JetBrains Security Bulletin Q1 2020
In the first quarter of 2020, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.
|Datalore||User’s SSH key can be deleted without appropriate permissions. Reported by Callum Carney (DL-7833)||Moderate||Not applicable||CWE-639|
|Datalore||SSRF could be caused by an attached file. Reported by Callum Carney (DL-7836)||High||Not applicable||CWE-918|
|GoLand||Plain HTTP was used to access plugin repository (GO-8694)||Low||2019.3.2||CVE-2020-11685|
|IntelliJ IDEA||License server could be resolved to untrusted host in some cases (IDEA-219748)||High||2020.1||CVE-2020-11690|
|JetBrains Account||Non-unique QR codes were generated during consequent attempts to set up 2FA (JPF-10149)||Low||2020.01||CWE-342|
|JetBrains Account||Clickjacking was possible on a JetBrains Account page. Reported by Raja Ahtisham (JPF-10154)||Moderate||2020.01||CWE-1021|
|JetBrains Account||Customer name enumeration by numeric customer ID was possible (JPF-10159, JPF-10301)||High||2020.03||CWE-200|
|JetBrains Account||Country value coming from a user wasn’t correctly validated (JPF-10258)||High||2020.02||CWE-285|
|JetBrains Account||Information disclosure from JetBrains Account was possible via the “Back” button. Reported by Ratnadip Gajbhiye (JPF-10266)||Low||2020.02||CWE-200|
|JetBrains Website||Reflected XSS at jetbrains.com was possible. Reported by Rahad Chowdhury (JS-11769)||High||Not applicable||CWE-79|
|Hub||Content spoofing at Hub OAuth error message was possible (JPS-10093)||Moderate||2020.1.12099||CVE-2020-11691|
|Plugin Marketplace||Uploading malicious file via Screenshots form could cause XSS (MP-2637)||Moderate||Not applicable||CWE-79|
|PyCharm||Apple Notarization Service credentials were included in PyCharm distributive for Windows. Reported by Ruby Nealon (IDEA-232217)||High||2019.3.3, 2019.2.6||CVE-2020-11694|
|Space||Session timeout period was configured improperly (SPACE-4717)||Low||Not applicable||CVE-2020-11795|
|Space||Stored XSS in Space chats was possible. Reported by Callum Carney (SPACE-6556)||Moderate||Not applicable||CVE-2020-11416|
|Space||Password authentication implementation was insecure (SPACE-7282)||High||Not applicable||CVE-2020-11796|
|TeamCity||Password values were shown not being masked on several pages (TW-64186)||Low||2019.2.2||CVE-2020-11687|
|TeamCity||Project administrator was able to see scrambled password parameters used in a project (TW-58099)||Moderate||2019.2.2||CVE-2020-11938|
|TeamCity||Project administrator was able to retrieve some TeamCity server settings (TW-61626)||Low||2019.1.4||CVE-2020-11686|
|TeamCity||Application state kept alive after a user ended their session (TW-61824)||Low||2019.2.1||CVE-2020-11688|
|TeamCity||A user without appropriate permissions was able import settings from settings.kts (TW-63698)||Low||2019.2.1||CVE-2020-11689|
|YouTrack||DB export was accessible to read-only administrators (JT-56001)||Low||2020.1.659||CVE-2020-11692|
|YouTrack||DoS could be performed by attaching a malformed TIFF to an issue. Reported by Chris Smith (JT-56407)||High||2020.1.659||CVE-2020-11693|
If you need any further assistance, please contact our Security Team.
Subscribe to receive the bulletin in your mailbox.
Your JetBrains Team
The Drive to Develop
Subscribe to Blog updates
Thanks, we've got you!