JetBrains Security Bulletin Q3 2019
In the third quarter of 2019, we resolved a series of security issues in our products.
Here’s a summary report that contains a description of each issue and the version in which it was resolved.
| Product | Description | Severity | Resolved in | CVE/CWE |
| --- | --- | --- | --- | --- |
| Hub | Username enumeration was possible through password recovery. (JPS-9655, JPS-9938) | Note | 2019.1.11738 | CVE-2019-18360 |
| IntelliJ IDEA | Local user privilege escalation potentially allowed arbitrary code execution. (IDEA-216623) | Low | 2019.2 | CVE-2019-18361 |
| JetBrains Account | Account removal without re-authentication was possible. (JPF-9611, reported by Siamul Islam) | Moderate | 2019.9 | CWE-306 |
| JetBrains Account | A password reset link was not invalidated when the password was changed through the profile. (JPF-9610, reported by Elliot V. Daniel) | Moderate | 2019.8 | CWE-613 |
| MPS | Ports listened on by MPS were exposed to the network. (MPS-30661) | Low | 2019.2.2 | CVE-2019-18362 |
| TeamCity | Under some circumstances, the build history of a deleted build configuration remained accessible. (TW-60957) | Moderate | 2019.1.2 | CVE-2019-18363 |
| TeamCity | Insecure Java deserialization could potentially allow remote code execution (RCE). (TW-61928, reported by Aleksei “GreenDog” Tiurin) | Moderate | 2019.1.4 | CVE-2019-18364 |
| TeamCity | Reverse tabnabbing was possible on several pages. (TW-61323, TW-61725, TW-61726, TW-61646, TW-62123) | Low | 2019.1.4 | CVE-2019-18365 |
| TeamCity | Secure values could be exposed to users with the ‘View build runtime parameters and data’ permission. | Low | 2019.1.2 | CVE-2019-18366 |
| TeamCity | A non-destructive operation could be performed by a user without the corresponding permissions. (TW-61107) | Low | 2019.1.2 | CVE-2019-18367 |
| Toolbox App | Privilege escalation was possible in the JetBrains Toolbox App for Windows. (TBX-3759) | Low | 1.15.5666 | CVE-2019-18368 |
| YouTrack | Sending arbitrary spam email from a YouTrack instance was possible. (JT-54136, ADM-13823, ADM-34971) | Low | Not applicable | CWE-285 |
| YouTrack | Removing tags from the issues list without the corresponding permission was possible. (JT-53465) | Low | 2019.2.55152 | CVE-2019-18369 |
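Two rows in the table, the Hub username enumeration through password recovery and the JetBrains Account reset link that survived a profile password change (CWE-613), describe the same account-recovery flow failing in two ways. The Python sketch below is an added illustration of that flow and is not JetBrains code: it models a minimal account service whose recovery endpoint answers identically for known and unknown usernames, and whose password setter revokes every outstanding reset token no matter which path changed the password. The `invalidate_on_profile_change` switch (which reproduces the vulnerable behaviour when set to `False`), the one-hour token lifetime, the PBKDF2 parameters and the in-memory outbox are assumptions made for the example.

```python
"""Illustrative account-recovery service (added example, not JetBrains code).

Models two issue classes from the bulletin table: username enumeration through
password recovery, and a reset link that keeps working after the password was
changed through the profile.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

RESET_TOKEN_TTL = 3600      # assumed lifetime of a reset link, in seconds
PBKDF2_ROUNDS = 100_000     # assumed work factor for the demo password hash

# The one message returned for every recovery request, known username or not.
RECOVERY_MESSAGE = "If that account exists, a recovery email has been sent."


def _hash(password: str) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def _verify(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class Account:
    username: str
    password_hash: str
    reset_tokens: dict = field(default_factory=dict)   # token -> expiry timestamp


class AccountService:
    def __init__(self, invalidate_on_profile_change: bool = True):
        # False reproduces the CWE-613 behaviour from the table: a reset link
        # issued before a profile password change still works afterwards.
        self.invalidate_on_profile_change = invalidate_on_profile_change
        self.accounts = {}
        self.outbox = []   # constructed stand-in for an email sender: (username, token)

    def add(self, username: str, password: str) -> None:
        self.accounts[username] = Account(username, _hash(password))

    def request_reset(self, username: str, now: Optional[float] = None) -> str:
        """Recovery entry point. The response (and ideally its timing) is the
        same for existing and unknown usernames; only the server-side outbox
        differs, so this endpoint cannot be used to enumerate accounts."""
        account = self.accounts.get(username)
        if account is not None:
            token = secrets.token_urlsafe(32)
            issued = time.time() if now is None else now
            account.reset_tokens[token] = issued + RESET_TOKEN_TTL
            self.outbox.append((username, token))
        return RECOVERY_MESSAGE

    def reset_with_token(self, username: str, token: str, new_password: str,
                         now: Optional[float] = None) -> bool:
        account = self.accounts.get(username)
        if account is None:
            return False
        expiry = account.reset_tokens.get(token)
        current = time.time() if now is None else now
        if expiry is None or current > expiry:
            return False
        self._set_password(account, new_password)
        return True

    def change_password_via_profile(self, username: str, old_password: str,
                                    new_password: str) -> bool:
        account = self.accounts.get(username)
        if account is None or not _verify(old_password, account.password_hash):
            return False
        if self.invalidate_on_profile_change:
            self._set_password(account, new_password)
        else:
            account.password_hash = _hash(new_password)   # vulnerable: tokens survive
        return True

    def _set_password(self, account: Account, new_password: str) -> None:
        account.password_hash = _hash(new_password)
        # Every outstanding reset link is now stale: drop them all. This also
        # makes each token single-use.
        account.reset_tokens.clear()


def stale_link_still_works(invalidate: bool) -> bool:
    """Issue a reset link, change the password through the profile, then try
    the old link. Returns True when the old link is still accepted."""
    svc = AccountService(invalidate_on_profile_change=invalidate)
    svc.add("alice", "old-pass")
    svc.request_reset("alice")
    _, token = svc.outbox[-1]
    if not svc.change_password_via_profile("alice", "old-pass", "new-pass"):
        raise RuntimeError("profile password change should have succeeded")
    return svc.reset_with_token("alice", token, "attacker-chosen")


if __name__ == "__main__":
    print("vulnerable:", stale_link_still_works(False))   # True
    print("fixed:     ", stale_link_still_works(True))    # False
```

The practitioner's check is the last function: after the legitimate user changes their password, a previously issued reset link must be rejected; in a real service the same invalidation should also run on logout-all and on administrative password resets, and the constant response from `request_reset` only helps if the endpoint's response time does not differ measurably for unknown usernames.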
If you need any further assistance, please contact our Security Team.
Your JetBrains Team