JetBrains Security Bulletin Q1 2020

Posted by Robert Demmer

In the first quarter of 2020, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.

| Product | Description | Severity | Resolved in | CVE/CWE |
|---|---|---|---|---|
| Datalore | User’s SSH key can be deleted without appropriate permissions. Reported by Callum Carney (DL-7833) | Moderate | Not applicable | CWE-639 |
| Datalore | SSRF could be caused by an attached file. Reported by Callum Carney (DL-7836) | High | Not applicable | CWE-918 |
| GoLand | Plain HTTP was used to access the plugin repository (GO-8694) | Low | 2019.3.2 | CVE-2020-11685 |
| IntelliJ IDEA | License server could be resolved to an untrusted host in some cases (IDEA-219748) | High | 2020.1 | CVE-2020-11690 |
| JetBrains Account | Non-unique QR codes were generated during consecutive attempts to set up 2FA (JPF-10149) | Low | 2020.01 | CWE-342 |
| JetBrains Account | Clickjacking was possible on a JetBrains Account page. Reported by Raja Ahtisham (JPF-10154) | Moderate | 2020.01 | CWE-1021 |
| JetBrains Account | Customer name enumeration by numeric customer ID was possible (JPF-10159, JPF-10301) | High | 2020.03 | CWE-200 |
| JetBrains Account | Country value coming from a user wasn’t correctly validated (JPF-10258) | High | 2020.02 | CWE-285 |
| JetBrains Account | Information disclosure from JetBrains Account was possible via the “Back” button. Reported by Ratnadip Gajbhiye (JPF-10266) | Low | 2020.02 | CWE-200 |
| JetBrains Website | Reflected XSS at jetbrains.com was possible. Reported by Rahad Chowdhury (JS-11769) | High | Not applicable | CWE-79 |
| Hub | Content spoofing in the Hub OAuth error message was possible (JPS-10093) | Moderate | 2020.1.12099 | CVE-2020-11691 |
| Plugin Marketplace | Uploading a malicious file via the Screenshots form could cause XSS (MP-2637) | Moderate | Not applicable | CWE-79 |
| PyCharm | Apple Notarization Service credentials were included in the PyCharm distribution for Windows. Reported by Ruby Nealon (IDEA-232217) | High | 2019.3.3, 2019.2.6 | CVE-2020-11694 |
| Space | Session timeout period was configured improperly (SPACE-4717) | Low | Not applicable | CVE-2020-11795 |
| Space | Stored XSS in Space chats was possible. Reported by Callum Carney (SPACE-6556) | Moderate | Not applicable | CVE-2020-11416 |
| Space | Password authentication implementation was insecure (SPACE-7282) | High | Not applicable | CVE-2020-11796 |
| TeamCity | Password values were shown unmasked on several pages (TW-64186) | Low | 2019.2.2 | CVE-2020-11687 |
| TeamCity | Project administrator was able to see scrambled password parameters used in a project (TW-58099) | Moderate | 2019.2.2 | CVE-2020-11938 |
| TeamCity | Project administrator was able to retrieve some TeamCity server settings (TW-61626) | Low | 2019.1.4 | CVE-2020-11686 |
| TeamCity | Application state was kept alive after a user ended their session (TW-61824) | Low | 2019.2.1 | CVE-2020-11688 |
| TeamCity | A user without appropriate permissions was able to import settings from settings.kts (TW-63698) | Low | 2019.2.1 | CVE-2020-11689 |
| YouTrack | DB export was accessible to read-only administrators (JT-56001) | Low | 2020.1.659 | CVE-2020-11692 |
| YouTrack | DoS could be performed by attaching a malformed TIFF to an issue. Reported by Chris Smith (JT-56407) | High | 2020.1.659 | CVE-2020-11693 |

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop