JetBrains Security Bulletin Q4 2019
In the fourth quarter of 2019, we resolved a series of security issues in our products. The table below gives a short description of each issue, its severity, and the version in which it was resolved. Rows marked "Not applicable" concern JetBrains-hosted services (jetbrains.com, the Plugin Marketplace, youtrack.jetbrains.com), which were fixed in place and have no customer-side version to update.
| Product | Description | Severity | Resolved in | CVE/CWE |
|---|---|---|---|---|
| IDETalk plugin | XXE in the IDETalk plugin. (IDEA-220136, reported by Srikanth Ramu) | Moderate | 193.4099.10 | CVE-2019-18412 |
| IntelliJ IDEA | Some Maven repositories are accessed via HTTP instead of HTTPS. (IDEA-216282) | High | 2019.3 | CVE-2020-7904 |
| IntelliJ IDEA | Ports listened on by IntelliJ IDEA are exposed to the network. (IDEA-219695) | Low | 2019.3 | CVE-2020-7905 |
| IntelliJ IDEA | XSLT debugger plugin misconfiguration allows arbitrary file read over the network. (IDEA-216621, reported by Anatoly Korniltsev) | Moderate | 2019.3 | CVE-2020-7914 |
| JetBrains Account | Profile names are exposed by email. (JPF-9219, reported by Timon Birk) | Low | 2019.11 | CWE-200 |
| JetBrains Account | Missing Secure flag on a cookie. (JPF-9857) | Low | 2019.11 | CWE-614 |
| JetBrains Account | Insufficient authentication on contact view. (JPF-10024) | High | 2019.11 | CWE-287 |
| JetBrains Account | Insufficient authentication on role update. (JPF-10025) | High | 2019.11 | CWE-287 |
| JetBrains Account | XSS on the spending report page. (JPF-10027) | Moderate | 2019.12 | CWE-79 |
| JetBrains Account | Open redirect during re-acceptance of license agreements. (JPF-10028) | Low | 2019.11 | CWE-601 |
| JetBrains Account | Information exposure during processing of license requests. (JPF-10111) | High | 2019.12 | CWE-200 |
| JetBrains Website | Cookie-based XSS at jetbrains.com. (JS-10969) | High | Not applicable | CWE-79 |
| Kotlin Ktor | The Ktor framework is vulnerable to HTTP response splitting. (Reported by Jonathan Leitschuh) | High | 1.2.6 | CVE-2019-19389 |
| Kotlin Ktor | The Ktor client resends authorization data to a redirect location. (Reported by Jonathan Leitschuh) | Low | 1.2.6 | CVE-2019-19703 |
| Kotlin Ktor | Request smuggling is possible when both chunked Transfer-Encoding and Content-Length are specified. (Reported by Jonathan Leitschuh) | Low | 1.3.0 | CVE-2020-5207 |
| Plugin Marketplace | XSS on several pages. (MP-2617, MP-2640, MP-2642) | Low | Not applicable | CWE-79 |
| Plugin Marketplace | Improper access control during plugin upload. (MP-2695) | Critical | Not applicable | CWE-284 |
| Rider | Unsigned binaries in the Windows installer. (RIDER-30393) | Moderate | 2019.3 | CVE-2020-7906 |
| Scala plugin | Artifact dependencies were resolved over unencrypted connections. (SCL-15063) | High | 2019.2.1 | CVE-2020-7907 |
| TeamCity | Reverse tabnabbing is possible on several pages. (TW-61710, TW-61726, TW-61727) | Low | 2019.1.5 | CVE-2020-7908 |
| TeamCity | Some server-stored passwords can be shown via the web UI. (TW-62674) | High | 2019.1.5 | CVE-2020-7909 |
| TeamCity | Possible stored XSS by a user with the developer role. (TW-63298) | Moderate | 2019.2 | CVE-2020-7910 |
| TeamCity | Stored XSS on user-level pages. (TW-63160) | High | 2019.2 | CVE-2020-7911 |
| YouTrack | CORS misconfiguration on youtrack.jetbrains.com. (JT-53675) | Moderate | Not applicable | CWE-346 |
| YouTrack | SMTP/Jabber settings can be accessed via backups. (JT-54139) | Moderate | 2019.2.59309 | CVE-2020-7912 |
| YouTrack | XSS via image upload at youtrack-workflow-converter.jetbrains.com. (JT-54589) | Low | Not applicable | CWE-80 |
| YouTrack | XSS via issue description. (JT-54719) | High | 2019.2.59309 | CVE-2020-7913 |
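The two Ktor rows on HTTP response splitting (CVE-2019-19389) and request smuggling (CVE-2020-5207) describe framing problems that any HTTP/1.1 server or reverse proxy has to guard against, not just Ktor. The following Python is an added example written for this bulletin, not Ktor's code and not the fix JetBrains shipped: it parses a request head and rejects the ambiguous case where both `Transfer-Encoding` and `Content-Length` are present (RFC 7230, section 3.3.3, says such a message ought to be treated as an error), and it refuses to place a value containing CR, LF or NUL into a response header, which is what makes splitting possible. The sample requests and the `Location` value are constructed for the example.

```python
"""Framing checks for the HTTP response-splitting and request-smuggling issues
named in the Ktor rows. Added example; not Ktor's implementation."""
import re
from typing import List, Optional, Tuple

Header = Tuple[str, str]


def parse_head(raw: bytes) -> Tuple[str, List[Header]]:
    """Split an HTTP/1.1 request head into its request line and (name, value) headers.

    Parsing stops at the first blank line; the body is not consumed here.
    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers: List[Header] = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def framing_problem(raw: bytes) -> Optional[str]:
    """Return a reason to reject the request if its body length is ambiguous, else None.

    Two parsers in the chain (proxy and origin) that pick different headers,
    the CL.TE / TE.CL cases, are exactly what a smuggling attack exploits, so the
    safe answer is to reject rather than to pick one.
    """
    _, headers = parse_head(raw)
    content_lengths = [v for n, v in headers if n == "content-length"]
    transfer_encodings = [v for n, v in headers if n == "transfer-encoding"]

    if content_lengths and transfer_encodings:
        return "both Transfer-Encoding and Content-Length present"
    if len(set(content_lengths)) > 1:
        return "conflicting Content-Length values"
    for v in content_lengths:
        if not re.fullmatch(r"[0-9]+", v):
            return f"invalid Content-Length {v!r}"
    for v in transfer_encodings:
        # Only "chunked" as the final coding gives a well-defined request body.
        codings = [c.strip().lower() for c in v.split(",")]
        if codings[-1] != "chunked":
            return f"unsupported Transfer-Encoding {v!r}"
    return None


_CTL = re.compile(r"[\r\n\x00]")


def header_value_is_safe(value: str) -> bool:
    """A value with CR, LF or NUL could end the header block and start a second response."""
    return _CTL.search(value) is None


def safe_header_value(value: str) -> str:
    """Pass a header value through only if it cannot split the response."""
    if not header_value_is_safe(value):
        raise ValueError("CR, LF or NUL in header value")
    return value


def redirect_response(location: str) -> bytes:
    """Build a 302 whose Location header is taken from untrusted input."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {safe_header_value(location)}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode("latin-1")


# Constructed sample inputs for the example (not captured traffic).
CL_TE_REQUEST = (
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"0\r\n\r\nG"
)
PLAIN_REQUEST = (
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 5\r\n\r\nhello"
)
SPLIT_LOCATION = "/home\r\nSet-Cookie: session=attacker\r\n\r\n<html>injected</html>"

if __name__ == "__main__":
    for label, req in (("CL.TE", CL_TE_REQUEST), ("plain", PLAIN_REQUEST)):
        print(label, "->", framing_problem(req) or "ok")
    try:
        redirect_response(SPLIT_LOCATION)
    except ValueError as exc:
        print("redirect rejected:", exc)
```

The splitting check belongs at the point where a value crosses from request data into a response header (redirect targets, cookie values, content-disposition filenames); the framing check belongs at the front of the connection handler, before any byte of the body is read, and should close the connection on rejection since the remaining bytes on the socket can no longer be trusted.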
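The IntelliJ IDEA row on Maven repositories reached over HTTP (CVE-2020-7904) and the Scala plugin row on dependencies resolved over unencrypted connections (CVE-2020-7907) are the same class of problem: an on-path attacker can substitute the artifact that the build downloads. Beyond updating the IDE, a practitioner will want to confirm that the project's own build descriptors do not declare plain-HTTP repositories. The Python below is an added example for this bulletin, not JetBrains code: it walks the `repository`, `pluginRepository` and `mirror` elements of a Maven `pom.xml` or `settings.xml` and the `"name" at "url"` resolver lines of an sbt build, and reports every URL whose scheme is `http://`. The build files it scans are constructed for the example.

```python
"""Report repositories declared over plain HTTP in Maven and sbt build files.
Added example for this bulletin; not JetBrains code."""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Elements in pom.xml / settings.xml that carry a repository <url>.
REPO_ELEMENTS = ("repository", "pluginRepository", "mirror")


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def insecure_maven_urls(xml_text: str) -> List[Tuple[str, str]]:
    """Return (id, url) for each repository or mirror whose URL uses http://.

    The namespace differs between pom.xml and settings.xml, so tags are matched
    on their local name. Scheme comparison is case-insensitive because Maven
    accepts 'HTTP://' too. Build files are trusted input here; for XML from an
    untrusted source, parse with defusedxml instead (see the XXE row above).
    """
    root = ET.fromstring(xml_text)
    findings: List[Tuple[str, str]] = []
    for elem in root.iter():
        if _local(elem.tag) not in REPO_ELEMENTS:
            continue
        repo_id = url = ""
        for child in elem:
            if _local(child.tag) == "id":
                repo_id = (child.text or "").strip()
            elif _local(child.tag) == "url":
                url = (child.text or "").strip()
        if url.lower().startswith("http://"):
            findings.append((repo_id or "<no id>", url))
    return findings


# sbt resolver syntax:  resolvers += "Some name" at "http://host/path"
SBT_RESOLVER = re.compile(r'"([^"]*)"\s+at\s+"(http://[^"]*)"', re.IGNORECASE)


def insecure_sbt_resolvers(build_text: str) -> List[Tuple[str, str]]:
    """Return (name, url) for each sbt resolver declared over http://."""
    return SBT_RESOLVER.findall(build_text)


# Constructed sample build files for the example.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <repositories>
    <repository>
      <id>central-mirror</id>
      <url>http://repo.example.test/maven2</url>
    </repository>
    <repository>
      <id>secure</id>
      <url>https://repo.example.test/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>plugins</id>
      <url>HTTP://plugins.example.test/</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>central-mirror</id>
      <mirrorOf>central</mirrorOf>
      <url>http://mirror.example.test/maven2</url>
    </mirror>
  </mirrors>
</settings>
"""
SAMPLE_SBT = """
resolvers += "Example snapshots" at "http://repo.example.test/snapshots"
resolvers += "Example releases" at "https://repo.example.test/releases"
"""

if __name__ == "__main__":
    for label, hits in (
        ("pom.xml", insecure_maven_urls(SAMPLE_POM)),
        ("settings.xml", insecure_maven_urls(SAMPLE_SETTINGS)),
        ("build.sbt", insecure_sbt_resolvers(SAMPLE_SBT)),
    ):
        for name, url in hits:
            print(f"{label}: {name} -> {url}")
```

Note that a clean scan of the project is not the whole picture: `~/.m2/settings.xml`, the global sbt configuration and the IDE's own bundled resolvers can also introduce plain-HTTP repositories, which is why the IDE-side fixes in the table matter even for projects whose descriptors only use HTTPS.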
If you need any further assistance, please contact our Security Team.
Your JetBrains Team
The Drive to Develop