JetBrains Security Bulletin Q4 2019

Robert Demmer

In the fourth quarter of 2019, we resolved a series of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.

| Product | Description | Severity | Resolved in | CVE/CWE |
|---|---|---|---|---|
| IDETalk plugin | XXE in IDETalk plugin. (IDEA-220136, reported by Srikanth Ramu) | Moderate | 193.4099.10 | CVE-2019-18412 |
| IntelliJ IDEA | Some Maven repositories are accessed via HTTP instead of HTTPS. (IDEA-216282) | High | 2019.3 | CVE-2020-7904 |
| IntelliJ IDEA | Ports listened on by IntelliJ IDEA are exposed to the network. (IDEA-219695) | Low | 2019.3 | CVE-2020-7905 |
| IntelliJ IDEA | XSLT debugger plugin misconfiguration allows arbitrary file read over the network. (IDEA-216621, reported by Anatoly Korniltsev) | Moderate | 2019.3 | CVE-2020-7914 |
| JetBrains Account | Profile names are exposed by email. (JPF-9219, reported by Timon Birk) | Low | 2019.11 | CWE-200 |
| JetBrains Account | Missing Secure flag on a cookie. (JPF-9857) | Low | 2019.11 | CWE-614 |
| JetBrains Account | Insufficient authentication on contact view. (JPF-10024) | High | 2019.11 | CWE-287 |
| JetBrains Account | Insufficient authentication on role update. (JPF-10025) | High | 2019.11 | CWE-287 |
| JetBrains Account | XSS on the spending report page. (JPF-10027) | Moderate | 2019.12 | CWE-79 |
| JetBrains Account | Open redirect during re-acceptance of license agreements. (JPF-10028) | Low | 2019.11 | CWE-601 |
| JetBrains Account | Information exposure during processing of license requests. (JPF-10111) | High | 2019.12 | CWE-200 |
| JetBrains Website | Cookie XSS at jetbrains.com. (JS-10969) | High | Not applicable | CWE-79 |
| Kotlin Ktor | The Ktor framework is vulnerable to HTTP response splitting. (Reported by Jonathan Leitschuh) | High | 1.2.6 | CVE-2019-19389 |
| Kotlin Ktor | The Ktor client resends authorization data to a redirect location. (Reported by Jonathan Leitschuh) | Low | 1.2.6 | CVE-2019-19703 |
| Kotlin Ktor | Request smuggling is possible when both chunked Transfer-Encoding and Content-Length are specified. (Reported by Jonathan Leitschuh) | Low | 1.3.0 | CVE-2020-5207 |
| Plugin Marketplace | XSS on several pages. (MP-2617, MP-2640, MP-2642) | Low | Not applicable | CWE-79 |
| Plugin Marketplace | Improper access control during plugin upload. (MP-2695) | Critical | Not applicable | CWE-284 |
| Rider | Unsigned binaries in the Windows installer. (RIDER-30393) | Moderate | 2019.3 | CVE-2020-7906 |
| Scala plugin | Artifact dependencies were resolved over unencrypted connections. (SCL-15063) | High | 2019.2.1 | CVE-2020-7907 |
| TeamCity | Reverse tabnabbing is possible on several pages. (TW-61710, TW-61726, TW-61727) | Low | 2019.1.5 | CVE-2020-7908 |
| TeamCity | Some server-stored passwords can be shown via the web UI. (TW-62674) | High | 2019.1.5 | CVE-2020-7909 |
| TeamCity | Possible stored XSS attack by a user with the developer role. (TW-63298) | Moderate | 2019.2 | CVE-2020-7910 |
| TeamCity | Stored XSS on user-level pages. (TW-63160) | High | 2019.2 | CVE-2020-7911 |
| YouTrack | CORS misconfiguration on youtrack.jetbrains.com. (JT-53675) | Moderate | Not applicable | CWE-346 |
| YouTrack | SMTP/Jabber settings can be accessed using backups. (JT-54139) | Moderate | 2019.2.59309 | CVE-2020-7912 |
| YouTrack | XSS via image upload at youtrack-workflow-converter.jetbrains.com. (JT-54589) | Low | Not applicable | CWE-80 |
| YouTrack | XSS via issue description. (JT-54719) | High | 2019.2.59309 | CVE-2020-7913 |

If you need any further assistance, please contact our Security Team.


Your JetBrains Team
The Drive to Develop