JetBrains Security Bulletin Q3 2019
In the third quarter of 2019, we resolved a series of security issues in our products.
Here’s a summary report that contains a description of each issue and the version in which it was resolved.
|Hub||Username enumeration was possible through password recovery. (JPS-9655, JPS-9938)||Note||2019.1.11738||CVE-2019-18360|
|IntelliJ IDEA||Local user privilege escalation potentially allowed arbitrary code execution. (IDEA-216623)||Low||2019.2||CVE-2019-18361|
|JetBrains Account||Account removal without re-authentication was possible. (JPF-9611 reported by Siamul Islam)||Moderate||2019.9||CWE-306|
|JetBrains Account||Password reset link was not invalidated during password change through profile. (JPF-9610 reported by Elliot V. Daniel)||Moderate||2019.8||CWE-613|
|MPS||Ports listened to by MPS are exposed to the network. (MPS-30661)||Low||2019.2.2||CVE-2019-18362|
|TeamCity||Access could be gained to the history of builds of a deleted build configuration under some circumstances. (TW-60957)||Moderate||2019.1.2||CVE-2019-18363|
|TeamCity||Insecure Java Deserialization could potentially allow RCE. (TW-61928 reported by Aleksei “GreenDog” Tiurin)||Moderate||2019.1.4||CVE-2019-18364|
|TeamCity||Reverse tabnabbing was possible on several pages. (TW-61323, TW-61725, TW-61726, TW-61646, TW-62123)||Low||2019.1.4||CVE-2019-18365|
|TeamCity||Secure values could be exposed to users with the ‘View build runtime parameters and data’ permission.||Low||2019.1.2||CVE-2019-18366|
|TeamCity||A non-destructive operation could be performed by a user without the corresponding permissions. (TW-61107)||Low||2019.1.2||CVE-2019-18367|
|Toolbox App||Privilege escalation was possible in the JetBrains Toolbox App for Windows. (TBX-3759)||Low||1.15.5666||CVE-2019-18368|
|YouTrack||Sending of arbitrary spam email from a YouTrack instance was possible. (JT-54136, ADM-13823, ADM-34971)||Low||Not applicable||CWE-285|
|YouTrack||Removing tags from issues list without corresponding permission was possible. (JT-53465)||Low||2019.2.55152||CVE-2019-18369|
If you need any further assistance, please contact our Security Team.
Subscribe to receive the bulletin in your mailbox.
Your JetBrains Team
The Drive to Develop
Subscribe to Blog updates
Thanks, we've got you!