JetBrains Security Bulletin Q3 2019

In the third quarter of 2019, we resolved a series of security issues in our products.

Here’s a summary report that contains a description of each issue and the version in which it was resolved.

Product Description Severity Resolved in CVE/CWE
Hub Username enumeration was possible through password recovery. (JPS-9655, JPS-9938) Note 2019.1.11738 CVE-2019-18360
IntelliJ IDEA Local user privilege escalation potentially allowed arbitrary code execution. (IDEA-216623) Low 2019.2 CVE-2019-18361
JetBrains Account Account removal without re-authentication was possible. (JPF-9611 reported by Siamul Islam) Moderate 2019.9 CWE-306
JetBrains Account Password reset link was not invalidated during password change through profile. (JPF-9610 reported by Elliot V. Daniel) Moderate 2019.8 CWE-613
MPS Ports listened to by MPS are exposed to the network. (MPS-30661) Low 2019.2.2 CVE-2019-18362
TeamCity Access could be gained to the history of builds of a deleted build configuration under some circumstances. (TW-60957) Moderate 2019.1.2 CVE-2019-18363
TeamCity Insecure Java Deserialization could potentially allow RCE. (TW-61928 reported by Aleksei “GreenDog” Tiurin) Moderate 2019.1.4 CVE-2019-18364
TeamCity Reverse tabnabbing was possible on several pages. (TW-61323, TW-61725, TW-61726, TW-61646, TW-62123) Low 2019.1.4 CVE-2019-18365
TeamCity Secure values could be exposed to users with the ‘View build runtime parameters and data’ permission. Low 2019.1.2 CVE-2019-18366
TeamCity A non-destructive operation could be performed by a user without the corresponding permissions. (TW-61107) Low 2019.1.2 CVE-2019-18367
Toolbox App Privilege escalation was possible in the JetBrains Toolbox App for Windows. (TBX-3759) Low 1.15.5666 CVE-2019-18368
YouTrack Sending of arbitrary spam email from a YouTrack instance was possible. (JT-54136, ADM-13823, ADM-34971) Low Not applicable CWE-285
YouTrack Removing tags from issues list without corresponding permission was possible. (JT-53465) Low 2019.2.55152 CVE-2019-18369

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop

This entry was posted in FYI, Uncategorized and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *