
JetBrains Security Bulletin Q2 2021

In the second quarter of 2021, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.

| Product | Description | Severity | Resolved in | CVE/CWE |
|---|---|---|---|---|
| Datalore | Potential JWT token takeover using a redirect misconfiguration. Reported by Yurii Sanin (DL-9225, JPF-11801) | High | Not applicable | Not applicable |
| Datalore | There was no way to drop all active sessions. Reported by Bharat (DL-9247) | High | Not applicable | Not applicable |
| JetBrains Account | OTP could be used several times after a successful validation (JPF-11119) | Low | 2021.04 | Not applicable |
| JetBrains Account | Potential account takeover via OAuth integration. Reported by Bharat (JPF-11802) | High | 2021.06 | Not applicable |
| JetBrains Websites | Reflected XSS on Reported by Vasu Solanki (JS-14004) | Low | Not applicable | Not applicable |
| Hub | Potentially insufficient CSP for the Widget deployment feature (JPS-10736) | Low | 2021.1.13262 | CVE-2021-37540 |
| Hub | Account takeover was possible during password reset. Reported by PetrusViet (a member of VNG Security) (JPS-10767) | High | 2021.1.13389 | CVE-2021-36209 |
| Hub | HTML injection in the password reset email was possible. Reported by Bharat (JPS-10797) | Medium | 2021.1.13402 | CVE-2021-37541 |
| RubyMine | Code execution without user confirmation was possible for untrusted projects (RUBY-27702) | Medium | 2021.1.1 | CVE-2021-37543 |
| Space | Deprecated organization-wide package repositories were publicly visible (SPACE-14151) | High | Not applicable | Not applicable |
| TeamCity | Potential XSS (TW-61688) | High | 2020.2.3 | CVE-2021-37542 |
| TeamCity | Insecure deserialization (TW-70057, TW-70080) | High | 2020.2.4 | CVE-2021-37544 |
| TeamCity | Insufficient authentication checks for agent requests (TW-70166) | High | 2021.1.1 | CVE-2021-37545 |
| TeamCity | Insecure key generation for encrypted properties (TW-70201) | Low | 2021.1 | CVE-2021-37546 |
| TeamCity | Insufficient checks while uploading files (TW-70546) | Medium | 2020.2.4 | CVE-2021-37547 |
| TeamCity | Plain-text passwords could sometimes be stored in VCS (TW-71008) | Medium | 2021.1 | CVE-2021-37548 |
| YouTrack | Insufficient sandboxing in workflows (JT-63222, JT-63254) | Critical | 2021.1.11111 | CVE-2021-37549 |
| YouTrack | Time-unsafe comparisons were used (JT-63697) | Low | 2021.2.16363 | CVE-2021-37550 |
| YouTrack | System user passwords were hashed with SHA-256 (JT-63698) | Low | 2021.2.16363 | CVE-2021-37551 |
| YouTrack | An insecure PRNG was used (JT-63699) | Low | 2021.2.16363 | CVE-2021-37553 |
| YouTrack | Reflected XSS on the konnector service in Firefox (JT-63702) | Low | Not applicable | Not applicable |
| YouTrack | Stored XSS (JT-64564) | Medium | 2021.2.17925 | CVE-2021-37552 |
| YouTrack | Users could see boards without having the necessary permissions (JT-64634) | Low | 2021.3.21051 | CVE-2021-37554 |

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop