JetBrains Security Bulletin Q2 2019

Posted on by Robert Demmer

This bulletin summarizes the security vulnerabilities detected in JetBrains products and remediated in the second quarter of 2019.

The summary report below lists, for each issue, the affected product, a description, its severity, the product version containing the fix, and the assigned CVE or CWE identifier.

| Product | Description | Severity | Resolved in | CVE/CWE |
|---|---|---|---|---|
| Exception Analyzer | Insecure transfer of JetBrains Account credentials. (EXA-652) | Critical | Not applicable | CWE-598 |
| Hub | No way to set a password to expire automatically. (JPS-8816) | Low | 2018.4.11436 | CVE-2019-14955 |
| IntelliJ IDEA | Artifacts were resolved over a plain HTTP connection, potentially allowing a MITM attack. (IDEA-211231) | High | 2019.2 | CVE-2019-14954 |
| JetBrains Account | Authorized account enumeration. (JPF-9370) | Low | 2019.5 | CWE-204 |
| JetBrains Account | Cross-origin resource sharing (CORS) misconfiguration. Reported by Vishnu Vardhan. (JPF-9095) | Low | 2019.5 | CWE-942 |
| JetBrains Account | No rate limiting on the account details page. (JPF-9704) | Moderate | 2019.8 | CWE-770 |
| JetBrains Account | No rate limiting on the licenses page. (JPF-9713) | High | 2019.9 | CWE-770 |
| JetBrains Account | Unauthorized disclosure of the license email on the licenses page. (JPF-9692) | Critical | 2019.8 | CWE-284 |
| JetBrains Website | Reflected XSS. (JS-9853) | Moderate | Not applicable | CWE-79 |
| Kotlin Ktor | Command injection through the LDAP username. | Moderate | 1.2.0-rc, 1.2.0 | CVE-2019-12736 |
| Kotlin Ktor | Predictable salt for user credentials. | Moderate | 1.2.0-rc2, 1.2.0 | CVE-2019-12737 |
| PyCharm | A remote call could cause an "out of memory" error. (PY-35251) | Low | 2019.2 | CVE-2019-14958 |
| Rider | An unsigned DLL was shipped in a distribution. (RIDER-27708) | Moderate | 2019.1.2 | CVE-2019-14960 |
| ReSharper | DLL hijacking vulnerability. (RSRP-473674) | High | 2019.2 | CVE-2019-16407 |
| TeamCity | Previously used unencrypted passwords were suggested by the web browser's auto-completion. (TW-59759) | Low | 2019.1 | CWE-200 |
| TeamCity | The VMware plugin did not validate the SSL certificate. (TW-59562) | Moderate | 2019.1 | CVE-2019-15042 |
| TeamCity | Remote code execution on the server with certain network configurations. (TW-60430) | Moderate | 2019.1 | CVE-2019-15039 |
| TeamCity | A project administrator could get unauthorized access to server-level data. (TW-60220) | High | 2019.1 | CVE-2019-15035 |
| TeamCity | A project administrator could execute arbitrary commands on the server machine. (TW-60219) | High | 2019.1 | CVE-2019-15036 |
| TeamCity | Security was tightened by adding HTTP security headers. (TW-59034) | High | 2019.1 | CVE-2019-15038 |
| TeamCity | Possible XSS vulnerabilities on the settings pages. (TW-59870, TW-59852, TW-59817, TW-59838, TW-59816) | High | 2019.1 | CVE-2019-15037 |
| TeamCity | XSS vulnerability. (TW-61242, TW-61315) | High | 2019.1.2 | CVE-2019-15848 |
| Toolbox App | Unencrypted connection to external resources, potentially allowing a MITM attack. (TBX-3327, ADM-30275) | Low | 1.15.5605 | CVE-2019-14959, CWE-311 |
| Upsource | Insufficient escaping of code blocks. (UP-10387) | Moderate | 2019.1.1412 | CVE-2019-14961 |
| Upsource | Credentials exposure via an RPC command. (UP-10344) | Critical | 2018.2.1290 | CVE-2019-12156 |
| Upsource | Credentials exposure via an RPC command. (UP-10343) | Critical | 2018.2.1293 | CVE-2019-12157 |
| Vim Plugin | Project data appeared in user-level settings. (VIM-1184) | Moderate | 0.52 | CVE-2019-14957 |
| YouTrack | A user could obtain a list of project names under certain conditions. (JT-53162) | Low | 2019.2.53938 | CVE-2019-14956 |
| YouTrack | Stored XSS on the issue page. (JT-51077, JT-54121) | High | 2019.2.53938, 2019.2.57829 | CVE-2019-14953, CVE-2019-16171 |
| YouTrack | Stored XSS in the issues list. (JT-52894) | High | 2019.1.52584 | CVE-2019-14952 |
| YouTrack | A compromised URL was automatically whitelisted by YouTrack. (JT-47653) | Low | 2019.1.52545 | CVE-2019-15041 |
| YouTrack | Cross-site request forgery (CSRF). (JT-30098) | Low | 2019.1 | CVE-2019-15040 |

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop