JetBrains News Security

JetBrains Security Bulletin Q4 2020

In the fourth quarter of 2020, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.

Product Description Severity Resolved in CVE/CWE
Code With Me An attacker in the local network knowing the session ID could get access to the encrypted traffic. Reported by Grigorii Liullin (CWM-1067) Low 2020.3 CVE-2021-25755
Datalore Server components versions were disclosed (DL-8327, DL-8335) Low Not applicable CWE-200
Exception Analyzer Information disclosure via the Exception Analyzer (SDP-1248) Low Not applicable CWE-200
IntelliJ IDEA HTTP links were used for several remote repositories (IDEA-228726) Low 2020.2 CVE-2021-25756
IntelliJ IDEA Potentially insecure deserialization of the workspace model (IDEA-253582) Low 2020.3 CVE-2021-25758
JetBrains Account Authorization token was sent as a query parameter within Zendesk integration (JPF-10508) Low 2020.11 CWE-598
JetBrains Account Open-redirect was possible (JPF-10660) Low 2020.10 CWE-601
JetBrains Websites Cross-origin resource sharing was possible. Reported by Ashhad Ali (SDP-1193) Low Not applicable CWE-942
JetBrains Websites Throttling was not used for a particular endpoint. Reported by Ashhad Ali (SDP-1197) Low Not applicable CWE-799
JetBrains Websites Clickjacking was possible. Reported by Ashhad Ali (SDP-1203) Low Not applicable CWE-1021
Hub Open-redirect was possible. Reported by Mohammed Amine El Attar (JPS-10348) Medium 2020.1.12629 CVE-2021-25757
Hub An authorized user could delete the 2FA settings of any other user (JPS-10410) Medium 2020.1.12629 CVE-2021-25759
Hub Information disclosure via public API (JPS-10481) Low 2020.1.12669 CVE-2021-25760
Kotlin A vulnerable Java API was used for creating temporary files and folders, which could make temporary files available for other users of a system. Reported by Jonathan Leitschuh (KT-42181) Low 1.4.21 CVE-2020-29582
Ktor Birthday attack on SessionStorage key was possible. Reported by Kenta Koyama (KTOR-878) Low 1.5.0 CVE-2021-25761
Ktor Weak cipher suites were enabled by default. Reported by Johannes Ulfkjær Jensen (KTOR-895) Low 1.4.2 CVE-2021-25763
Ktor HTTP Request Smuggling was possible. Reported by ZeddYu Lu, Kaiwen Shen, and Yaru Yang (KTOR-1116) Low 1.4.3 CVE-2021-25762
PhpStorm Source code could be added to debug logs (WI-54619) Low 2020.3 CVE-2021-25764
YouTrack CSRF via attachment upload. Reported by Yurii Sanin (JT-58157) Medium 2020.4.4701 CVE-2021-25765
YouTrack Users enumeration via the REST API without the appropriate permissions (JT-59396, JT-59498) Low 2020.4.4701 CVE-2020-25208
YouTrack Improper resource access checks (JT-59397) Low 2020.4.4701 CVE-2021-25766
YouTrack Issue’s existence disclosure via the YouTrack command execution (JT-59663) Low 2020.6.1767 CVE-2021-25767
YouTrack Improper permissions checks for attachment actions (JT-59900) Low 2020.4.4701 CVE-2021-25768
YouTrack Improper permissions checks for attachment actions (JT-59900) Low 2020.4.4701 CVE-2021-25768
YouTrack YouTrack admin wasn’t able to access attachments (JT-60824) Low 2020.4.6808 CVE-2021-25769
YouTrack Server-side template injection in YouTrack InCloud. Reported by Vasily Vasilkov (JT-61449) High 2020.5.3123 CVE-2021-25770
YouTrack Project information disclosure (JT-61566) Low 2020.6.1099 CVE-2021-25771
Space Potential information disclosure via logs (SPACE-9343, SPACE-10969) Low Not applicable CWE-532
Space An attacker could obtain limited information via SSRF while testing the connection to a mirrored repository (SPACE-9514) High Not applicable CWE-918
Space Content-Type header wasn’t set for some pages (SPACE-12004) Low Not applicable CWE-531
Space A REST API endpoint was available without an appropriate permissions check, which could introduce a potential DOS vector (no real exploit available). (SPACE-12288) Low Not applicable CWE-732
TeamCity Reflected XSS on several pages (TW-67424, TW-68098) Medium 2020.2 CVE-2021-25773
TeamCity TeamCity server DoS was possible via server integration (TW-68406, TW-68780) Low 2020.2 CVE-2021-25772
TeamCity ECR token exposure in the build’s parameters (TW-68515) Medium 2020.2 CVE-2021-25776
TeamCity A user could get access to the GitHub access token of another user (TW-68646) Low 2020.2.1 CVE-2021-25774
TeamCity Server admin could create and see access tokens for any other users (TW-68862) Low 2020.2.1 CVE-2021-25775
TeamCity Improper permissions checks during user deletion (TW-68864) Low 2020.2.1 CVE-2021-25778
TeamCity Improper permissions checks during tokens removal (TW-68871) Low 2020.2.1 CVE-2021-25777
TeamCity TeamCity Plugin SSRF. Vulnerability that could potentially expose user credentials. Reported by Jonathan Leitschuh (TW-69068) High 2020.2.85695 CVE-2020-35667

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop