This bulletin summarizes the security vulnerabilities detected in JetBrains products and remediated in the first quarter of 2019.
These include issues reported by Jonathan Leitschuh potentially exposing a product user or a project’s infrastructure to man-in-the-middle attacks, namely
- resolving Gradle, Maven, and sbt project artifacts over an unencrypted connection in various projects; and
- generating project templates in an IDE causing the above-mentioned issue in a user’s project.
We’ve also run extended verification of the secret storage mechanism in our IDEs’ settings, and identified and fixed several cases of cleartext secret storage.
Here’s a summary report that comprises the affected product, the description of each issue, its severity, and the product version containing the fix.
|CLion||The suggested WSL configuration exposed a local SSH server to the internal network (CPP-15063)||Moderate||No fix versions||CWE-276|
|Documentation||JetBrains GitHub repositories had a world-editable wiki.(DOC-6532) Reported by Bogdan Gagea||Moderate||No fix versions||CWE-732|
|Hub||A user password could appear in the audit events for certain server settings (JPS-7895)||High||2018.4.11298||CVE-2019-12847|
|IntelliJ IDEA||The default configuration for Spring Boot apps was not secure (IDEA-204439)||High||2018.3.4, 2019.1||CVE-2019-9186|
|IntelliJ IDEA||The application server configuration allowed cleartext storage of secrets (IDEA-201519, IDEA-202483, IDEA-203271)||High||2018.1.8, 2018.2.8, 2018.3.5, 2019.1||CVE-2019-9872|
|IntelliJ IDEA||The implementation of storage in the KeePass database was not secure (IDEA-200066)||Low||2018.3, 2019.1||CWE-922|
|IntelliJ IDEA||A certain application server configuration allowed cleartext storage of secrets (IDEA-199911)||Low||2018.3||CWE-317|
|IntelliJ IDEA||A certain application server configuration allowed cleartext storage of secrets (IDEA-203613)||Moderate||2018.1.8, 2018.2.8, 2018.3.5||CVE-2019-9823|
|IntelliJ IDEA||A certain remote server configurations allowed cleartext storage of secrets (IDEA-203272, IDEA-203260, IDEA-206556, IDEA-206557)||High||2019.1||CVE-2019-9873|
|IntelliJ IDEA||The run configuration of certain application servers allowed remote code execution while running the server with the default settings (IDEA-204570)||High||2018.3.7, 2018.1.8, 2018.2.8, 2018.3.4||CVE-2019-10103, CVE-2019-10104|
|JetBrains Account||An open redirect vulnerability via the backUrl parameter was detected (JPF-8899)||Moderate||No fix version||CWE-601|
|JetBrains Account||An open redirect vulnerability via the backUrl parameter was detected (JPF-8899)||Moderate||No fix version||CWE-444|
|Kotlin||The JetBrains Kotlin project was resolving artifacts using an http connection during the build process, potentially allowing an MITM attack.||Moderate||1.3.30||CVE-2019-10101|
|Kotlin Plugin||IntelliJ IDEA projects created using the Kotlin IDE template were resolving artifacts using an http connection, potentially allowing an MITM attack.||Moderate||1.3.30||CVE-2019-10102|
|Plugin Marketplace||Some HTTP Security Headers were missing (MP-2004)||Moderate||No fix version||CWE-693|
|Plugin Marketplace||A reflected XSS was detected (MP-2001)||Moderate||No fix version||CWE-79|
|Plugin Marketplace||A CSRF vulnerability was detected (MP-2002)||Moderate||No fix version||CWE-352|
|PyCharm||A certain remote server configuration allowed cleartext storage of secrets (PY-32885)||Moderate||2018.3.2||CWE-209|
|TeamCity||The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts (TW-59379)||Moderate||2018.2.3||CVE-2019-12845|
|TeamCity||Incorrect handling of user input in ZIP extraction (TW-57143)||Moderate||2018.2.2||CVE-2019-12841|
|TeamCity||A reflected XSS on a user page was detected (TW-58661)||Moderate||2018.2.2||CVE-2019-12842|
|TeamCity||A user without the required permissions could gain access to some settings (TW-58571)||Moderate||2018.2.2||CVE-2019-12846|
|YouTrack||An SSRF attack was possible on a YouTrack server (JT-51121)||High||2018.4.49168||CVE-2019-12852|
|YouTrack||An Insecure Direct Object Reference was possible (JT-51103)||Low||2018.4.49168||CVE-2019-12866|
|YouTrack||Certain actions could cause privilege escalation for issue attachments (JT-51080)||Moderate||2018.4.49168||CVE-2019-12867|
|YouTrack||A query injection was possible (JT-51105)||Low||2018.4.49168||CVE-2019-12850|
|YouTrack Licensing||An unauthorized disclosure of license details to an attacker #2 was possible (JT-51117)||Low||No fix version||CWE-284|
|YouTrack Licensing||A reflected XSS was detected (JT-51074)||Low||No fix version||CWE-79|
|YouTrack||A CSRF vulnerability was detected in one of admin endpoints (JT-51110)||Moderate||2018.4.49852||CVE-2019-12851|
|YouTrack Confluence Integration Plugin||The YouTrack Confluence plugin allowed the SSTI vulnerability (JT-51594)||Moderate||220.127.116.11||CVE-2019-10100|
If you need any further assistance, please contact our Security Team.
Subscribe to receive the bulletin in your mailbox.
Your JetBrains Team
The Drive to Develop