JetBrains Security Bulletin Q3 2019

Posted by Robert Demmer

In the third quarter of 2019, we resolved a series of security issues in our products.

Here’s a summary report that contains a description of each issue and the version in which it was resolved.

| Product | Description | Severity | Resolved in | CVE/CWE |
|---|---|---|---|---|
| Hub | Username enumeration was possible through password recovery. (JPS-9655, JPS-9938) | Note | 2019.1.11738 | CVE-2019-18360 |
| IntelliJ IDEA | Local user privilege escalation potentially allowed arbitrary code execution. (IDEA-216623) | Low | 2019.2 | CVE-2019-18361 |
| JetBrains Account | Account removal without re-authentication was possible. (JPF-9611 reported by Siamul Islam) | Moderate | 2019.9 | CWE-306 |
| JetBrains Account | Password reset link was not invalidated during password change through profile. (JPF-9610 reported by Elliot V. Daniel) | Moderate | 2019.8 | CWE-613 |
| MPS | Ports listened to by MPS are exposed to the network. (MPS-30661) | Low | 2019.2.2 | CVE-2019-18362 |
| TeamCity | Access could be gained to the history of builds of a deleted build configuration under some circumstances. (TW-60957) | Moderate | 2019.1.2 | CVE-2019-18363 |
| TeamCity | Insecure Java Deserialization could potentially allow RCE. (TW-61928 reported by Aleksei “GreenDog” Tiurin) | Moderate | 2019.1.4 | CVE-2019-18364 |
| TeamCity | Reverse tabnabbing was possible on several pages. (TW-61323, TW-61725, TW-61726, TW-61646, TW-62123) | Low | 2019.1.4 | CVE-2019-18365 |
| TeamCity | Secure values could be exposed to users with the ‘View build runtime parameters and data’ permission. | Low | 2019.1.2 | CVE-2019-18366 |
| TeamCity | A non-destructive operation could be performed by a user without the corresponding permissions. (TW-61107) | Low | 2019.1.2 | CVE-2019-18367 |
| Toolbox App | Privilege escalation was possible in the JetBrains Toolbox App for Windows. (TBX-3759) | Low | 1.15.5666 | CVE-2019-18368 |
| YouTrack | Sending of arbitrary spam email from a YouTrack instance was possible. (JT-54136, ADM-13823, ADM-34971) | Low | Not applicable | CWE-285 |
| YouTrack | Removing tags from issues list without corresponding permission was possible. (JT-53465) | Low | 2019.2.55152 | CVE-2019-18369 |

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop