JetBrains Security Bulletin Q1 2020

In the first quarter of 2020, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.

| Product | Description | Severity | Resolved in | CVE/CWE |
|---|---|---|---|---|
| Datalore | User’s SSH key could be deleted without appropriate permissions. Reported by Callum Carney (DL-7833) | Moderate | Not applicable | CWE-639 |
| Datalore | SSRF could be caused by an attached file. Reported by Callum Carney (DL-7836) | High | Not applicable | CWE-918 |
| GoLand | Plain HTTP was used to access the plugin repository (GO-8694) | Low | 2019.3.2 | CVE-2020-11685 |
| IntelliJ IDEA | License server could be resolved to an untrusted host in some cases (IDEA-219748) | High | 2020.1 | CVE-2020-11690 |
| JetBrains Account | Non-unique QR codes were generated during consecutive attempts to set up 2FA (JPF-10149) | Low | 2020.01 | CWE-342 |
| JetBrains Account | Clickjacking was possible on a JetBrains Account page. Reported by Raja Ahtisham (JPF-10154) | Moderate | 2020.01 | CWE-1021 |
| JetBrains Account | Customer name enumeration by numeric customer ID was possible (JPF-10159, JPF-10301) | High | 2020.03 | CWE-200 |
| JetBrains Account | Country value coming from a user wasn’t correctly validated (JPF-10258) | High | 2020.02 | CWE-285 |
| JetBrains Account | Information disclosure from JetBrains Account was possible via the “Back” button. Reported by Ratnadip Gajbhiye (JPF-10266) | Low | 2020.02 | CWE-200 |
| JetBrains Website | Reflected XSS at jetbrains.com was possible. Reported by Rahad Chowdhury (JS-11769) | High | Not applicable | CWE-79 |
| Hub | Content spoofing in the Hub OAuth error message was possible (JPS-10093) | Moderate | 2020.1.12099 | CVE-2020-11691 |
| Plugin Marketplace | Uploading a malicious file via the Screenshots form could cause XSS (MP-2637) | Moderate | Not applicable | CWE-79 |
| PyCharm | Apple Notarization Service credentials were included in the PyCharm distribution for Windows. Reported by Ruby Nealon (IDEA-232217) | High | 2019.3.3, 2019.2.6 | CVE-2020-11694 |
| Space | Session timeout period was configured improperly (SPACE-4717) | Low | Not applicable | CVE-2020-11795 |
| Space | Stored XSS in Space chats was possible. Reported by Callum Carney (SPACE-6556) | Moderate | Not applicable | CVE-2020-11416 |
| Space | Password authentication implementation was insecure (SPACE-7282) | High | Not applicable | CVE-2020-11796 |
| TeamCity | Password values were shown unmasked on several pages (TW-64186) | Low | 2019.2.2 | CVE-2020-11687 |
| TeamCity | Project administrator was able to see scrambled password parameters used in a project (TW-58099) | Moderate | 2019.2.2 | CVE-2020-11938 |
| TeamCity | Project administrator was able to retrieve some TeamCity server settings (TW-61626) | Low | 2019.1.4 | CVE-2020-11686 |
| TeamCity | Application state was kept alive after a user ended their session (TW-61824) | Low | 2019.2.1 | CVE-2020-11688 |
| TeamCity | A user without appropriate permissions was able to import settings from settings.kts (TW-63698) | Low | 2019.2.1 | CVE-2020-11689 |
| YouTrack | DB export was accessible to read-only administrators (JT-56001) | Low | 2020.1.659 | CVE-2020-11692 |
| YouTrack | DoS could be performed by attaching a malformed TIFF to an issue. Reported by Chris Smith (JT-56407) | High | 2020.1.659 | CVE-2020-11693 |

If you need any further assistance, please contact our Security Team.

Your JetBrains Team
The Drive to Develop