FYI
Security
JetBrains Security Bulletin Q1 2019
This bulletin summarizes the security vulnerabilities detected in JetBrains products and remediated in the first quarter of 2019.
These include issues reported by Jonathan Leitschuh potentially exposing a product user or a project’s infrastructure to man-in-the-middle attacks, namely
- resolving Gradle, Maven, and sbt project artifacts over an unencrypted connection in various projects; and
- generating project templates in an IDE causing the above-mentioned issue in a user’s project.
We’ve also run extended verification of the secret storage mechanism in our IDEs’ settings, and identified and fixed several cases of cleartext secret storage.
Here’s a summary report that comprises the affected product, the description of each issue, its severity, and the product version containing the fix.
| Product | Description | Severity | Resolved in | CVE/CWE |
| CLion | The suggested WSL configuration exposed a local SSH server to the internal network (CPP-15063) | Moderate | No fix versions | CWE-276 |
| Documentation | JetBrains GitHub repositories had a world-editable wiki.(DOC-6532) Reported by Bogdan Gagea | Moderate | No fix versions | CWE-732 |
| Hub | A user password could appear in the audit events for certain server settings (JPS-7895) | High | 2018.4.11298 | CVE-2019-12847 |
| IntelliJ IDEA | The default configuration for Spring Boot apps was not secure (IDEA-204439) | High | 2018.3.4, 2019.1 | CVE-2019-9186 |
| IntelliJ IDEA | The application server configuration allowed cleartext storage of secrets (IDEA-201519, IDEA-202483, IDEA-203271) | High | 2018.1.8, 2018.2.8, 2018.3.5, 2019.1 | CVE-2019-9872 |
| IntelliJ IDEA | The implementation of storage in the KeePass database was not secure (IDEA-200066) | Low | 2018.3, 2019.1 | CWE-922 |
| IntelliJ IDEA | A certain application server configuration allowed cleartext storage of secrets (IDEA-199911) | Low | 2018.3 | CWE-317 |
| IntelliJ IDEA | A certain application server configuration allowed cleartext storage of secrets (IDEA-203613) | Moderate | 2018.1.8, 2018.2.8, 2018.3.5 | CVE-2019-9823 |
| IntelliJ IDEA | A certain remote server configurations allowed cleartext storage of secrets (IDEA-203272, IDEA-203260, IDEA-206556, IDEA-206557) | High | 2019.1 | CVE-2019-9873 |
| IntelliJ IDEA | The run configuration of certain application servers allowed remote code execution while running the server with the default settings (IDEA-204570) | High | 2018.3.7, 2018.1.8, 2018.2.8, 2018.3.4 | CVE-2019-10103, CVE-2019-10104 |
| JetBrains Account | An open redirect vulnerability via the backUrl parameter was detected (JPF-8899) | Moderate | No fix version | CWE-601 |
| JetBrains Account | An open redirect vulnerability via the backUrl parameter was detected (JPF-8899) | Moderate | No fix version | CWE-444 |
| Kotlin | The JetBrains Kotlin project was resolving artifacts using an http connection during the build process, potentially allowing an MITM attack. | Moderate | 1.3.30 | CVE-2019-10101 |
| Kotlin Plugin | IntelliJ IDEA projects created using the Kotlin IDE template were resolving artifacts using an http connection, potentially allowing an MITM attack. | Moderate | 1.3.30 | CVE-2019-10102 |
| Plugin Marketplace | Some HTTP Security Headers were missing (MP-2004) | Moderate | No fix version | CWE-693 |
| Plugin Marketplace | A reflected XSS was detected (MP-2001) | Moderate | No fix version | CWE-79 |
| Plugin Marketplace | A CSRF vulnerability was detected (MP-2002) | Moderate | No fix version | CWE-352 |
| PyCharm | A certain remote server configuration allowed cleartext storage of secrets (PY-32885) | Moderate | 2018.3.2 | CWE-209 |
| TeamCity | A possible stored JavaScript injection was detected (TW-59419) | Moderate | 2018.2.3 | CVE-2019-12844 |
| TeamCity | The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts (TW-59379) | Moderate | 2018.2.3 | CVE-2019-12845 |
| TeamCity | A possible stored JavaScript injection requiring a deliberate server administrator action was detected (TW-55640) | Moderate | 2018.2.3 | CVE-2019-12843 |
| TeamCity | Incorrect handling of user input in ZIP extraction (TW-57143) | Moderate | 2018.2.2 | CVE-2019-12841 |
| TeamCity | A reflected XSS on a user page was detected (TW-58661) | Moderate | 2018.2.2 | CVE-2019-12842 |
| TeamCity | A user without the required permissions could gain access to some settings (TW-58571) | Moderate | 2018.2.2 | CVE-2019-12846 |
| YouTrack | An SSRF attack was possible on a YouTrack server (JT-51121) | High | 2018.4.49168 | CVE-2019-12852 |
| YouTrack | An Insecure Direct Object Reference was possible (JT-51103) | Low | 2018.4.49168 | CVE-2019-12866 |
| YouTrack | Certain actions could cause privilege escalation for issue attachments (JT-51080) | Moderate | 2018.4.49168 | CVE-2019-12867 |
| YouTrack | A query injection was possible (JT-51105) | Low | 2018.4.49168 | CVE-2019-12850 |
| YouTrack Licensing | An unauthorized disclosure of license details to an attacker #2 was possible (JT-51117) | Low | No fix version | CWE-284 |
| YouTrack Licensing | A reflected XSS was detected (JT-51074) | Low | No fix version | CWE-79 |
| YouTrack | A CSRF vulnerability was detected in one of admin endpoints (JT-51110) | Moderate | 2018.4.49852 | CVE-2019-12851 |
| YouTrack Confluence Integration Plugin | The YouTrack Confluence plugin allowed the SSTI vulnerability (JT-51594) | Moderate | 1.8.1.3 | CVE-2019-10100 |
If you need any further assistance, please contact our Security Team.
Subscribe to receive the bulletin in your mailbox.
Your JetBrains Team
The Drive to Develop
Subscribe to JetBrains Blog updates
