JetBrains Security Bulletin Q2 2019
This bulletin summarizes the security vulnerabilities detected in JetBrains products and remediated in the second quarter of 2019.
Here’s a summary report that comprises the affected product, the description of each issue, its severity, and the product version containing the fix.
| Product | Description | Severity | Resolved in | CVE/CWE |
|---|---|---|---|---|
| Exception Analyzer | Insecure transfer of JetBrains Account credentials. (EXA-652) | Critical | Not applicable | CWE-598 |
| Hub | No way to set a password to expire automatically. (JPS-8816) | Low | 2018.4.11436 | CVE-2019-14955 |
| IntelliJ IDEA | Resolving artifacts over an http connection, potentially allowing an MITM attack. (IDEA-211231) | High | 2019.2 | CVE-2019-14954 |
| JetBrains Account | Authorized account enumeration. (JPF-9370) | Low | 2019.5 | CWE-204 |
| JetBrains Account | Cross-origin resource sharing misconfiguration (reported by Vishnu Vardhan). (JPF-9095) | Low | 2019.5 | CWE-942 |
| JetBrains Account | No rate limiting on the account details page. (JPF-9704) | Moderate | 2019.8 | CWE-770 |
| JetBrains Account | No rate limiting on the licenses page. (JPF-9713) | High | 2019.9 | CWE-770 |
| JetBrains Account | Unauthorized disclosure of license email on the licenses page. (JPF-9692) | Critical | 2019.8 | CWE-284 |
| JetBrains Website | Reflected XSS. (JS-9853) | Moderate | Not applicable | CWE-79 |
| Kotlin Ktor | Command injection through LDAP username. | Moderate | 1.2.0-rc, 1.2.0 | CVE-2019-12736 |
| Kotlin Ktor | Predictable salt for user credentials. | Moderate | 1.2.0-rc2, 1.2.0 | CVE-2019-12737 |
| PyCharm | A remote call could cause an “out of memory” error. (PY-35251) | Low | 2019.2 | CVE-2019-14958 |
| Rider | An unsigned DLL was shipped in a distribution. (RIDER-27708) | Moderate | 2019.1.2 | CVE-2019-14960 |
| ReSharper | DLL hijacking vulnerability. (RSRP-473674) | High | 2019.2 | CVE-2019-16407 |
| TeamCity | Previously used unencrypted passwords were suggested by a web browser’s auto-completion. (TW-59759) | Low | 2019.1 | CWE-200 |
| TeamCity | VMware plugin did not check the SSL certificate. (TW-59562) | Moderate | 2019.1 | CVE-2019-15042 |
| TeamCity | Remote code execution on the server with certain network configurations. (TW-60430) | Moderate | 2019.1 | CVE-2019-15039 |
| TeamCity | A project administrator could get unauthorized access to server-level data. (TW-60220) | High | 2019.1 | CVE-2019-15035 |
| TeamCity | A project administrator could execute any command on the server machine. (TW-60219) | High | 2019.1 | CVE-2019-15036 |
| TeamCity | Security hardened by adding additional HTTP headers. (TW-59034) | High | 2019.1 | CVE-2019-15038 |
| TeamCity | Possible XSS vulnerabilities on the settings pages. (TW-59870, TW-59852, TW-59817, TW-59838, TW-59816) | High | 2019.1 | CVE-2019-15037 |
| TeamCity | XSS vulnerability. (TW-61242, TW-61315) | High | 2019.1.2 | CVE-2019-15848 |
| Toolbox App | Unencrypted connection to external resources, potentially allowing an MITM attack. (TBX-3327, ADM-30275) | Low | 1.15.5605 | CVE-2019-14959, CWE-311 |
| Upsource | Insufficient escaping of code blocks. (UP-10387) | Moderate | 2019.1.1412 | CVE-2019-14961 |
| Upsource | Credentials exposure via RPC command. (UP-10344) | Critical | 2018.2.1290 | CVE-2019-12156 |
| Upsource | Credentials exposure via RPC command. (UP-10343) | Critical | 2018.2.1293 | CVE-2019-12157 |
| Vim Plugin | Project data appeared in user-level settings. (VIM-1184) | Moderate | 0.52 | CVE-2019-14957 |
| YouTrack | A user could get a list of project names under certain conditions. (JT-53162) | Low | 2019.2.53938 | CVE-2019-14956 |
| YouTrack | Stored XSS on the issue page. (JT-51077, JT-54121) | High | 2019.2.53938, 2019.2.57829 | CVE-2019-14953, CVE-2019-16171 |
| YouTrack | Stored XSS in the issues list. (JT-52894) | High | 2019.1.52584 | CVE-2019-14952 |
| YouTrack | A compromised URL was automatically whitelisted by YouTrack. (JT-47653) | Low | 2019.1.52545 | CVE-2019-15041 |
| YouTrack | Cross-Site Request Forgery. (JT-30098) | Low | 2019.1 | CVE-2019-15040 |
If you need any further assistance, please contact our Security Team.
Your JetBrains Team