SpringShell Vulnerability in JetBrains Products and Services
On March 29, 2022, we became aware of the Remote Code Execution vulnerabilities CVE-2022-22963 and CVE-2022-22965 in several libraries of the Spring Framework, which is commonly used in web applications.
The applications listed above either do not use vulnerable versions of Spring or do not meet the known exploitation criteria, and are therefore not affected by the discovered security issues. Please refer to the following technical discussions concerning TeamCity, Hub, and YouTrack.
Other JetBrains products, including all IntelliJ Platform IDEs, .NET tools, Toolbox App, Code With Me, JetBrains Gateway, Kotlin, and Ktor, are not affected by the issues, as they are not web applications using the Spring Framework.
We will continue monitoring any further developments with these vulnerabilities.
We will also continue to test our products and services for security issues resulting from the use of third-party components, and update the versions of any such components as and when appropriate fixes become available.
The JetBrains team