In the first quarter of 2020, we resolved a number of security issues in our products. Here's a summary report that contains a description of each issue and the version in which it was resolved.

| Product | Description | Severity | Resolved in | CVE/CWE |
| --- | --- | --- | --- | --- |
| Datalore | User's SSH key could be deleted without appropriate permissions. Reported by Callum Carney (DL-7833) | Moderate | Not applicable | CWE-639 |
| Datalore | SSRF could be caused by an attached file. Reported by Callum Carney (DL-7836) | High | Not applicable | CWE-918 |
| GoLand | Plain HTTP was used to access the plugin repository (GO-8694) | Low | 2019.3.2 | CVE-2020-11685 |
| IntelliJ IDEA | License server could be resolved to an untrusted host in some cases (IDEA-219748) | High | 2020.1 | CVE-2020-11690 |
| JetBrains Account | Non-unique QR codes were generated during consecutive attempts to set up 2FA (JPF-10149) | Low | 2020.01 | CWE-342 |
| JetBrains Account | Clickjacking was possible on a JetBrains Account page. Reported by Raja Ahtisham (JPF-10154) | Moderate | 2020.01 | CWE-1021 |
| JetBrains Account | Customer name enumeration by numeric customer ID was possible (JPF-10159, JPF-10301) | High | 2020.03 | CWE-200 |
| JetBrains Account | Country value coming from a user wasn't correctly validated (JPF-10258) | High | 2020.02 | CWE-285 |
| JetBrains Account | Information disclosure from JetBrains Account was possible via the "Back" button. Reported by Ratnadip Gajbhiye (JPF-10266) | Low | 2020.02 | CWE-200 |
| JetBrains Website | Reflected XSS at jetbrains.com was possible. Reported by Rahad Chowdhury (JS-11769) | High | Not applicable | CWE-79 |
| Hub | Content spoofing in the Hub OAuth error message was possible (JPS-10093) | Moderate | 2020.1.12099 | CVE-2020-11691 |
| Plugin Marketplace | Uploading a malicious file via the Screenshots form could cause XSS (MP-2637) | Moderate | Not applicable | CWE-79 |
| PyCharm | Apple Notarization Service credentials were included in the PyCharm distribution for Windows. Reported by Ruby Nealon (IDEA-232217) | High | 2019.3.3, 2019.2.6 | CVE-2020-11694 |
| Space | Session timeout period was configured improperly (SPACE-4717) | Low | Not applicable | CVE-2020-11795 |
| Space | Stored XSS in Space chats was possible. Reported by Callum Carney (SPACE-6556) | Moderate | Not applicable | CVE-2020-11416 |
| Space | Password authentication implementation was insecure (SPACE-7282) | High | Not applicable | CVE-2020-11796 |
| TeamCity | Password values were shown unmasked on several pages (TW-64186) | Low | 2019.2.2 | CVE-2020-11687 |
| TeamCity | Project administrator was able to see scrambled password parameters used in a project (TW-58099) | Moderate | 2019.2.2 | CVE-2020-11938 |
| TeamCity | Project administrator was able to retrieve some TeamCity server settings (TW-61626) | Low | 2019.1.4 | CVE-2020-11686 |
| TeamCity | Application state was kept alive after a user ended their session (TW-61824) | Low | 2019.2.1 | CVE-2020-11688 |
| TeamCity | A user without appropriate permissions was able to import settings from settings.kts (TW-63698) | Low | 2019.2.1 | CVE-2020-11689 |
| YouTrack | DB export was accessible to read-only administrators (JT-56001) | Low | 2020.1.659 | CVE-2020-11692 |
| YouTrack | DoS could be performed by attaching a malformed TIFF to an issue. Reported by Chris Smith (JT-56407) | High | 2020.1.659 | CVE-2020-11693 |

If you need any further assistance, please contact our Security Team.


Your JetBrains Team