4.11 |
| TeamCity | Reflected XSS on user-level pages (TW-58065, TW-58234) | High | 2018.2 |
| TeamCity | Stored XSS on the build details page (TW-58129, TW-58138) | High | 2018.2 |
| TeamCity | Exposure of sensitive parameter value to a privileged user was possible (TW-56946) | Moderate | 2018.1.3 |
| Upsource | A privileged user had access to user credentials in rare cases (UP-10092) | Moderate | 2018.2.1141 |
| YouTrack, JetBrains Account | Unauthorized disclosure of YouTrack InCloud subscription information was possible (JPF-8714, JT-51001) | High | 2018.4.48293 |
| YouTrack | Unauthorized access to project and user details with guest user banned was possible (JT-50970, JT-49827, JT-50611, JT-50203) | High | 2018.3.47010 |
| YouTrack | Unauthorized access to the email address of YouTrack InCloud was possible (JT-50946) | High | 2018.4.48293 |
| YouTrack | Stored XSS on YouTrack issue page (JT-50201) | Low | 2018.3.47965 |

If you need any further assistance, please contact our Support Engineers.

Your JetBrains Team
The Drive to Develop