JetBrains Security Bulletin Q1 2020
In the first quarter of 2020, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.
| Product | Description | Severity | Resolved in | Identifier |
|---|---|---|---|---|
| Datalore | A user's SSH key could be deleted without appropriate permissions. Reported by Callum Carney (DL-7833) | Moderate | Not applicable | CWE-639 |
| Datalore | SSRF could be triggered via an attached file. Reported by Callum Carney (DL-7836) | High | Not applicable | CWE-918 |
| GoLand | Plain HTTP was used to access the plugin repository (GO-8694) | Low | 2019.3.2 | CVE-2020-11685 |
| IntelliJ IDEA | The license server could be resolved to an untrusted host in some cases (IDEA-219748) | High | 2020.1 | CVE-2020-11690 |
| JetBrains Account | Non-unique QR codes were generated during consecutive attempts to set up 2FA (JPF-10149) | Low | 2020.01 | CWE-342 |
| JetBrains Account | Clickjacking was possible on a JetBrains Account page. Reported by Raja Ahtisham (JPF-10154) | Moderate | 2020.01 | CWE-1021 |
| JetBrains Account | Customer name enumeration by numeric customer ID was possible (JPF-10159, JPF-10301) | High | 2020.03 | CWE-200 |
| JetBrains Account | The country value supplied by a user was not correctly validated (JPF-10258) | High | 2020.02 | CWE-285 |
| JetBrains Account | Information disclosure from JetBrains Account was possible via the browser's "Back" button. Reported by Ratnadip Gajbhiye (JPF-10266) | Low | 2020.02 | CWE-200 |
| JetBrains Website | Reflected XSS on jetbrains.com was possible. Reported by Rahad Chowdhury (JS-11769) | High | Not applicable | CWE-79 |
| Hub | Content spoofing in the Hub OAuth error message was possible (JPS-10093) | Moderate | 2020.1.12099 | CVE-2020-11691 |
| Plugin Marketplace | Uploading a malicious file via the Screenshots form could cause XSS (MP-2637) | Moderate | Not applicable | CWE-79 |
| PyCharm | Apple Notarization Service credentials were included in the PyCharm distribution for Windows. Reported by Ruby Nealon (IDEA-232217) | High | 2019.3.3, 2019.2.6 | CVE-2020-11694 |
| Space | The session timeout period was configured improperly (SPACE-4717) | Low | Not applicable | CVE-2020-11795 |
| Space | Stored XSS in Space chats was possible. Reported by Callum Carney (SPACE-6556) | Moderate | Not applicable | CVE-2020-11416 |
| Space | The password authentication implementation was insecure (SPACE-7282) | High | Not applicable | CVE-2020-11796 |
| TeamCity | Password values were shown unmasked on several pages (TW-64186) | Low | 2019.2.2 | CVE-2020-11687 |
| TeamCity | A project administrator was able to see scrambled password parameters used in a project (TW-58099) | Moderate | 2019.2.2 | CVE-2020-11938 |
| TeamCity | A project administrator was able to retrieve some TeamCity server settings (TW-61626) | Low | 2019.1.4 | CVE-2020-11686 |
| TeamCity | Application state was kept alive after a user ended their session (TW-61824) | Low | 2019.2.1 | CVE-2020-11688 |
| TeamCity | A user without appropriate permissions was able to import settings from settings.kts (TW-63698) | Low | 2019.2.1 | CVE-2020-11689 |
| YouTrack | DB export was accessible to read-only administrators (JT-56001) | Low | 2020.1.659 | CVE-2020-11692 |
| YouTrack | DoS could be caused by attaching a malformed TIFF to an issue. Reported by Chris Smith (JT-56407) | High | 2020.1.659 | CVE-2020-11693 |
If you need any further assistance, please contact our Security Team.
Subscribe to receive the bulletin in your mailbox.
Your JetBrains Team
The Drive to Develop