JetBrains Security Bulletin Q3 2019
In the third quarter of 2019, we resolved a series of security issues in our products.
Here’s a summary report that contains a description of each issue and the version in which it was resolved.
| Product | Issue | Severity | Resolved in | Reference |
|---|---|---|---|---|
| Hub | Username enumeration was possible through password recovery. (JPS-9655, JPS-9938) | Note | 2019.1.11738 | CVE-2019-18360 |
| IntelliJ IDEA | Local user privilege escalation potentially allowed arbitrary code execution. (IDEA-216623) | Low | 2019.2 | CVE-2019-18361 |
| JetBrains Account | Account removal without re-authentication was possible. (JPF-9611, reported by Siamul Islam) | Moderate | 2019.9 | CWE-306 |
| JetBrains Account | Password reset link was not invalidated during password change through profile. (JPF-9610, reported by Elliot V. Daniel) | Moderate | 2019.8 | CWE-613 |
| MPS | Ports listened to by MPS are exposed to the network. (MPS-30661) | Low | 2019.2.2 | CVE-2019-18362 |
| TeamCity | Access could be gained to the history of builds of a deleted build configuration under some circumstances. (TW-60957) | Moderate | 2019.1.2 | CVE-2019-18363 |
| TeamCity | Insecure Java deserialization could potentially allow RCE. (TW-61928, reported by Aleksei “GreenDog” Tiurin) | Moderate | 2019.1.4 | CVE-2019-18364 |
| TeamCity | Reverse tabnabbing was possible on several pages. (TW-61323, TW-61725, TW-61726, TW-61646, TW-62123) | Low | 2019.1.4 | CVE-2019-18365 |
| TeamCity | Secure values could be exposed to users with the ‘View build runtime parameters and data’ permission. | Low | 2019.1.2 | CVE-2019-18366 |
| TeamCity | A non-destructive operation could be performed by a user without the corresponding permissions. (TW-61107) | Low | 2019.1.2 | CVE-2019-18367 |
| Toolbox App | Privilege escalation was possible in the JetBrains Toolbox App for Windows. (TBX-3759) | Low | 1.15.5666 | CVE-2019-18368 |
| YouTrack | Sending of arbitrary spam email from a YouTrack instance was possible. (JT-54136, ADM-13823, ADM-34971) | Low | Not applicable | CWE-285 |
| YouTrack | Removing tags from the issues list without the corresponding permission was possible. (JT-53465) | Low | 2019.2.55152 | CVE-2019-18369 |
If you need any further assistance, please contact our Security Team.
Your JetBrains Team