JetBrains Security Bulletin Q4 2018

We resolved a series of security issues in our products in the fourth quarter of 2018. Here is a summary report with a description of each issue and the version in which it was resolved.

| Product | Description | Severity | Resolved in |
|---|---|---|---|
| Hub, Upsource | Admin account takeover of a system authorized with Hub was possible (JPS-9594) | Critical | 2018.3.11035 |
| Hub, Upsource | XXE was possible (JPS-9616, UP-10218) | High | 2018.4.11067 |
| JetBrains Account | Disclosure of email address within unsuccessful login attempt (JPF-8663) | High | 4.11 |
| TeamCity | Reflected XSS on user-level pages (TW-58065, TW-58234) | High | 2018.2 |
| TeamCity | Stored XSS on the build details page (TW-58129, TW-58138) | High | 2018.2 |
| TeamCity | Exposure of sensitive parameter value to a privileged user was possible (TW-56946) | Moderate | 2018.1.3 |
| Upsource | A privileged user had access to user credentials in rare cases (UP-10092) | Moderate | 2018.2.1141 |
| JetBrains Account | Unauthorized disclosure of YouTrack InCloud subscription information was possible (JPF-8714, JT-51001) | High | 2018.4.48293 |
| YouTrack | Unauthorized access to project and user details with guest user banned was possible (JT-50970, JT-49827, JT-50611, JT-50203) | High | 2018.3.47010 |
| YouTrack | Unauthorized access to the email address of YouTrack InCloud was possible (JT-50946) | High | 2018.4.48293 |
| YouTrack | Stored XSS on YouTrack issue page (JT-50201) | Low | 2018.3.47965 |

If you need any further assistance, please contact our Support Engineers.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop
