JetBrains Security Bulletin Q1 2019

This bulletin summarizes the security vulnerabilities detected in JetBrains products and remediated in the first quarter of 2019.

These include issues reported by Jonathan Leitschuh potentially exposing a product user or a project’s infrastructure to man-in-the-middle attacks, namely

  • resolving Gradle, Maven, and sbt project artifacts over an unencrypted connection in various projects; and
  • generating project templates in an IDE causing the above-mentioned issue in a user’s project.

We’ve also run extended verification of the secret storage mechanism in our IDEs’ settings, and identified and fixed several cases of cleartext secret storage.

Here’s a summary report that comprises the affected product, the description of each issue, its severity, and the product version containing the fix.

Product Description Severity Resolved in CVE/CWE
CLion The suggested WSL configuration exposed a local SSH server to the internal network (CPP-15063) Moderate No fix versions CWE-276
Documentation JetBrains GitHub repositories had a world-editable wiki.(DOC-6532) Reported by Bogdan Gagea Moderate No fix versions CWE-732
Hub A user password could appear in the audit events for certain server settings (JPS-7895) High 2018.4.11298 CVE-2019-12847
IntelliJ IDEA The default configuration for Spring Boot apps was not secure (IDEA-204439) High 2018.3.4, 2019.1 CVE-2019-9186
IntelliJ IDEA The application server configuration allowed cleartext storage of secrets (IDEA-201519, IDEA-202483, IDEA-203271) High 2018.1.8, 2018.2.8, 2018.3.5, 2019.1 CVE-2019-9872
IntelliJ IDEA The implementation of storage in the KeePass database was not secure (IDEA-200066) Low 2018.3, 2019.1 CWE-922
IntelliJ IDEA A certain application server configuration allowed cleartext storage of secrets (IDEA-199911) Low 2018.3 CWE-317
IntelliJ IDEA A certain application server configuration allowed cleartext storage of secrets (IDEA-203613) Moderate 2018.1.8, 2018.2.8, 2018.3.5 CVE-2019-9823
IntelliJ IDEA A certain remote server configurations allowed cleartext storage of secrets (IDEA-203272, IDEA-203260, IDEA-206556, IDEA-206557) High 2019.1 CVE-2019-9873
IntelliJ IDEA The run configuration of certain application servers allowed remote code execution while running the server with the default settings (IDEA-204570) High 2018.3.7, 2018.1.8, 2018.2.8, 2018.3.4 CVE-2019-10103, CVE-2019-10104
JetBrains Account An open redirect vulnerability via the backUrl parameter was detected (JPF-8899) Moderate No fix version CWE-601
JetBrains Account An open redirect vulnerability via the backUrl parameter was detected (JPF-8899) Moderate No fix version CWE-444
Kotlin The JetBrains Kotlin project was resolving artifacts using an http connection during the build process, potentially allowing an MITM attack. Moderate 1.3.30 CVE-2019-10101
Kotlin Plugin IntelliJ IDEA projects created using the Kotlin IDE template were resolving artifacts using an http connection, potentially allowing an MITM attack. Moderate 1.3.30 CVE-2019-10102
Plugin Marketplace Some HTTP Security Headers were missing (MP-2004) Moderate No fix version CWE-693
Plugin Marketplace A reflected XSS was detected (MP-2001) Moderate No fix version CWE-79
Plugin Marketplace A CSRF vulnerability was detected (MP-2002) Moderate No fix version CWE-352
PyCharm A certain remote server configuration allowed cleartext storage of secrets (PY-32885) Moderate 2018.3.2 CWE-209
TeamCity A possible stored JavaScript injection was detected (TW-59419) Moderate 2018.2.3 CVE-2019-12844
TeamCity The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts (TW-59379) Moderate 2018.2.3 CVE-2019-12845
TeamCity A possible stored JavaScript injection requiring a deliberate server administrator action was detected (TW-55640) Moderate 2018.2.3 CVE-2019-12843
TeamCity Incorrect handling of user input in ZIP extraction (TW-57143) Moderate 2018.2.2 CVE-2019-12841
TeamCity A reflected XSS on a user page was detected (TW-58661) Moderate 2018.2.2 CVE-2019-12842
TeamCity A user without the required permissions could gain access to some settings (TW-58571) Moderate 2018.2.2 CVE-2019-12846
YouTrack An SSRF attack was possible on a YouTrack server (JT-51121) High 2018.4.49168 CVE-2019-12852
YouTrack An Insecure Direct Object Reference was possible (JT-51103) Low 2018.4.49168 CVE-2019-12866
YouTrack Certain actions could cause privilege escalation for issue attachments (JT-51080) Moderate 2018.4.49168 CVE-2019-12867
YouTrack A query injection was possible (JT-51105) Low 2018.4.49168 CVE-2019-12850
YouTrack Licensing An unauthorized disclosure of license details to an attacker #2 was possible (JT-51117) Low No fix version CWE-284
YouTrack Licensing A reflected XSS was detected (JT-51074) Low No fix version CWE-79
YouTrack A CSRF vulnerability was detected in one of admin endpoints (JT-51110) Moderate 2018.4.49852 CVE-2019-12851
YouTrack Confluence Integration Plugin The YouTrack Confluence plugin allowed the SSTI vulnerability (JT-51594) Moderate 1.8.1.3 CVE-2019-10100

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop

This entry was posted in Uncategorized and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *