FYI
News
Security
JetBrains Security Bulletin Q1 2020
In the first quarter of 2020, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.
| Product | Description | Severity | Resolved in | CVE/CWE |
| Datalore | User’s SSH key can be deleted without appropriate permissions. Reported by Callum Carney (DL-7833) | Moderate | Not applicable | CWE-639 |
| Datalore | SSRF could be caused by an attached file. Reported by Callum Carney (DL-7836) | High | Not applicable | CWE-918 |
| GoLand | Plain HTTP was used to access plugin repository (GO-8694) | Low | 2019.3.2 | CVE-2020-11685 |
| IntelliJ IDEA | License server could be resolved to untrusted host in some cases (IDEA-219748) | High | 2020.1 | CVE-2020-11690 |
| JetBrains Account | Non-unique QR codes were generated during consequent attempts to set up 2FA (JPF-10149) | Low | 2020.01 | CWE-342 |
| JetBrains Account | Clickjacking was possible on a JetBrains Account page. Reported by Raja Ahtisham (JPF-10154) | Moderate | 2020.01 | CWE-1021 |
| JetBrains Account | Customer name enumeration by numeric customer ID was possible (JPF-10159, JPF-10301) | High | 2020.03 | CWE-200 |
| JetBrains Account | Country value coming from a user wasn’t correctly validated (JPF-10258) | High | 2020.02 | CWE-285 |
| JetBrains Account | Information disclosure from JetBrains Account was possible via the “Back” button. Reported by Ratnadip Gajbhiye (JPF-10266) | Low | 2020.02 | CWE-200 |
| JetBrains Website | Reflected XSS at jetbrains.com was possible. Reported by Rahad Chowdhury (JS-11769) | High | Not applicable | CWE-79 |
| Hub | Content spoofing at Hub OAuth error message was possible (JPS-10093) | Moderate | 2020.1.12099 | CVE-2020-11691 |
| Plugin Marketplace | Uploading malicious file via Screenshots form could cause XSS (MP-2637) | Moderate | Not applicable | CWE-79 |
| PyCharm | Apple Notarization Service credentials were included in PyCharm distributive for Windows. Reported by Ruby Nealon (IDEA-232217) | High | 2019.3.3, 2019.2.6 | CVE-2020-11694 |
| Space | Session timeout period was configured improperly (SPACE-4717) | Low | Not applicable | CVE-2020-11795 |
| Space | Stored XSS in Space chats was possible. Reported by Callum Carney (SPACE-6556) | Moderate | Not applicable | CVE-2020-11416 |
| Space | Password authentication implementation was insecure (SPACE-7282) | High | Not applicable | CVE-2020-11796 |
| TeamCity | Password values were shown not being masked on several pages (TW-64186) | Low | 2019.2.2 | CVE-2020-11687 |
| TeamCity | Project administrator was able to see scrambled password parameters used in a project (TW-58099) | Moderate | 2019.2.2 | CVE-2020-11938 |
| TeamCity | Project administrator was able to retrieve some TeamCity server settings (TW-61626) | Low | 2019.1.4 | CVE-2020-11686 |
| TeamCity | Application state kept alive after a user ended their session (TW-61824) | Low | 2019.2.1 | CVE-2020-11688 |
| TeamCity | A user without appropriate permissions was able import settings from settings.kts (TW-63698) | Low | 2019.2.1 | CVE-2020-11689 |
| YouTrack | DB export was accessible to read-only administrators (JT-56001) | Low | 2020.1.659 | CVE-2020-11692 |
| YouTrack | DoS could be performed by attaching a malformed TIFF to an issue. Reported by Chris Smith (JT-56407) | High | 2020.1.659 | CVE-2020-11693 |
If you need any further assistance, please contact our Security Team.
Subscribe to receive the bulletin in your mailbox.
Your JetBrains Team
The Drive to Develop
Subscribe to JetBrains Blog updates
