SpringShell Vulnerability in JetBrains Products and Services

What happened

On March 29, 2022, we became aware of the Remote Code Execution vulnerabilities CVE-2022-22963 and CVE-2022-22965 in several libraries of the Spring Framework, which is commonly used in web applications.

Our response

Together with the product teams, we ran an audit of JetBrains web applications, including the products YouTrack, Hub, TeamCity, Space, and Datalore, and the services JetBrains Website and JetBrains Account.

The applications listed above either do not use vulnerable versions of Spring or do not meet known exploitation criteria, and are therefore not affected by the discovered security issues. Please refer to the following technical discussions concerning TeamCity, Hub, and YouTrack.

Other JetBrains products, including all IntelliJ Platform IDEs, .NET tools, Toolbox App, Code With Me, JetBrains Gateway, Kotlin, and Ktor, are not affected by the issues, as they are not web applications using the Spring Framework.

We will continue monitoring any further developments with these vulnerabilities.

We will also continue to test our products and services for security issues resulting from the use of third-party components, and update the versions of any such components as and when appropriate fixes become available. 

Stay safe,

The JetBrains team
