JetBrains Security Bulletin Q2 2020

Posted on by Robert Demmer

In the second quarter of 2020, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.

Product Description Severity Resolved in CVE/CWE
Datalore Stack trace disclosure. (DL-7350) Low Not applicable CWE-536
Datalore Reverse tabnabbing was possible. (DL-7708) Low Not applicable CWE-1022
JetBrains Account Throttling for reset password functionality was missing if 2FA was enabled. Reported by Manu Pranav. (JPF-10527) Medium 2020.06 CWE-799
JetBrains Website Stack trace disclosure in case of an incorrect character in request. (JS-12490) Low Not applicable CWE-536
JetBrains Website Reflected XSS on jetbrains.com subdomain. Reported by Ritik Chaddha. (JS-12562) Low Not applicable CWE-79
JetBrains Website Open-redirect issues on kotlinconf.com. Reported by Ritik Chaddha. (JS-12581) Low Not applicable CWE-601
JetBrains Website Clickjacking was possible on a non-existent page. Reported by Pravas Ranjan Kanungo. (JS-12835) Low Not applicable CWE-1021
YouTrack Subtasks workflow could disclose the existence of an issue. (JT-45316) Low 2020.2.8527 CVE-2020-15818
YouTrack An external user could execute commands against arbitrary issues. (JT-56848) High 2020.1.1331 CVE-2020-15817
YouTrack SSRF vulnerability that allowed scanning internal ports. Reported by Evren Yalçın. (JT-56917) Low 2020.2.10643 CVE-2020-15819
YouTrack It was possible to change a redirect from any existing YouTrack InCloud instance to another instance. (JT-57036) Medium 2020.1.3588 CWE-601
YouTrack The markdown parser could disclose the existence of a hidden file. (JT-57235) Low 2020.2.6881 CVE-2020-15820
YouTrack A user without the appropriate permissions could create an article draft. (JT-57649) Medium 2020.2.6881 CVE-2020-15821
YouTrack The AWS metadata of a YouTrack InCloud instance was disclosed via SSRF in a workflow. Reported by Yurii Sanin. (JT-57964) High 2020.2.8873 CVE-2020-15823
YouTrack SSRF was possible because URL filtering could be escaped. Reported by Yurii Sanin. (JT-58204) Low 2020.2.10514 CVE-2020-15822
Kotlin Script cache privilege escalation vulnerability. Reported by Henrik Tunedal. (KT-38222) Medium 1.4.0 CVE-2020-15824
Space Draft title was disclosed to a user without access to the draft. (SPACE-5594) Low Not applicable CWE-200
Space A missing authorization check caused privilege escalation. Reported by Callum Carney. (SPACE-8034) High Not applicable CWE-266
Space Blind SSRF via calendar import. Reported by Yurii Sanin. (SPACE-8273) Medium Not applicable CWE-918
Space Drafts of direct messages sent from the iOS app could be sent to the channel. (SPACE-8377) Low Not applicable CWE-200
Space Chat messages were propagated to the browser console. (SPACE-8386) High Not applicable CWE-215
Space Missing authentication checks in Space Automation. (SPACE-8431) Critical Not applicable CWE-306
Space Missing authentication checks in Job-related API. (SPACE-8822) Low Not applicable CWE-306
Space Incorrect checks of public key content. (SPACE-9169) Medium Not applicable CWE-287
Space Stored XSS via repository resource. (SPACE-9277) High Not applicable CWE-79
Toolbox App Missing signature on “jetbrains-toolbox.exe”. (TBX-4671) Low 1.17.6856 CVE-2020-15827
TeamCity Users were able to assign more permissions than they had. (TW-36158) Low 2020.1 CVE-2020-15826
TeamCity Users with the “Modify group” permission could elevate other users’ privileges. (TW-58858) Medium 2020.1 CVE-2020-15825
TeamCity Password parameters could be disclosed via build logs. (TW-64484) Low 2019.2.3 CVE-2020-15829
TeamCity Project parameter values could be retrieved by a user without the appropriate permissions. (TW-64587) High 2020.1.1 CVE-2020-15828
TeamCity Reflected XSS on administration UI. (TW-64668) High 2019.2.3 CVE-2020-15831
TeamCity Stored XSS on administration UI. (TW-64699) High 2019.2.3 CVE-2020-15830
Upsource Unauthorized access was possible through an error in accounts linking. (SDP-940) Low 2020.1 CVE-2019-19704

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop