JetBrains Security Bulletin Q2 2019

This bulletin summarizes the security vulnerabilities detected in JetBrains products and remediated in the second quarter of 2019.

The table below lists, for each issue, the affected product, a description, its severity, the product version containing the fix, and the CVE or CWE identifier assigned to it.

| Product | Description | Severity | Resolved in | CVE/CWE |
|---|---|---|---|---|
| Exception Analyzer | Insecure transfer of JetBrains Account credentials. (EXA-652) | Critical | Not applicable | CWE-598 |
| Hub | No way to set a password to expire automatically. (JPS-8816) | Low | 2018.4.11436 | CVE-2019-14955 |
| IntelliJ IDEA | Artifacts were resolved over a plain http connection, potentially allowing an MITM attack. (IDEA-211231) | High | 2019.2 | CVE-2019-14954 |
| JetBrains Account | Authorized account enumeration. (JPF-9370) | Low | 2019.5 | CWE-204 |
| JetBrains Account | Cross-origin resource sharing misconfiguration (reported by Vishnu Vardhan). (JPF-9095) | Low | 2019.5 | CWE-942 |
| JetBrains Account | No rate limiting on the account details page. (JPF-9704) | Moderate | 2019.8 | CWE-770 |
| JetBrains Account | No rate limiting on the licenses page. (JPF-9713) | High | 2019.9 | CWE-770 |
| JetBrains Account | Unauthorized disclosure of the license email on the licenses page. (JPF-9692) | Critical | 2019.8 | CWE-284 |
| JetBrains Website | Reflected XSS. (JS-9853) | Moderate | Not applicable | CWE-79 |
| Kotlin Ktor | Command injection through the LDAP username. | Moderate | 1.2.0-rc, 1.2.0 | CVE-2019-12736 |
| Kotlin Ktor | Predictable salt for user credentials. | Moderate | 1.2.0-rc2, 1.2.0 | CVE-2019-12737 |
| PyCharm | A remote call could cause an “out of memory” error. (PY-35251) | Low | 2019.2 | CVE-2019-14958 |
| Rider | An unsigned DLL was shipped in the distribution package. (RIDER-27708) | Moderate | 2019.1.2 | CVE-2019-14960 |
| ReSharper | DLL hijacking vulnerability. (RSRP-473674) | High | 2019.2 | CVE-2019-16407 |
| TeamCity | Previously used unencrypted passwords were suggested by the web browser’s form auto-completion. (TW-59759) | Low | 2019.1 | CWE-200 |
| TeamCity | The VMware plugin did not check the SSL certificate. (TW-59562) | Moderate | 2019.1 | CVE-2019-15042 |
| TeamCity | Remote code execution on the server with certain network configurations. (TW-60430) | Moderate | 2019.1 | CVE-2019-15039 |
| TeamCity | A project administrator could get unauthorized access to server-level data. (TW-60220) | High | 2019.1 | CVE-2019-15035 |
| TeamCity | A project administrator could execute any command on the server machine. (TW-60219) | High | 2019.1 | CVE-2019-15036 |
| TeamCity | Some security-related HTTP headers were missing; additional headers are now sent. (TW-59034) | High | 2019.1 | CVE-2019-15038 |
| TeamCity | Possible XSS vulnerabilities on the settings pages. (TW-59870, TW-59852, TW-59817, TW-59838, TW-59816) | High | 2019.1 | CVE-2019-15037 |
| TeamCity | XSS vulnerability. (TW-61242, TW-61315) | High | 2019.1.2 | CVE-2019-15848 |
| Toolbox App | Unencrypted connection to external resources, potentially allowing an MITM attack. (TBX-3327, ADM-30275) | Low | 1.15.5605 | CVE-2019-14959, CWE-311 |
| Upsource | Insufficient escaping of code blocks. (UP-10387) | Moderate | 2019.1.1412 | CVE-2019-14961 |
| Upsource | Credentials exposure via an RPC command. (UP-10344) | Critical | 2018.2.1290 | CVE-2019-12156 |
| Upsource | Credentials exposure via an RPC command. (UP-10343) | Critical | 2018.2.1293 | CVE-2019-12157 |
| Vim Plugin | Project data appeared in user-level settings. (VIM-1184) | Moderate | 0.52 | CVE-2019-14957 |
| YouTrack | A user could get a list of project names under certain conditions. (JT-53162) | Low | 2019.2.53938 | CVE-2019-14956 |
| YouTrack | Stored XSS on the issue page. (JT-51077, JT-54121) | High | 2019.2.53938, 2019.2.57829 | CVE-2019-14953, CVE-2019-16171 |
| YouTrack | Stored XSS in the issues list. (JT-52894) | High | 2019.1.52584 | CVE-2019-14952 |
| YouTrack | A compromised URL was automatically whitelisted by YouTrack. (JT-47653) | Low | 2019.1.52545 | CVE-2019-15041 |
| YouTrack | Cross-site request forgery. (JT-30098) | Low | 2019.1 | CVE-2019-15040 |
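The practical question this table raises for an administrator is whether a given installed build is at or above the "Resolved in" version for each row. The script below is an added illustration of that check, written for this page and not a JetBrains tool. It embeds a handful of rows copied from the table above, parses the version strings the table actually uses (date-style builds such as 2019.2.53938, short releases such as 2019.1, and Ktor pre-releases such as 1.2.0-rc2), and reports which rows still apply. Two conventions are assumptions of this example, not statements from the bulletin: where a cell lists several versions, the installed build is treated as fully fixed only at the highest one; and "Not applicable" is taken to mean there is no product version to upgrade to, so the row is returned as needing manual follow-up rather than as fixed or unfixed.

```python
"""Compare installed JetBrains product versions against a bulletin's
'Resolved in' column. Added example for this page; not JetBrains code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    product: str
    issue: str
    severity: str
    resolved_in: str  # the 'Resolved in' cell, verbatim
    ids: str


# Constructed subset of rows copied from the bulletin table above.
BULLETIN = [
    Advisory("IntelliJ IDEA", "Artifacts resolved over http (IDEA-211231)", "High",
             "2019.2", "CVE-2019-14954"),
    Advisory("Kotlin Ktor", "Command injection through LDAP username", "Moderate",
             "1.2.0-rc, 1.2.0", "CVE-2019-12736"),
    Advisory("TeamCity", "XSS vulnerability (TW-61242, TW-61315)", "High",
             "2019.1.2", "CVE-2019-15848"),
    Advisory("YouTrack", "Stored XSS on the issue page (JT-51077, JT-54121)", "High",
             "2019.2.53938, 2019.2.57829", "CVE-2019-14953, CVE-2019-16171"),
    Advisory("Exception Analyzer", "Insecure transfer of credentials (EXA-652)", "Critical",
             "Not applicable", "CWE-598"),
]

# Pre-release tags in ascending order; unknown tags sort after known ones
# but still below the final release.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([a-z]+)(\d*))?")


def parse_version(text):
    """'2019.2.53938' -> ((2019, 2, 53938), None); '1.2.0-rc2' -> ((1, 2, 0), (2, 2))."""
    m = _VERSION_RE.fullmatch(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    pre = None
    if m.group(2):
        pre = (_PRE_RANK.get(m.group(2), 99), int(m.group(3) or 0))
    return nums, pre


def version_key(text):
    """Sortable key: numeric parts padded so 2019.1 == 2019.1.0, and any
    pre-release of X.Y.Z ranks below the X.Y.Z release itself."""
    nums, pre = parse_version(text)
    padded = nums + (0,) * (6 - len(nums))
    release_flag = (0, pre) if pre is not None else (1, (0, 0))
    return padded, release_flag


def is_fixed(installed, resolved_in):
    """True if `installed` is at or above every version listed in the cell,
    False if it is below, None for 'Not applicable' (assumed: nothing to
    upgrade; check the service or vendor statement by hand instead)."""
    if resolved_in.strip().lower() == "not applicable":
        return None
    # Assumption: with several listed versions, require the highest one.
    fixed_keys = [version_key(v) for v in resolved_in.split(",")]
    return version_key(installed) >= max(fixed_keys)


def outstanding(installed):
    """Rows whose fix the installed build (dict product -> version) does not yet carry."""
    return [adv for adv in BULLETIN
            if adv.product in installed
            and is_fixed(installed[adv.product], adv.resolved_in) is False]


def needs_manual_check(installed):
    """Rows for installed products where 'Resolved in' is not a version."""
    return [adv for adv in BULLETIN
            if adv.product in installed
            and is_fixed(installed[adv.product], adv.resolved_in) is None]


if __name__ == "__main__":
    # Constructed inventory for demonstration purposes.
    inventory = {"TeamCity": "2019.1", "IntelliJ IDEA": "2019.2",
                 "Kotlin Ktor": "1.2.0-rc1", "YouTrack": "2019.2.53938",
                 "Exception Analyzer": "hosted"}
    for adv in outstanding(inventory):
        print(f"UNFIXED  {adv.product:<18} {adv.severity:<9} {adv.ids}  {adv.issue}")
    for adv in needs_manual_check(inventory):
        print(f"MANUAL   {adv.product:<18} {adv.severity:<9} {adv.ids}  {adv.issue}")
```

Note that the ordering logic is deliberately simple: it understands dotted numeric builds and a trailing pre-release tag, which is enough for every version string in this bulletin, but it is not a general semantic-versioning comparator and should not be reused for products with other numbering schemes without adjusting `parse_version`.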

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop
