JetBrains Security Bulletin Q2 2021
In the second quarter of 2021, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.
| Product | Description | Severity | Resolved in | CVE ID |
|---|---|---|---|---|
| Datalore | Potential JWT token takeover using a redirect misconfiguration. Reported by Yurii Sanin (DL-9225, JPF-11801) | High | Not applicable | Not applicable |
| Datalore | There was no way to drop all active sessions. Reported by Bharat (DL-9247) | High | Not applicable | Not applicable |
| JetBrains Account | OTP could be used several times after a successful validation (JPF-11119) | Low | 2021.04 | Not applicable |
| JetBrains Account | Potential account takeover via OAuth integration. Reported by Bharat (JPF-11802) | High | 2021.06 | Not applicable |
| JetBrains Websites | Reflected XSS on jetbrains.com. Reported by Vasu Solanki (JS-14004) | Low | Not applicable | Not applicable |
| Hub | Potentially insufficient CSP for the Widget deployment feature (JPS-10736) | Low | 2021.1.13262 | CVE-2021-37540 |
| Hub | Account takeover was possible during password reset. Reported by PetrusViet (a member of VNG Security) (JPS-10767) | High | 2021.1.13389 | CVE-2021-36209 |
| Hub | HTML injection in the password reset email was possible. Reported by Bharat (JPS-10797) | Medium | 2021.1.13402 | CVE-2021-37541 |
| RubyMine | Code execution without user confirmation was possible for untrusted projects (RUBY-27702) | Medium | 2021.1.1 | CVE-2021-37543 |
| Space | Deprecated organization-wide package repositories were publicly visible (SPACE-14151) | High | Not applicable | Not applicable |
| TeamCity | Potential XSS (TW-61688) | High | 2020.2.3 | CVE-2021-37542 |
| TeamCity | Insecure deserialization (TW-70057, TW-70080) | High | 2020.2.4 | CVE-2021-37544 |
| TeamCity | Insufficient authentication checks for agent requests (TW-70166) | High | 2021.1.1 | CVE-2021-37545 |
| TeamCity | Insecure key generation for encrypted properties (TW-70201) | Low | 2021.1 | CVE-2021-37546 |
| TeamCity | Insufficient checks while uploading files (TW-70546) | Medium | 2020.2.4 | CVE-2021-37547 |
| TeamCity | Plain-text passwords could sometimes be stored in VCS (TW-71008) | Medium | 2021.1 | CVE-2021-37548 |
| YouTrack | Insufficient sandboxing in workflows (JT-63222, JT-63254) | Critical | 2021.1.11111 | CVE-2021-37549 |
| YouTrack | Time-unsafe comparisons were used (JT-63697) | Low | 2021.2.16363 | CVE-2021-37550 |
| YouTrack | System user passwords were hashed with SHA-256 (JT-63698) | Low | 2021.2.16363 | CVE-2021-37551 |
| YouTrack | An insecure PRNG was used (JT-63699) | Low | 2021.2.16363 | CVE-2021-37553 |
| YouTrack | Reflected XSS on the konnector service in Firefox (JT-63702) | Low | Not applicable | Not applicable |
| YouTrack | Stored XSS (JT-64564) | Medium | 2021.2.17925 | CVE-2021-37552 |
| YouTrack | Users could see boards without having the necessary permissions (JT-64634) | Low | 2021.3.21051 | CVE-2021-37554 |
If you need any further assistance, please contact our Security Team.
Your JetBrains Team