JetBrains Security

JetBrains Security Bulletin Q4 2021

In the fourth quarter of 2021, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.

| Product | Description | Severity | Resolved in | CVE/CWE |
|---|---|---|---|---|
| Datalore | Another user’s database could be attached (DL-9779) | High | Not applicable | Not applicable |
| Hub | JetBrains Account integration exposed API keys with excessive permissions. Reported by Yurii Sanin (HUB-10958) | High | 2021.1.13890 | CVE-2022-24327 |
| Hub | An unprivileged user could perform a DoS. Reported by Yurii Sanin (HUB-10976) | High | 2021.1.13956 | CVE-2022-24328 |
| IntelliJ IDEA | Code could be executed without the user’s permission on opening a project (IDEA-243002, IDEA-277306, IDEA-282396, IDEA-275917) | Medium | 2021.2.4 | CVE-2022-24345 |
| IntelliJ IDEA | Potential LCE via RLO (Right-to-Left Override) characters (IDEA-284150) | Medium | 2021.3.1 | CVE-2022-24346 |
| JetBrains Blog | Blind SQL injection. Reported by Khan Janny (BLOG-45) | Medium | Not applicable | Not applicable |
| Kotlin | No ability to lock dependencies for Kotlin Multiplatform Gradle projects. Reported by Carter Jernigan (KT-49449) | Medium | 1.6.0 | CVE-2022-24329 |
| Kotlin websites | Clickjacking (KTL-588) | Medium | Not applicable | Not applicable |
| Remote Development | Unexpected open port on backend server. Please refer to this blog post for additional details. Reported by Damian Gwiżdż (GTW-894) | High | 2021.3.1 | CVE-2021-45977 |
| Space | Missing permission check in an HTTP API response (SPACE-15991) | High | Not applicable | Not applicable |
| TeamCity | A redirect to an external site was possible (TW-71113) | Low | 2021.2.1 | CVE-2022-24330 |
| TeamCity | Logout failed to remove the “Remember Me” cookie (TW-72969) | Low | 2021.2 | CVE-2022-24332 |
| TeamCity | GitLab authentication impersonation. Reported by Christian Pedersen (TW-73375) | High | 2021.1.4 | CVE-2022-24331 |
| TeamCity | The “Agent push” feature allowed any private key on the server to be selected (TW-73399) | Low | 2021.2.1 | CVE-2022-24334 |
| TeamCity | Blind SSRF via an XML-RPC call. Reported by Artem Godin (TW-73465) | Medium | 2021.2 | CVE-2022-24333 |
| TeamCity | Time-of-check/Time-of-use (TOCTOU) vulnerability in agent registration via XML-RPC. Reported by Artem Godin (TW-73468) | High | 2021.2 | CVE-2022-24335 |
| TeamCity | An unauthenticated attacker could cancel running builds via an XML-RPC request to the TeamCity server. Reported by Artem Godin (TW-73469) | Medium | 2021.2.1 | CVE-2022-24336 |
| TeamCity | Pull requests’ health items were shown to users without appropriate permissions (TW-73516) | Low | 2021.2 | CVE-2022-24337 |
| TeamCity | Stored XSS. Reported by Yurii Sanin (TW-73737) | Medium | 2021.2.1 | CVE-2022-24339 |
| TeamCity | URL injection leading to CSRF. Reported by Yurii Sanin (TW-73859) | Medium | 2021.2.1 | CVE-2022-24342 |
| TeamCity | Changing a password failed to terminate sessions of the edited user (TW-73888) | Low | 2021.2.1 | CVE-2022-24341 |
| TeamCity | XXE during the parsing of a configuration file (TW-73932) | Medium | 2021.2.1 | CVE-2022-24340 |
| TeamCity | Reflected XSS (TW-74043) | Medium | 2021.2.1 | CVE-2022-24338 |
| YouTrack | Stored XSS on the Notification templates page (JT-65752) | Low | 2021.4.31698 | CVE-2022-24344 |
| YouTrack | A custom logo could be set with read-only permissions (JT-66214) | Low | 2021.4.31698 | CVE-2022-24343 |
| YouTrack | Stored XSS via project icon. Reported by Yurii Sanin (JT-67176) | Medium | 2021.4.36872 | CVE-2022-24347 |

If you need any further assistance, please contact our Security Team.

Your JetBrains Team
The Drive to Develop