JetBrains Security Bulletin Q2 2021
In the second quarter of 2021, we resolved a number of security issues in our products. Below is a summary of each issue, its severity, the version in which it was resolved (Not applicable for issues with no customer-installable fix version), the reporter where applicable, and the CVE identifier where one was assigned.
| Product | Description | Severity | Resolved in | CVE/CWE |
|---|---|---|---|---|
| Datalore | Potential JWT takeover using a redirect misconfiguration. Reported by Yurii Sanin (DL-9225, JPF-11801) | High | Not applicable | Not applicable |
Datalore | There was no way to drop all active sessions. Reported by Bharat (DL-9247) | High | Not applicable | Not applicable |
JetBrains Account | OTP could be used several times after a successful validation (JPF-11119) | Low | 2021.04 | Not applicable |
JetBrains Account | Potential account takeover via OAuth integration. Reported by Bharat (JPF-11802) | High | 2021.06 | Not applicable |
JetBrains Websites | Reflected XSS on jetbrains.com. Reported by Vasu Solanki (JS-14004) | Low | Not applicable | Not applicable |
Hub | Potentially insufficient CSP for the Widget deployment feature (JPS-10736) | Low | 2021.1.13262 | CVE-2021-37540 |
Hub | Account takeover was possible during password reset. Reported by PetrusViet (a member of VNG Security) (JPS-10767) | High | 2021.1.13389 | CVE-2021-36209 |
Hub | HTML injection in the password reset email was possible. Reported by Bharat (JPS-10797) | Medium | 2021.1.13402 | CVE-2021-37541 |
RubyMine | Code execution without user confirmation was possible for untrusted projects (RUBY-27702) | Medium | 2021.1.1 | CVE-2021-37543 |
Space | Deprecated organization-wide package repositories were publicly visible (SPACE-14151) | High | Not applicable | Not applicable |
TeamCity | Potential XSS (TW-61688) | High | 2020.2.3 | CVE-2021-37542 |
TeamCity | Insecure deserialization (TW-70057, TW-70080) | High | 2020.2.4 | CVE-2021-37544 |
TeamCity | Insufficient authentication checks for agent requests (TW-70166) | High | 2021.1.1 | CVE-2021-37545 |
TeamCity | Insecure key generation for encrypted properties (TW-70201) | Low | 2021.1 | CVE-2021-37546 |
TeamCity | Insufficient checks while uploading files (TW-70546) | Medium | 2020.2.4 | CVE-2021-37547 |
TeamCity | Plain-text passwords could sometimes be stored in VCS (TW-71008) | Medium | 2021.1 | CVE-2021-37548 |
YouTrack | Insufficient sandboxing in workflows (JT-63222, JT-63254) | Critical | 2021.1.11111 | CVE-2021-37549 |
YouTrack | Time-unsafe comparisons were used (JT-63697) | Low | 2021.2.16363 | CVE-2021-37550 |
YouTrack | System user passwords were hashed with SHA-256 (JT-63698) | Low | 2021.2.16363 | CVE-2021-37551 |
YouTrack | An insecure PRNG was used (JT-63699) | Low | 2021.2.16363 | CVE-2021-37553 |
YouTrack | Reflected XSS on the konnector service in Firefox (JT-63702) | Low | Not applicable | Not applicable |
YouTrack | Stored XSS (JT-64564) | Medium | 2021.2.17925 | CVE-2021-37552 |
YouTrack | Users could see boards without having the necessary permissions (JT-64634) | Low | 2021.3.21051 | CVE-2021-37554 |
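Four of the low-severity rows above are generic weakness classes rather than product-specific bugs: an OTP that stays valid after a successful validation (JPF-11119), a timing-unsafe comparison (JT-63697), passwords hashed with plain SHA-256 (JT-63698), and a non-cryptographic PRNG (JT-63699). The following is an added example, not JetBrains, YouTrack or JetBrains Account code, and it makes no claim about how those products were implemented: a hypothetical `WeakVerifier` exhibits all four weaknesses in one small OTP and password checker, and a `HardenedVerifier` with the same interface shows the fix for each. The user names and passwords are constructed sample data, the PBKDF2 iteration count is an assumed tuning value, and PBKDF2-HMAC-SHA256 is chosen here as one reasonable password KDF (the bulletin does not say what YouTrack switched to).

```python
"""Added example (not JetBrains code): a hypothetical OTP/password verifier
exhibiting four weakness classes from the bulletin, beside the hardened form.

WeakVerifier:     reusable OTP, timing-unsafe '==', unsalted SHA-256 password
                  hash, Mersenne Twister PRNG for the OTP
HardenedVerifier: single-use OTP with attempt limit, hmac.compare_digest,
                  salted PBKDF2-HMAC-SHA256, secrets (CSPRNG)
"""
import hashlib
import hmac
import os
import random
import secrets

PBKDF2_ITERATIONS = 200_000  # assumed tuning; raise until ~100 ms per hash on your hardware
MAX_OTP_ATTEMPTS = 5         # assumed policy: invalidate the code after this many guesses


class WeakVerifier:
    """Hypothetical code exhibiting the weaknesses; do not copy."""

    def __init__(self):
        self.otps = {}       # user -> current OTP
        self.passwords = {}  # user -> sha256 hex digest

    def issue_otp(self, user):
        # random.randrange() is Mersenne Twister: its state can be recovered
        # from observed outputs, so future OTPs become predictable.
        otp = "%06d" % random.randrange(10**6)
        self.otps[user] = otp
        return otp

    def check_otp(self, user, candidate):
        stored = self.otps.get(user)
        # '==' stops at the first differing character (timing side channel),
        # and the OTP is never invalidated, so a captured code keeps working.
        return stored is not None and stored == candidate

    def set_password(self, user, password):
        # Unsalted single SHA-256: cheap to brute-force, and identical
        # passwords yield identical digests across users.
        self.passwords[user] = hashlib.sha256(password.encode()).hexdigest()

    def check_password(self, user, password):
        digest = hashlib.sha256(password.encode()).hexdigest()
        return self.passwords.get(user) == digest


class HardenedVerifier:
    """Same interface, with each weakness addressed."""

    def __init__(self):
        self.otps = {}       # user -> current OTP
        self.attempts = {}   # user -> failed/total validation attempts for that OTP
        self.passwords = {}  # user -> (salt, derived key)

    def issue_otp(self, user):
        otp = "%06d" % secrets.randbelow(10**6)  # CSPRNG-backed, unpredictable
        self.otps[user] = otp
        self.attempts[user] = 0
        return otp

    def check_otp(self, user, candidate):
        stored = self.otps.get(user)
        if stored is None:
            return False
        self.attempts[user] = self.attempts.get(user, 0) + 1
        # Constant-time comparison over bytes of equal encoding.
        ok = hmac.compare_digest(stored.encode(), candidate.encode())
        if ok or self.attempts[user] >= MAX_OTP_ATTEMPTS:
            del self.otps[user]  # consume on success, or lock out after too many guesses
        return ok

    def set_password(self, user, password):
        salt = os.urandom(16)  # per-user random salt
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.passwords[user] = (salt, key)

    def check_password(self, user, password):
        record = self.passwords.get(user)
        if record is None:
            return False
        salt, key = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(key, candidate)


def otp_is_reusable(verifier):
    """Issue one OTP and validate it twice; True if the second check also passes."""
    otp = verifier.issue_otp("alice")  # constructed sample user
    first = verifier.check_otp("alice", otp)
    second = verifier.check_otp("alice", otp)
    return first and second


def same_password_same_record(verifier):
    """True if two users with the same password get an identical stored record."""
    verifier.set_password("alice", "correct horse battery")  # constructed sample data
    verifier.set_password("bob", "correct horse battery")
    return verifier.passwords["alice"] == verifier.passwords["bob"]


if __name__ == "__main__":
    for cls in (WeakVerifier, HardenedVerifier):
        print(cls.__name__, "otp reusable:", otp_is_reusable(cls()),
              "shared password record:", same_password_same_record(cls()))
```

Run as a script, the weak class reports the OTP as reusable and the two identical passwords as sharing one record, while the hardened class reports neither. Note that `hmac.compare_digest` still leaks whether the two inputs have the same length, which is harmless for fixed-width codes and keys, and that an attempt limit is what turns single-use codes into real brute-force resistance.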
If you need any further assistance, please contact our Security Team.
Your JetBrains Team