URL: https://www.jetbrains.com/privacy-security/issues-fixed/
Submission: On December 29 via api from US — Scanned from DE

FIXED SECURITY ISSUES

This page contains information about resolved security issues, including
description, severity, assigned CVEs, and the product versions in which they
were resolved.

| Product | Description | Severity | Resolved In | CWE | CVE |
|---|---|---|---|---|---|
| IntelliJ IDEA | The "Validate JSP File" action used the HTTP protocol to download required JAR files (IDEA-305732) | Medium | 2022.3.1 | CWE-319 | CVE-2022-47895 |
| IntelliJ IDEA | Code Templates were vulnerable to SSTI attacks. Reported by Krypton (IDEA-306345) | Medium | 2022.3.1 | CWE-1336 | CVE-2022-47896 |
| Space | The second authentication factor wasn't checked during the password reset. Reported by Bharat (SPACE-15087) | Medium | Not applicable | CWE-304 | Not applicable |
| IntelliJ IDEA | A buffer overflow in the fsnotifier daemon on macOS was possible (IDEA-302494) | Medium | 2022.2.4 | CWE-120 | CVE-2022-46824 |
| IntelliJ IDEA | The built-in web server leaked information about open projects (IDEA-297741) | Medium | 2022.3 | CWE-200 | CVE-2022-46825 |
| IntelliJ IDEA | The built-in web server allowed an arbitrary file to be read by exploiting a path traversal vulnerability (IDEA-304713) | Medium | 2022.3 | CWE-35 | CVE-2022-46826 |
| IntelliJ IDEA | An XXE attack leading to SSRF via requests to custom plugin repositories was possible (IDEA-302855) | Low | 2022.3 | CWE-611 | CVE-2022-46827 |
| IntelliJ IDEA | A DYLIB injection on macOS was possible. Independently reported by Anthony Viriya and Kang Ali (IDEA-298179) | Medium | 2022.3 | CWE-691 | CVE-2022-46828 |
| JetBrains Gateway | A client could connect without a valid token if the host consented (GTW-1786) | High | 2022.3 | CWE-287 | CVE-2022-46829 |
| Space | Profiles were improperly added to random projects, including restricted ones | Medium | Not applicable | CWE-668 | Not applicable |
| TeamCity | A custom STS endpoint allowed internal port scanning (TW-78415) | Medium | 2022.10.1 | CWE-918 | CVE-2022-46830 |
| TeamCity | Connecting to AWS using the "Default Credential Provider Chain" allowed TeamCity project administrators to access AWS resources normally limited to TeamCity system administrators (TW-78416) | Medium | 2022.10.1 | CWE-453 | CVE-2022-46831 |
| Hub | Throttling was missed when sending emails to a particular email address. Reported by Keroles Magdy (HUB-11260) | Low | 2022.3.15181 | CWE-770 | CVE-2022-45471 |
| TeamCity Cloud | EBS storage objects were not encrypted (TCC-175) | Low | Not applicable | CWE-311 | Not applicable |
| TeamCity Cloud | Passwords for agent user accounts built from the same image were not randomized (TCC-188) | Medium | Not applicable | CWE-331 | Not applicable |
| TeamCity | Excessive access permissions for secure token health items (TW-73518) | Low | 2022.10 | CWE-284 | CVE-2022-44622 |
| TeamCity | Project Viewer could see scrambled secure values in the MetaRunner settings (TW-76796) | Medium | 2022.10 | CWE-538 | CVE-2022-44623 |
| TeamCity | Password parameters could be exposed in the build log if they contained special characters (TW-77048) | Medium | 2022.10 | CWE-532 | CVE-2022-44624 |
| TeamCity | No audit items were added upon editing a user's settings (TW-75537) | Low | 2022.10 | CWE-223 | CVE-2022-44646 |
| JetBrains Account | Throttling was missed on some pages. Reported by Manthan Mahale (JPF-13346) | Low | 2022.09 | CWE-770 | Not applicable |
| TeamCity | Environmental variables of "password" type could be logged when using custom Perforce executable. Reported by Pierre Hosteins and Yvan Serykh (TW-77474) | Medium | 2022.04.4 | CWE-532 | CVE-2022-40979 |
| JetBrains Website | Open redirect on jetbrains.com.cn. Reported by Koutrouss Naddara (JS-17099) | Medium | Not applicable | CWE-601 | Not applicable |
| IntelliJ IDEA | The installer was vulnerable to EXE search order hijacking. Reported by Dmitry Zemlyakov (IDEA-295424) | High | 2022.2.2 | CWE-427 | CVE-2022-40978 |
| JetBrains Website | The JetBrains blog was vulnerable to CSS injection (JS-16353) | Low | Not applicable | CWE-79 | Not applicable |
| Ktor | Ktor was vulnerable to the Reflect File Download attack. Reported by Motoyasu Saburi (KTOR-4669, Pull Request) | Medium | 2.1.0 | CWE-184 | CVE-2022-38179 |
| Ktor | The wrong authentication provider could be selected in some cases. Reported by Andrew Bryan (KTOR-4618, Pull Request) | Medium | 2.1.0 | CWE-287 | CVE-2022-38180 |
| TeamCity | The private SSH key could be written to the server log in some cases (TW-76758) | Low | 2022.04.3 | CWE-532 | CVE-2022-38133 |
| Rider | Trust and Open Project dialog bypass, leading to local code execution (RIDER-74325, RIDER-74328) | Medium | 2022.2 | CWE-94 | CVE-2022-37396 |
| IntelliJ IDEA | Local code execution was possible via a Vagrant executable (IDEA-288325) | Low | 2022.2 | CWE-94 | CVE-2022-37009 |
| IntelliJ IDEA | Missing email address validation in the "Git User Name Is Not Defined" dialog. Reported by Carolos Foscolos (IDEA-291960) | Low | 2022.2 | CWE-20 | CVE-2022-37010 |
| TeamCity | The private SSH key could be written to the build log in some cases (TW-76651) | Medium | 2022.04.2 | CWE-532 | CVE-2022-36321 |
| TeamCity | Build parameter injection was possible. Reported by Micky Sung (TW-76356) | Medium | 2022.04.2 | CWE-88 | CVE-2022-36322 |
| Hub | Insufficient access control allowed the hijacking of untrusted services in Hub. Reported by Yurii Sanin (HUB-10771) | Low | 2022.2.14799 | CWE-284 | CVE-2022-34894 |
| JetBrains Website | Potential XSS via Origin header. Reported by Nidhin Sabu (JPF-13063) | Low | Not applicable | CWE-79 | Not applicable |
| Ktor | SHA1 implementation in Ktor Native was returning the same value (KTOR-4217, Pull Request) | High | 2.0.1 | CWE-342 | CVE-2022-29930 |
| TeamCity | Reflected XSS on the Build Chain Status page (TW-75231) | Medium | 2022.04 | CWE-79 | CVE-2022-29927 |
| TeamCity | Possible leak of secrets in TeamCity agent logs (TW-74263, TW-68807) | Medium | 2022.04 | CWE-532 | CVE-2022-29928 |
| TeamCity | Potential XSS via Referrer header (TW-75605) | Low | 2022.04 | CWE-79 | CVE-2022-29929 |
| Hub | Stored XSS via project icon. Reported by Julian Muñoz (HUB-11155) | Medium | 2022.1.14638 | CWE-79 | CVE-2022-29811 |
| IntelliJ IDEA | Insufficient notification about using Unicode directionality formatting characters (IDEA-284151) | Low | 2022.1 | CWE-176 | CVE-2022-29812 |
| IntelliJ IDEA | Local code execution via custom Pandoc path (IDEA-288269) | Medium | 2022.1 | CWE-94 | CVE-2022-29813 |
| IntelliJ IDEA | Local code execution via HTML descriptions in custom JSON schemas (IDEA-283967) | Medium | 2022.1 | CWE-94 | CVE-2022-29814 |
| IntelliJ IDEA | Local code execution via workspace settings (IDEA-283824, IDEA-283968) | Medium | 2022.1 | CWE-94 | CVE-2022-29815 |
| IntelliJ IDEA | HTML injection into IDE messages (IDEA-287428) | Low | 2022.1 | CWE-74 | CVE-2022-29816 |
| IntelliJ IDEA | Reflected XSS via error messages in internal web server (IDEA-283994) | Low | 2022.1 | CWE-79 | CVE-2022-29817 |
| IntelliJ IDEA | Flawed origin checks in the internal web server (IDEA-283586) | Low | 2022.1 | CWE-346 | CVE-2022-29818 |
| IntelliJ IDEA | Local code execution via links in Quick Documentation (IDEA-289398) | Medium | 2022.1 | CWE-94 | CVE-2022-29819 |
| PyCharm | Exposure of the debugger port to the internal network (PY-52288) | Low | 2022.1 | CWE-1327 | CVE-2022-29820 |
| Rider | Local code execution via links in ReSharper Quick Documentation (RIDER-74099) | Medium | 2022.1 | CWE-94 | CVE-2022-29821 |
| TeamCity Cloud | Potential disclosure of built-in OAuth2 connectors' secrets. Reported by Yurii Sanin (TCC-346) | High | Not applicable | CWE-522 | Not applicable |
| TeamCity Cloud | Session takeover via OAuth client manipulation. Reported by Yurii Sanin (TCC-347, TCC-349, TCC-351) | High | Not applicable | CWE-345 | Not applicable |
| TeamCity Cloud | Session takeover using open redirect misconfiguration. Reported by Yurii Sanin (TCC-348) | High | Not applicable | CWE-601 | Not applicable |
| TeamCity Cloud | VCS credentials disclosure via repository URL manipulation. Reported by Yurii Sanin (TCC-355, TCC-358) | Medium | Not applicable | CWE-522 | Not applicable |
| Ktor | Random values used for nonce generation in Ktor Native weren't using SecureRandom implementations. Reported by Dan Wallach (KTOR-3656, Pull Request) | Low | 2.0.0 | CWE-330 | CVE-2022-29035 |
| JetBrains Account | It was possible to take over accounts linked to outlook.* email addresses via GitHub SSO. Reported by Adrian Weber (JPF-12877) | Critical | 2022.04 | CWE-697 | Not applicable |
| IntelliJ IDEA | It was possible to get passwords from protected fields (IDEA-289085) | High | 2021.3.3 | CWE-497 | CVE-2022-28651 |
| YouTrack | HTML code from the issue description was being rendered (JT-58282) | Medium | 2022.1.43563 | CWE-80 | CVE-2022-28648 |
| YouTrack | It was possible to include an iframe from a third-party domain in the issue description (JT-68626) | Medium | 2022.1.43563 | CWE-1021 | CVE-2022-28649 |
| YouTrack | It was possible to inject JavaScript into Markdown in the YouTrack Classic UI (JT-68622) | High | 2022.1.43700 | CWE-79 | CVE-2022-28650 |
| Hub | Blind Server-Side Request Forgery (SSRF). Reported by Yurii Sanin (HUB-11052) | Medium | 2021.1.14276 | CWE-918 | CVE-2022-25260 |
| Hub | Reflected XSS. Reported by Yurii Sanin (HUB-10971) | Medium | 2021.1.14276 | CWE-79 | CVE-2022-25259 |
| Hub | SAML request takeover. Reported by Yurii Sanin (HUB-10978) | High | 2022.1.14434 | CWE-345 | CVE-2022-25262 |
| JetBrains Blog | Reflected XSS via tag parameter (BLOG-55) | Medium | Not applicable | CWE-79 | Not applicable |
| JetBrains Marketplace | Stored XSS via plugin fields (MP-4190, MP-4191, MP-4192, MP-4196, MP-4201) | Medium | Not applicable | CWE-79 | Not applicable |
| Kotlin Website | Clickjacking at talkingkotlin.com (KTL-84) | Low | Not applicable | CWE-1021 | Not applicable |
| TeamCity | Reflected XSS (TW-74044) | Medium | 2021.2.2 | CWE-79 | CVE-2022-25261 |
| TeamCity | OS command injection in the Agent Push feature configuration. Reported by Cristian Chavez (TW-74822) | High | 2021.2.3 | CWE-78 | CVE-2022-25263 |
| TeamCity | Environmental variables of "password" type could be logged in some cases (TW-74625) | Medium | 2021.2.3 | CWE-532 | CVE-2022-25264 |
| YouTrack | SSTI via FreeMarker templates. Reported by Matei "Mal" Badanoiu (JT-68075) | High | 2021.4.40426 | CWE-1336 | CVE-2022-24442 |
| Datalore | Another user’s database could be attached (DL-9779) | High | Not applicable | CWE-284 | Not applicable |
| Hub | JetBrains Account integration exposed API keys with excessive permissions. Reported by Yurii Sanin (HUB-10958) | High | 2021.1.13890 | CWE-732 | CVE-2022-24327 |
| Hub | An unprivileged user could perform a DoS. Reported by Yurii Sanin (HUB-10976) | High | 2021.1.13956 | CWE-74 | CVE-2022-24328 |
| IntelliJ IDEA | Code could be executed without the user’s permission on opening a project (IDEA-243002, IDEA-277306, IDEA-282396, IDEA-275917) | Medium | 2021.2.4 | CWE-345 | CVE-2022-24345 |
| IntelliJ IDEA | Potential LCE via RLO (Right-to-Left Override) characters (IDEA-284150) | Medium | 2021.3.1 | CWE-176 | CVE-2022-24346 |
| JetBrains Blog | Blind SQL injection. Reported by Khan Janny (BLOG-45) | Medium | Not applicable | CWE-89 | Not applicable |
| Kotlin | No ability to lock dependencies for Kotlin Multiplatform Gradle projects. Reported by Carter Jernigan (KT-49449) | Medium | 1.6.0 | CWE-667 | CVE-2022-24329 |
| Kotlin Website | Clickjacking at kotlinlang.org (KTL-588) | Medium | Not applicable | CWE-1021 | Not applicable |
| Remote Development | Unexpected open port on backend server. Reported by Damian Gwiżdż (GTW-894) | High | 2021.3.1 | CWE-1327 | CVE-2021-45977 |
| Space | Missing permission check in an HTTP API response (SPACE-15991) | High | Not applicable | CWE-284 | Not applicable |
| TeamCity | A redirect to an external site was possible (TW-71113) | Low | 2021.2.1 | CWE-601 | CVE-2022-24330 |
| TeamCity | Logout failed to remove the "Remember Me" cookie (TW-72969) | Low | 2021.2 | CWE-613 | CVE-2022-24332 |
| TeamCity | GitLab authentication impersonation. Reported by Christian Pedersen (TW-73375) | High | 2021.1.4 | CWE-285 | CVE-2022-24331 |
| TeamCity | The "Agent push" feature allowed any private key on the server to be selected (TW-73399) | Low | 2021.2.1 | CWE-284 | CVE-2022-24334 |
| TeamCity | Blind SSRF via an XML-RPC call. Reported by Artem Godin (TW-73465) | Medium | 2021.2 | CWE-918 | CVE-2022-24333 |
| TeamCity | Time-of-check/Time-of-use (TOCTOU) vulnerability in agent registration via XML-RPC. Reported by Artem Godin (TW-73468) | High | 2021.2 | CWE-367 | CVE-2022-24335 |
| TeamCity | An unauthenticated attacker could cancel running builds via an XML-RPC request to the TeamCity server. Reported by Artem Godin (TW-73469) | Medium | 2021.2.1 | CWE-284 | CVE-2022-24336 |
| TeamCity | Pull-requests' health items were shown to users without appropriate permissions (TW-73516) | Low | 2021.2 | CWE-284 | CVE-2022-24337 |
| TeamCity | Stored XSS. Reported by Yurii Sanin (TW-73737) | Medium | 2021.2.1 | CWE-79 | CVE-2022-24339 |
| TeamCity | URL injection leading to CSRF. Reported by Yurii Sanin (TW-73859) | Medium | 2021.2.1 | CWE-352 | CVE-2022-24342 |
| TeamCity | Changing a password failed to terminate sessions of the edited user (TW-73888) | Low | 2021.2.1 | CWE-613 | CVE-2022-24341 |
| TeamCity | XXE during the parsing of a configuration file (TW-73932) | Medium | 2021.2.1 | CWE-611 | CVE-2022-24340 |
| TeamCity | Reflected XSS (TW-74043) | Medium | 2021.2.1 | CWE-79 | CVE-2022-24338 |
| YouTrack | Stored XSS on the Notification templates page (JT-65752) | Low | 2021.4.31698 | CWE-79 | CVE-2022-24344 |
| YouTrack | A custom logo could be set with read-only permissions (JT-66214) | Low | 2021.4.31698 | CWE-284 | CVE-2022-24343 |
| YouTrack | Stored XSS via project icon. Reported by Yurii Sanin (JT-67176) | Medium | 2021.4.36872 | CWE-79 | CVE-2022-24347 |
| Datalore | Server version disclosure. Reported by Bharat (DL-9447) | Low | Not applicable | CWE-209 | Not applicable |
| Hub | Information disclosure via avatars metadata (HUB-10154) | Low | 2021.1.13690 | CWE-200 | CVE-2021-43180 |
| Hub | Potential DOS via user information. Reported by Bharat (HUB-10804) | Low | 2021.1.13415 | CWE-20 | CVE-2021-43182 |
| Hub | Stored XSS. Reported by Dmitry Sherstoboev (HUB-10854) | Medium | 2021.1.13690 | CWE-79 | CVE-2021-43181 |
| Hub | Authentication throttling mechanism could be bypassed. Reported by Bharat (HUB-10869) | Medium | 2021.1.13690 | CWE-180 | CVE-2021-43183 |
| JetBrains Account | Authentication throttling mechanism could be bypassed. Reported by Bharat (JPF-11933) | Medium | 2021.07 | CWE-180 | Not applicable |
| Ktor | Improper nonce verification during OAuth2 authentication process. Reported by Ole Schilling Tjensvold (KTOR-3091) | Medium | 1.6.4 | CWE-303 | CVE-2021-43203 |
| Space | Authentication throttling mechanism could be bypassed. Reported by Bharat (SPACE-15282) | Low | Not applicable | CWE-180 | Not applicable |
| Space | SSRF disclosing EC2 metadata (SPACE-15666) | High | Not applicable | CWE-918 | Not applicable |
| TeamCity | User enumeration was possible (TW-70167) | Low | 2021.1.2 | CWE-200 | CVE-2021-43194 |
| TeamCity | RCE in agent push functionality. Reported by Eduardo Castellanos (TW-70384) | High | 2021.1.2 | CWE-78 | CVE-2021-43193 |
| TeamCity | Information disclosure via Docker Registry connection dialog (TW-70459) | Medium | 2021.1 | CWE-200 | CVE-2021-43196 |
| TeamCity | Some HTTP Security Headers were missed (TW-71376) | Low | 2021.1.2 | CWE-693 | CVE-2021-43195 |
| TeamCity | Email notifications could include unescaped HTML (TW-71981) | Low | 2021.1.2 | CWE-116 | CVE-2021-43197 |
| TeamCity | Insufficient permissions checks in create patch functionality (TW-71982) | Low | 2021.1.2 | CWE-285 | CVE-2021-43199 |
| TeamCity | Stored XSS (TW-72007) | Low | 2021.1.2 | CWE-79 | CVE-2021-43198 |
| TeamCity | Insufficient permissions checks in agent push functionality (TW-72177) | Low | 2021.1.2 | CWE-285 | CVE-2021-43200 |
| TeamCity | X-Frame-Options Header was missed in some cases (TW-72464) | Low | 2021.1.3 | CWE-693 | CVE-2021-43202 |
| TeamCity | A newly created project could take settings from already deleted project (TW-72521) | Medium | 2021.1.3 | CWE-459 | CVE-2021-43201 |
| TeamCity Cloud | Session takeover using open redirect in OAuth integration. Reported by Yurii Sanin (TCC-277) | High | Not applicable | CWE-601 | Not applicable |
| YouTrack | Stored XSS (JT-63483) | Low | 2021.3.21051 | CWE-79 | CVE-2021-43184 |
| YouTrack | Host header injection. Reported by Artem Ivanov (JT-65590) | Medium | 2021.3.23639 | CWE-601 | CVE-2021-43185 |
| YouTrack | Stored XSS. Reported by Artem Ivanov (JT-65749) | High | 2021.3.24402 | CWE-79 | CVE-2021-43186 |
| YouTrack InCloud | Unsafe EC2 configuration in YouTrack InCloud (JT-63693, JT-63695) | Low | Not applicable | CWE-16 | Not applicable |
| YouTrack Mobile | Client-side caching on iOS (YTM-12961) | Low | 2021.2 | CWE-524 | CVE-2021-43187 |
| YouTrack Mobile | Incomplete access tokens protection in iOS (YTM-12962, YTM-12965, YTM-12966) | Low | 2021.2 | CWE-311 | CVE-2021-43188 |
| YouTrack Mobile | Incomplete access tokens protection in Android (YTM-12964) | Low | 2021.2 | CWE-311 | CVE-2021-43189 |
| YouTrack Mobile | Task Hijacking in Android (YTM-12967) | Low | 2021.2 | CWE-287 | CVE-2021-43190 |
| YouTrack Mobile | iOS URL Scheme hijacking (YTM-12968) | Low | 2021.2 | CWE-287 | CVE-2021-43192 |
| YouTrack Mobile | Missing Security Screen on Android & iOS (YTM-12969) | Low | 2021.2 | CWE-287 | CVE-2021-43191 |
| Datalore | Potential JWT token takeover using redirect misconfiguration. Reported by Yurii Sanin (DL-9225, JPF-11801) | High | Not applicable | CWE-601 | Not applicable |
| Datalore | There was no way to drop all active sessions. Reported by Bharat (DL-9247) | High | Not applicable | CWE-613 | Not applicable |
| Hub | Potentially insufficient CSP for Widget deployment feature (JPS-10736) | Low | 2021.1.13262 | CWE-1021 | CVE-2021-37540 |
| Hub | Account takeover was possible during password reset. Reported by Viet Nguyen Quoc (JPS-10767) | High | 2021.1.13402 | CWE-601 | CVE-2021-36209 |
| Hub | HTML injection in the password reset email was possible. Reported by Bharat (JPS-10797) | Medium | 2021.1.13402 | CWE-79 | CVE-2021-37541 |
| JetBrains Account | OTP could be used several times after the successful validation (JPF-11119) | Low | 2021.04 | CWE-358 | Not applicable |
| JetBrains Account | Potential account takeover via OAuth integration. Reported by Bharat (JPF-11802) | High | 2021.06 | CWE-918 | Not applicable |
| JetBrains Website | Reflected XSS on jetbrains.com. Reported by Vasu Solanki (JS-14004) | Low | Not applicable | CWE-79 | Not applicable |
| RubyMine | Code execution without user confirmation was possible for untrusted projects (RUBY-27702) | Medium | 2021.1.1 | CWE-345 | CVE-2021-37543 |
| Space | Deprecated organization-wide package repositories were publicly visible (SPACE-14151) | High | Not applicable | CWE-284 | Not applicable |
| TeamCity | Potential XSS (TW-61688) | High | 2020.2.3 | CWE-79 | CVE-2021-37542 |
| TeamCity | Insecure deserialization (TW-70057, TW-70080) | High | 2020.2.4 | CWE-502 | CVE-2021-37544 |
| TeamCity | Insufficient authentication checks for agent requests (TW-70166) | High | 2021.1.1 | CWE-287 | CVE-2021-37545 |
| TeamCity | Insecure key generation for encrypted properties (TW-70201) | Low | 2021.1 | CWE-335 | CVE-2021-37546 |
| TeamCity | Insufficient checks during file uploading (TW-70546) | Medium | 2020.2.4 | CWE-434 | CVE-2021-37547 |
| TeamCity | Passwords in plain text sometimes could be stored in VCS (TW-71008) | Medium | 2021.1 | CWE-540 | CVE-2021-37548 |
| YouTrack | Insufficient sandboxing in workflows (JT-63222, JT-63254) | Critical | 2021.1.11111 | CWE-648 | CVE-2021-37549 |
| YouTrack | Time-unsafe comparisons were used (JT-63697) | Low | 2021.2.16363 | CWE-208 | CVE-2021-37550 |
| YouTrack | System user passwords were hashed with SHA-256 (JT-63698) | Low | 2021.2.16363 | CWE-916 | CVE-2021-37551 |
| YouTrack | Insecure PRNG was used (JT-63699) | Low | 2021.2.16363 | CWE-338 | CVE-2021-37553 |
| YouTrack | Stored XSS (JT-64564) | Medium | 2021.2.17925 | CWE-79 | CVE-2021-37552 |
| YouTrack | User could see boards without having corresponding permissions (JT-64634) | Low | 2021.3.21051 | CWE-284 | CVE-2021-37554 |
| YouTrack InCloud | Reflected XSS on konnector service in Firefox (JT-63702) | Low | Not applicable | CWE-79 | Not applicable |
| Code With Me | Client could execute code in read-only mode (CWM-1235) | Medium | Compatible IDEs 2021.1 version | CWE-285 | CVE-2021-31899 |
| Code With Me | Client could open browser on host (CWM-1769) | Low | Compatible IDEs 2021.1 version | CWE-285 | CVE-2021-31900 |
| Exception Analyzer | No throttling at Exception Analyzer login page. Reported by Ashhad Ali (EXA-760) | Low | Not applicable | CWE-799 | Not applicable |
| Hub | Two-factor authentication wasn't enabled properly for "All Users" group (JPS-10694) | Low | 2021.1.13079 | CWE-304 | CVE-2021-31901 |
| IntelliJ IDEA | XXE in License server functionality (IDEA-260143) | High | 2020.3.3 | CWE-611 | CVE-2021-30006 |
| IntelliJ IDEA | Code execution without user confirmation was possible for untrusted projects (IDEA-260911, IDEA-260912, IDEA-260913, IDEA-261846, IDEA-261851, IDEA-262917, IDEA-263981, IDEA-264782) | Medium | 2020.3.3 | CWE-345 | CVE-2021-29263 |
| IntelliJ IDEA | Possible DoS. Reported by Arun Malik (IDEA-261832) | Medium | 2021.1 | CWE-770 | CVE-2021-30504 |
| JetBrains Academy | Potential takeover of a future account with a known email. Reported by Vansh Devgan (JBA-110) | Low | Not applicable | CWE-285 | Not applicable |
| JetBrains Account | Sensitive account URLs were shared with third parties. Reported by Vikram Naidu (JPF-11338) | High | 2021.02 | CWE-201 | Not applicable |
| JetBrains Website | Reflected XSS at blog.jetbrains.com. Reported by Peter Af Geijerstam and Jai Kumar (JS-14554, JS-14562) | Low | Not applicable | CWE-79 | Not applicable |
| PyCharm | Code execution without user confirmation was possible for untrusted projects. Reported by Tony Torralba (PY-41524) | Medium | 2020.3.4 | CWE-345 | CVE-2021-30005 |
| Space | Insufficient CRLF sanitization in user input (SPACE-13955) | Low | Not applicable | CWE-93 | Not applicable |
| TeamCity | Potential XSS on the test history page (TW-67710) | Medium | 2020.2.2 | CWE-79 | CVE-2021-31904 |
| TeamCity | TeamCity IntelliJ Plugin DOS. Reported by Jonathan Leitschuh (TW-69070) | Low | 2020.2.2 | CWE-770 | CVE-2021-26310 |
| TeamCity | Local information disclosure via temporary file in TeamCity IntelliJ Plugin. Reported by Jonathan Leitschuh (TW-69420) | Low | 2020.2.2 | CWE-378 | CVE-2021-26309 |
| TeamCity | Insufficient audit when an administrator uploads a file (TW-69511) | Low | 2020.2.2 | CWE-778 | CVE-2021-31906 |
| TeamCity | Improper permission checks for changing TeamCity plugins (TW-69521) | Low | 2020.2.2 | CWE-732 | CVE-2021-31907 |
| TeamCity | Potential XSS on the test page. Reported by Stephen Patches (TW-69737) | Low | 2020.2.2 | CWE-79 | CVE-2021-3315 |
| TeamCity | Argument Injection leading to RCE (TW-70054) | High | 2020.2.3 | CWE-78 | CVE-2021-31909 |
| TeamCity | Stored XSS on several pages (TW-70078, TW-70348) | Medium | 2020.2.3 | CWE-79 | CVE-2021-31908 |
| TeamCity | Information disclosure via SSRF (TW-70079) | High | 2020.2.3 | CWE-918 | CVE-2021-31910 |
| TeamCity | Reflected XSS on several pages (TW-70093, TW-70094, TW-70095, TW-70096, TW-70137) | Medium | 2020.2.3 | CWE-79 | CVE-2021-31911 |
| TeamCity | Potential account takeover during password reset (TW-70303) | Medium | 2020.2.3 | CWE-640 | CVE-2021-31912 |
| TeamCity | Insufficient checks of the redirect_uri during GitHub SSO token exchange (TW-70358) | Low | 2020.2.3 | CWE-601 | CVE-2021-31913 |
| TeamCity | Arbitrary code execution on TeamCity Server running on Windows. Reported by Chris Moore (TW-70512) | High | 2020.2.4 | CWE-829 | CVE-2021-31914 |
| TeamCity | Command injection leading to RCE. Reported by Chris Moore (TW-70541) | High | 2020.2.4 | CWE-78 | CVE-2021-31915 |
| TeamCity Cloud | Potential information disclosure via EC2 instance metadata (TCC-174, TCC-176) | Low | Not applicable | CWE-1230 | Not applicable |
| TeamCity Cloud | Temporary credentials disclosure via command injection. Reported by Chris Moore (TCC-196) | High | Not applicable | CWE-78 | Not applicable |
| UpSource | Application passwords were not revoked correctly. Reported by Thibaut Zonca (UP-10843) | High | 2020.1.1883 | CWE-459 | CVE-2021-30482 |
| WebStorm | HTTP requests were used instead of HTTPS (WEB-49549) | Low | 2021.1 | CWE-295 | CVE-2021-31898 |
| WebStorm | Code execution without user confirmation was possible for untrusted projects (WEB-49689, WEB-49902) | Low | 2021.1 | CWE-345 | CVE-2021-31897 |
| YouTrack | Stored XSS via attached file. Reported by Mikhail Klyuchnikov (JT-62530) | Medium | 2020.6.6441 | CWE-79 | CVE-2021-27733 |
| YouTrack | Pull request title was sanitized insufficiently (JT-62556) | Medium | 2021.1.9819 | CWE-79 | CVE-2021-31903 |
| YouTrack | Improper access control during exporting issues (JT-62649) | High | 2020.6.6600 | CWE-284 | CVE-2021-31902 |
| YouTrack | Information disclosure in issue preview (JT-62919) | High | 2020.6.8801 | CWE-200 | CVE-2021-31905 |
| Code With Me | An attacker in the local network knowing session id could get access to the encrypted traffic. Reported by Grigorii Liullin (CWM-1067) | Low | 2020.3 | Not applicable | CVE-2021-25755 |
| Datalore | Server components versions were disclosed (DL-8327, DL-8335) | Low | Not applicable | CWE-200 | Not applicable |
| Exception Analyzer | Information disclosure via Exceptions Analyzer (SDP-1248) | Low | Not applicable | CWE-200 | Not applicable |
| Hub | Open-redirect was possible. Reported by Mohammed Amine El Attar (JPS-10348) | Medium | 2020.1.12629 | Not applicable | CVE-2021-25757 |
| Hub | Authorized user can delete 2FA settings of any other user (JPS-10410) | Medium | 2020.1.12629 | Not applicable | CVE-2021-25759 |
| Hub | Information disclosure via public API (JPS-10481) | Low | 2020.1.12669 | Not applicable | CVE-2021-25760 |
| IntelliJ IDEA | HTTP links were used for several remote repositories (IDEA-228726) | Low | 2020.2 | Not applicable | CVE-2021-25756 |
| IntelliJ IDEA | Potentially insecure deserialization of the workspace model (IDEA-253582) | Low | 2020.3 | Not applicable | CVE-2021-25758 |
| JetBrains Account | Authorization token was sent as a query parameter within Zendesk integration (JPF-10508) | Low | 2020.11 | CWE-598 | Not applicable |
| JetBrains Account | Open-redirect was possible (JPF-10660) | Low | 2020.10 | CWE-601 | Not applicable |
| JetBrains Website | Cross-origin resource sharing was possible. Reported by Ashhad Ali (SDP-1193) | Low | Not applicable | CWE-942 | Not applicable |
| JetBrains Website | Throttling was not used for the particular endpoint. Reported by Ashhad Ali (SDP-1197) | Low | Not applicable | CWE-799 | Not applicable |
| JetBrains Website | Clickjacking was possible. Reported by Ashhad Ali (SDP-1203) | Low | Not applicable | CWE-1021 | Not applicable |
| Kotlin | Vulnerable Java API was used for temporary files and folders creation, which could make temporary files available for other users of a system. Reported by Jonathan Leitschuh (KT-42181) | Low | 1.4.21 | Not applicable | CVE-2020-29582 |
| Ktor | Birthday attack on SessionStorage key was possible. Reported by Kenta Koyama (KTOR-878) | Low | 1.5.0 | Not applicable | CVE-2021-25761 |
| Ktor | Weak cipher suites were enabled by default. Reported by Johannes Ulfkjær Jensen (KTOR-895) | Low | 1.4.2 | Not applicable | CVE-2021-25763 |
| Ktor | HTTP Request Smuggling was possible. Reported by ZeddYu Lu, Kaiwen Shen, Yaru Yang (KTOR-1116) | Low | 1.4.3 | Not applicable | CVE-2021-25762 |
| PhpStorm | Source code could be added to debug logs (WI-54619) | Low | 2020.3 | Not applicable | CVE-2021-25764 |
| Space | Potential information disclosure via logs (SPACE-9343, SPACE-10969) | Low | Not applicable | CWE-532 | Not applicable |
| Space | An attacker could obtain limited information via SSRF in repository mirroring test connection (SPACE-9514) | High | Not applicable | CWE-918 | Not applicable |
| Space | Content-Type header wasn't set for some pages (SPACE-12004) | Low | Not applicable | CWE-531 | Not applicable |
| Space | REST API endpoint was available without appropriate permissions check, which could introduce a potential DOS vector (no real exploit available). (SPACE-12288) | Low | Not applicable | CWE-732 | Not applicable |
| TeamCity | Reflected XSS on several pages (TW-67424, TW-68098) | Medium | 2020.2 | Not applicable | CVE-2021-25773 |
| TeamCity | TeamCity server DoS was possible via server integration (TW-68406, TW-68780) | Low | 2020.2.2 | Not applicable | CVE-2021-25772 |
| TeamCity | ECR token exposure in the build's parameters (TW-68515) | Medium | 2020.2 | Not applicable | CVE-2021-25776 |
| TeamCity | User could get access to GitHub access token of another user (TW-68646) | Low | 2020.2.1 | Not applicable | CVE-2021-25774 |
| TeamCity | Server admin could create and see access tokens for any other users (TW-68862) | Low | 2020.2.1 | Not applicable | CVE-2021-25775 |
| TeamCity | Improper permissions checks during user deletion (TW-68864) | Low | 2020.2.1 | Not applicable | CVE-2021-25778 |
| TeamCity | Improper permissions checks during tokens removal (TW-68871) | Low | 2020.2.1 | Not applicable | CVE-2021-25777 |
| TeamCity | TeamCity Plugin SSRF. Vulnerability that could potentially expose user credentials. Reported by Jonathan Leitschuh (TW-69068) | High | 2020.2.85695 | Not applicable | CVE-2020-35667 |
| YouTrack | CSRF via attachment upload. Reported by Yurii Sanin (JT-58157) | Medium | 2020.4.4701 | Not applicable | CVE-2021-25765 |
| YouTrack | Users enumeration via REST API without appropriate permissions (JT-59396, JT-59498) | Low | 2020.4.4701 | Not applicable | CVE-2020-25208 |
| YouTrack | Improper resource access checks (JT-59397) | Low | 2020.4.4701 | Not applicable | CVE-2021-25766 |
| YouTrack | Issue's existence disclosure via the YouTrack command execution (JT-59663) | Low | 2020.6.1767 | Not applicable | CVE-2021-25767 |
| YouTrack | Improper permissions checks for the attachments actions (JT-59900) | Low | 2020.4.4701 | Not applicable | CVE-2021-25768 |
| YouTrack | YouTrack admin wasn't able to access attachments (JT-60824) | Low | 2020.4.6808 | Not applicable | CVE-2021-25769 |
| YouTrack | Server-side template injection in the YouTrack Cloud. Reported by Vasily Vasilkov (JT-61449) | High | 2020.5.3123 | Not applicable | CVE-2021-25770 |
| YouTrack | Project information disclosure (JT-61566) | Low | 2020.6.1099 | Not applicable | CVE-2021-25771 |
| IdeaVim | In limited circumstances, IdeaVim might have caused information leak (VIM-2019) | High | 0.58 | Not applicable | CVE-2020-27623 |
| IntelliJ IDEA | Built-in web server could expose information about IDE version (IDEA-240567) | Low | 2020.2 | Not applicable | |
applicableCVE-2020-27622JetBrains AccountImproper rate limit. Reported by Ashhad
Ali (JPF-11026)Low2020.09CWE-799Not applicableJetBrains AccountPassword reset
token might be disclosed to a third party. Reported by Sheikh Rishad
(JPF-11034)Low2020.10CWE-201Not applicableJetBrains MarketplaceBlind SSRF.
Reported by Yurii Sanin (MP-3119)HighNot applicableCWE-918Not
applicableJetBrains WebsiteReflected XSS. Reported by Peter af Geijerstam
(JS-13032)MediumNot applicableCWE-79Not applicableJetBrains WebsiteHTML
injection was possible on several pages (JS-13041)MediumNot applicableCWE-79Not
applicableJetBrains WebsiteClickjacking was possible on several pages
(JS-13042)LowNot applicableCWE-1021Not applicableJetBrains WebsiteSSRF on the
website. Reported by Mohamed Lahraoui (SDP-1174)LowNot applicableCWE-918Not
applicableKtorHTTP request smuggling was possible. Reported by ZeddYu Lu and
Kaiwen Shen (KTOR-841)Medium1.4.1Not applicableCVE-2020-26129SpaceUnauthorized
access to environment variables containing private data (SPACE-10723)MediumNot
applicableCWE-532Not applicableTeamCityURL injection was possible
(TW-44171)Low2020.1.2Not applicableCVE-2020-27627TeamCityGuest user had access
to audit records (TW-67750)Medium2020.1.5Not
applicableCVE-2020-27628TeamCitySecure dependency parameters could be not masked
in depending builds when there are no internal artifacts
(TW-67775)High2020.1.5Not applicableCVE-2020-27629Toolbox AppLimited RCE via
jetbrains protocol handler. Reported by Jeffrey van Gogh and Yuriy Solodkyy
(SDP-1177)Low1.18Not applicableCVE-2020-25207Toolbox AppDenial of service via
jetbrains protocol handler (TBX-5281)Low1.18.7455Not
applicableCVE-2020-25013YouTrackBlind SSRF. Reported by Yurii Sanin
(JT-58015)Low2020.3.888Not applicableCVE-2020-27624YouTrackNotifications might
have mentioned inaccessible issues (JT-58329)Low2020.3.888Not
applicableCVE-2020-27625YouTrackSSRF in YouTrack InCloud. Reported by Yurii
Sanin (JT-58962)Medium2020.3.5333Not applicableCVE-2020-27626YouTrackImproper
access control allowed retrieving issue description without appropriate access.
Reported by Yurii Sanin (JT-59015)Critical2020.3.4313, 2020.2.11008,
2020.1.11011, 2019.3.65516, 2019.2.65515, 2019.1.65514Not
applicableCVE-2020-24618YouTrackImproper access control for some subresources
leads to information disclosure. Reported by Yurii Sanin
(JT-59130)Medium2020.3.6638Not applicableCVE-2020-25209YouTrackAn attacker could
access workflow rules without appropriate access grants
(JT-59474)High2020.3.7955Not applicableCVE-2020-25210YouTrack MobileInformation
disclosure via application backups. Reported by Cristi Vlad
(YTM-5518)Low2020.2.0Not applicableCVE-2020-24366DataloreStack trace disclosure.
(DL-7350)LowNot applicableCWE-536Not applicableDataloreReverse tabnabbing was
possible. (DL-7708)LowNot applicableCWE-1022Not applicableJetBrains
AccountMissed throttling for reset password functionality in case of 2FA
enabled. Reported by Manu Pranav. (JPF-10527)Medium2020.06CWE-799Not
applicableJetBrains WebsiteStack trace disclosure in case of incorrect character
in request. (JS-12490)LowNot applicableCWE-536Not applicableJetBrains
WebsiteReflected XSS on jetbrains.com subdomain. Reported by Ritik Chaddha.
(JS-12562)LowNot applicableCWE-79Not applicableJetBrains WebsiteOpen-redirect
issues on kotlinconf.com. Reported by Ritik Chaddha. (JS-12581)LowNot
applicableCWE-601Not applicableJetBrains WebsiteClickjacking was possible at a
non-existent page. Reported by Pravas Ranjan Kanungo. (JS-12835)LowNot
applicableCWE-1021Not applicableKotlinScript cache privilege escalation
vulnerability. Reported by Henrik Tunedal. (KT-38222)Medium1.4.0Not
applicableCVE-2020-15824SpaceDraft title was disclosed to a user without access
to the draft. (SPACE-5594)LowNot applicableCWE-200Not applicableSpaceMissing
authorisation check caused privilege escalation. Reported by Callum Carney.
(SPACE-8034)HighNot applicableCWE-266Not applicableSpaceBlind SSRF via calendar
import. Reported by Yurii Sanin. (SPACE-8273)MediumNot applicableCWE-918Not
applicableSpaceThe drafts of the direct messages sent from iOS app could be sent
to the channel. (SPACE-8377)LowNot applicableCWE-200Not applicableSpaceChat
messages are propagated to the browser console. (SPACE-8386)HighNot
applicableCWE-215Not applicableSpaceMissed authentication checks in Space
Automation. (SPACE-8431)CriticalNot applicableCWE-306Not applicableSpaceMissed
authentication checks in Job related API. (SPACE-8822)LowNot
applicableCWE-306Not applicableSpaceIncorrect checks of public key content.
(SPACE-9169)MediumNot applicableCWE-287Not applicableSpaceStored XSS via
repository resource. (SPACE-9277)HighNot applicableCWE-79Not
applicableTeamCityUsers were able to assign more permissions than they had.
(TW-36158)Low2020.1Not applicableCVE-2020-15826TeamCityUsers with "Modify group"
permission can elevate other users privileges. (TW-58858)Medium2020.1Not
applicableCVE-2020-15825TeamCityPassword parameters could be disclosed via build
logs. (TW-64484)Low2019.2.3Not applicableCVE-2020-15829TeamCityProject parameter
values could be retrieved by a user without appropriate permissions.
(TW-64587)High2020.1.1Not applicableCVE-2020-15828TeamCityReflected XSS on
administration UI. (TW-64668)High2019.2.3Not
applicableCVE-2020-15831TeamCityStored XSS on administration UI.
(TW-64699)High2019.2.3Not applicableCVE-2020-15830Toolbox AppMissed signature on
"jetbrains-toolbox.exe". (TBX-4671)Low1.17.6856Not
applicableCVE-2020-15827UpSourceUnauthorised access was possible through error
in accounts linking. (SDP-940)Low2020.1Not
applicableCVE-2019-19704YouTrackSubtasks workflow could disclose issue
existence. (JT-45316)Low2020.2.8527Not applicableCVE-2020-15818YouTrackAn
external user could execute commands against arbitrary issues.
(JT-56848)High2020.1.1331Not applicableCVE-2020-15817YouTrackSSRF vulnerability
that allowed scanning internal ports. Reported by Evren Yalçın.
(JT-56917)Low2020.2.10643Not applicableCVE-2020-15819YouTrackMarkdown parser
could disclose hidden file existence. (JT-57235)Low2020.2.6881Not
applicableCVE-2020-15820YouTrackA user without permission was able to create
articles draft. (JT-57649)Medium2020.2.6881Not
applicableCVE-2020-15821YouTrackAWS metadata of YouTrack InCloud instance
disclosure via SSRF in Workflow. Reported by Yurii Sanin.
(JT-57964)High2020.2.8873Not applicableCVE-2020-15823YouTrackSSRF was possible
due to the fact that URL filtering could be escaped. Reported by Yurii Sanin.
(JT-58204)Low2020.2.10514Not applicableCVE-2020-15822YouTrack InCloudPossibility
to change redirect from any existing YouTrack InCloud instance to other
instance. (JT-57036)Medium2020.1.3588CWE-601Not applicableDataloreUser's SSH key
can be deleted without appropriate permissions. Reported by Callum Carney
(DL-7833)MediumNot applicableCWE-639Not applicableDataloreSSRF could be caused
by an attached file. Reported by Callum Carney (DL-7836)HighNot
applicableCWE-918Not applicableGoLandPlain HTTP was used to access plugin
repository (GO-8694)Low2019.3.2Not applicableCVE-2020-11685HubContent spoofing
at Hub OAuth error message was possible (JPS-10093)Medium2020.1.12099Not
applicableCVE-2020-11691IntelliJ IDEALicense server could be resolved to
untrusted host in some cases (IDEA-219748)High2020.1Not
applicableCVE-2020-11690JetBrains AccountNon-unique QR codes were generated
during consequentattempts to setup 2FA (JPF-10149)Low2020.01CWE-342Not
applicableJetBrains AccountClickjacking was possible on a JetBrains Account
page. Reported by Raja Ahtisham (JPF-10154) Medium2020.01CWE-1021Not
applicableJetBrains AccountCustomer name enumeration by numeric customer ID was
possible (JPF-10159, JPF-10301)High2020.03CWE-200Not applicableJetBrains
AccountCountry value coming from a user wasn't correctly validated
(JPF-10258)High2020.02CWE-285Not applicableJetBrains AccountInformation
disclosure from JetBrains Account was possible via "Back" button. Reported by
Ratnadip Gajbhiye (JPF-10266)Low2020.02CWE-200Not applicableJetBrains
MarketplaceUploading malicious file via Screenshots form could cause XSS
(MP-2637)MediumNot applicableCWE-79Not applicableJetBrains WebsiteReflected XSS
at jetbrains.com was possible. Reported by Rahad Chowdhury (JS-11769)HighNot
applicableCWE-79Not applicablePyCharmApple Notarization Service credentials were
included to PyCharm distributive for Windows reported by Ruby Nealon
(IDEA-232217)High2019.3.3, 2019.2.6Not applicableCVE-2020-11694SpaceSession
timeout period was configured improperly (SPACE-4717)LowNot applicableNot
applicableCVE-2020-11795SpaceStored XSS in Space chats was possible. Reported by
Callum Carney (SPACE-6556)MediumNot applicableNot
applicableCVE-2020-11416SpacePassword authentication implementation was insecure
(SPACE-7282)HighNot applicableNot applicableCVE-2020-11796TeamCityPasswords
values were shown not being masked on several pages (TW-64186)Low2019.2.2Not
applicableCVE-2020-11687TeamCityProject administrator was able to see scrambled
password parameters used in a project (TW-58099)Medium2019.2.2Not
applicableCVE-2020-11938TeamCityProject administrator was able to retrieve some
TeamCity server settings (TW-61626)Low2019.1.4Not
applicableCVE-2020-11686TeamCityApplication state kept alive after a user ends
his session (TW-61824)Low2019.2.1Not applicableCVE-2020-11688TeamCityA user
without appropriate permissions was able import settings from settings.kts
(TW-63698)Low2019.2.1Not applicableCVE-2020-11689YouTrackDB export was
accessible to read-only administrators (JT-56001)Low2020.1.659Not
applicableCVE-2020-11692YouTrackDoS could be performed by attaching malformed
TIFF to an issue. Reported by Chris Smith (JT-56407)High2020.1.659Not
applicableCVE-2020-11693IDETalk pluginXXE in IDETalk plugin. (IDEA-220136
reported by Srikanth Ramu)Medium193.4099.10Not applicableCVE-2019-18412IntelliJ
IDEASome Maven repositories are accessed via HTTP instead of HTTPs.
(IDEA-216282)High2019.3Not applicableCVE-2020-7904IntelliJ IDEAPorts listened to
by IntelliJ IDEA are exposed to the network. (IDEA-219695)Low2019.3Not
applicableCVE-2020-7905IntelliJ IDEAXSLT debugger plugin misconfiguration allows
arbitrary file read over network. (IDEA-216621 reported by Anatoly
Korniltsev)Medium2019.3Not applicableCVE-2020-7914JetBrains AccountProfile names
are exposed by email. (JPF-9219 reported by Timon Birk)Low2019.11CWE-200Not
applicableJetBrains AccountMissing secure flag for cookie.
(JPF-9857)Low2019.11CWE-614Not applicableJetBrains AccountInsufficient
authentication on contact view. (JPF-10024)High2019.11CWE-287Not
applicableJetBrains AccountInsufficient authentication on role update.
(JPF-10025)High2019.11CWE-287Not applicableJetBrains AccountXSS on the spending
report page. (JPF-10027)Medium2019.12CWE-79Not applicableJetBrains AccountOpen
redirect during re-acceptance of license agreements.
(JPF-10028)Low2019.11CWE-601Not applicableJetBrains AccountInformation exposure
during processing of license requests. (JPF-10111)High2019.12CWE-200Not
applicableJetBrains MarketplaceXSS on several pages. (MP-2617, MP-2640,
MP-2642)LowNot applicableCWE-79Not applicableJetBrains MarketplaceImproper
access control during plugins upload. (MP-2695)CriticalNot applicableCWE-284Not
applicableJetBrains WebsiteCookie XSS at jetbrains.com. (JS-10969)HighNot
applicableCWE-79Not applicableKtorThe Ktor framework is vulnerable to HTTP
Response Splitting. Reported by Jonathan LeitschuhHigh1.2.6Not
applicableCVE-2019-19389KtorThe Ktor client resends authorization data to a
redirect location. Reported by Jonathan LeitschuhLow1.2.6Not
applicableCVE-2019-19703KtorRequest smuggling is possible when both chunked
Transfer-Encoding and Content-Length are specified. Reported by Jonathan
LeitschuhLow1.3.0Not applicableCVE-2020-5207RiderUnsigned binaries in Windows
installer. (RIDER-30393)Medium2019.3Not applicableCVE-2020-7906Scala
pluginArtifact dependencies were resolved over unencrypted connections.
(SCL-15063)High2019.2.1Not applicableCVE-2020-7907TeamCityReverse Tabnabbing is
possible on several pages. (TW-61710, TW-61726, TW-61727)Low2019.1.5Not
applicableCVE-2020-7908TeamCitySome server-stored passwords can be shown via web
UI. (TW-62674)High2019.1.5Not applicableCVE-2020-7909TeamCityPossible stored XSS
attack by a user with a developer role. (TW-63298)Medium2019.2Not
applicableCVE-2020-7910TeamCityStored XSS on user-level pages.
(TW-63160)High2019.2Not applicableCVE-2020-7911YouTrackCORS misconfiguration on
youtrack.jetbrains.com. (JT-53675)MediumNot applicableCWE-346Not
applicableYouTrackSMTP/Jabber settings can be accessed using backups.
(JT-54139)Medium2019.2.59309Not applicableCVE-2020-7912YouTrackXSS via image
upload at youtrack-workflow-converter.jetbrains.com. (JT-54589)LowNot
applicableCWE-80Not applicableYouTrackXSS via issue description.
(JT-54719)High2019.2.59309Not applicableCVE-2020-7913HubUsername enumeration was
possible through password recovery. JPS-9655, JPS-9938Low2019.1.11738Not
applicableCVE-2019-18360IntelliJ IDEALocal user privilege escalation potentially
allowed arbitrary code execution. IDEA-216623Low2019.2Not
applicableCVE-2019-18361JetBrains AccountAccount removal without
re-authentication was possible. JPF-9611 reported by Siamul
Islam.Medium2019.9CWE-306Not applicableJetBrains AccountPassword reset link was
not invalidated during password change through profile. JPF-9610 reported by
Elliot V. Daniel.Medium2019.8CWE-613Not applicableMPSPorts listened to by MPS
are exposed to the network. MPS-30661Low2019.2.2Not
applicableCVE-2019-18362TeamCityAccess could be gained to the history of builds
of a deleted build configuration under some circumstances.
TW-60957Medium2019.1.2Not applicableCVE-2019-18363TeamCityInsecure Java
Deserialization could potentially allow RCE. TW-61928 reported by Aleksei
"GreenDog" Tiurin.Medium2019.1.4Not applicableCVE-2019-18364TeamCityReverse
tabnabbing was possible on several pages. TW-61323, TW-61725,TW-61726,
TW-61646,TW-62123Low2019.1.4Not applicableCVE-2019-18365TeamCitySecure values
could be exposed to users with the ‘View build runtime parameters and data’
permission.Low2019.1.2Not applicableCVE-2019-18366TeamCityA non-destructive
operation could be performed by a user without the corresponding permissions.
TW-61107Low2019.1.2Not applicableCVE-2019-18367Toolbox AppPrivilege escalation
was possible in the JetBrains Toolbox App for Windows.TBX-3759Low1.15.5666Not
applicableCVE-2019-18368YouTrackRemoving tags from issues list without
corresponding permission was possible. JT-53465Low2019.2.55152Not
applicableCVE-2019-18369YouTrack InCloudSending of arbitrary spam email from a
Youtrack instance was possible. JT-54136, ADM-13823, ADM-34971LowNot
applicableCWE-285Not applicableException AnalyzerInsecure transfer of JetBrains
Account credentials. EXA-652CriticalNot applicableCWE-598Not applicableHubNo way
to set a password to expire automatically. JPS-8816Low2018.4.11436Not
applicableCVE-2019-14955IdeaVimProject data appeared in user level settings.
VIM-1184Medium0.52Not applicableCVE-2019-14957IntelliJ IDEAResolving artifacts
using an http connection, potentially allowing an MITM attack.
IDEA-211231High2019.2Not applicableCVE-2019-14954JetBrains AccountAuthorized
account enumeration. JPF-9370Low2019.5CWE-204Not applicableJetBrains
AccountCross-origin resource sharing misconfiguration (Reported by Vishnu
Vardhan). JPF-9095Low2019.5CWE-942Not applicableJetBrains AccountNo rate
limitation on the account details page. JPF-9704Medium2019.8CWE-770Not
applicableJetBrains AccountNo rate limitation on the licenses page.
JPF-9713High2019.9CWE-770Not applicableJetBrains AccountUnauthorized disclosure
of license email on the licenses page. JPF-9692Critical2019.8CWE-284Not
applicableJetBrains WebsiteReflected XSS. JS-9853MediumNot applicableCWE-79Not
applicableKtorCommand injection through LDAP username.Medium1.2.0-rc, 1.2.0Not
applicableCVE-2019-12736KtorPredictable Salt for user
credentials.Medium1.2.0-rc2, 1.2.0Not applicableCVE-2019-12737PyCharmRemote call
causing an “out of memory” error was possible. PY-35251Low2019.2Not
applicableCVE-2019-14958ReSharperDLL hijacking vulnerability.
RSRP-473674High2019.2Not applicableCVE-2019-16407RiderUnsigned DLL was used in a
distributive. RIDER-27708Medium2019.1.2Not
applicableCVE-2019-14960TeamCityPreviously used unencrypted passwords were
suggested by a web browser’s auto-completion. TW-59759Low2019.1CWE-200Not
applicableTeamCityVMWare plugin did not check SSL certificate.
TW-59562Medium2019.1Not applicableCVE-2019-15042TeamCityRemote Code Execution on
the server with certain network configurations. TW-60430Medium2019.1Not
applicableCVE-2019-15039TeamCityProject administrator could get unauthorized
access to server-level data. TW-60220High2019.1Not
applicableCVE-2019-15035TeamCityProject administrator could execute any command
on the server machine. TW-60219High2019.1Not
applicableCVE-2019-15036TeamCitySecurity has been tightened thanks to using
additional HTTP headers. TW-59034High2019.1Not
applicableCVE-2019-15038TeamCityPossible XSS vulnerabilities on the settings
pages. TW-59870, TW-59852, TW-59817, TW-59838, TW-59816High2019.1Not
applicableCVE-2019-15037TeamCityXSS vulnerability. TW-61242,
TW-61315High2019.1.2Not applicableCVE-2019-15848Toolbox AppUnencrypted
connection to external resources, potentially allowed an MITM attack. TBX-3327,
ADM-30275Low1.15.5605CWE-311CVE-2019-14959UpSourceInsufficient escaping of code
blocks. UP-10387Medium2019.1.1412Not applicableCVE-2019-14961UpSourceCredentials
exposure via RPC command. UP-10344Critical2018.2.1290Not
applicableCVE-2019-12156UpSourceCredentials exposure via RPC command.
UP-10343Critical2018.2.1293Not applicableCVE-2019-12157YouTrackA user could get
a list of project names under certain conditions. JT-53162Low2019.2.53938Not
applicableCVE-2019-14956YouTrackStored XSS via issue attachments.
JT-51077High2019.2.53938Not applicableCVE-2019-14953YouTrackStored XSS on the
issue page. JT-54121High2019.2.56594Not applicableCVE-2019-16171YouTrackStored
XSS in the issues list. JT-52894High2019.1.52584Not
applicableCVE-2019-14952YouTrackA compromised URL was automatically whitelisted
by YouTrack. JT-47653Low2019.1.52545Not
applicableCVE-2019-15041YouTrackCross-Site Request Forgery. JT-30098Low2019.1Not
applicableCVE-2019-15040CLionThe suggested WSL configuration exposed a local SSH
server to the internal network. CPP-15063MediumNot applicableCWE-276Not
applicableHubA user password could appear in the audit events for certain server
settings. JPS-7895High2018.4.11298Not applicableCVE-2019-12847IntelliJ IDEAThe
default configuration for Spring Boot apps was not secure.
IDEA-204439High2018.3.4, 2019.1Not applicableCVE-2019-9186IntelliJ IDEAThe
application server configuration allowed cleartext storage of secrets.
IDEA-201519, IDEA-202483, IDEA-203271High2018.1.8, 2018.2.8, 2018.3.5, 2019.1Not
applicableCVE-2019-9872IntelliJ IDEAThe implementation of storage in the KeePass
database was not secure. IDEA-200066Low2018.3, 2019.1CWE-922Not
applicableIntelliJ IDEAA certain application server configuration allowed
cleartext storage of secrets. IDEA-199911Low2018.3CWE-317Not applicableIntelliJ
IDEAA certain application server configuration allowed cleartext storage of
secrets. IDEA-203613Medium2018.1.8, 2018.2.8, 2018.3.5Not
applicableCVE-2019-9823IntelliJ IDEAA certain remote server configurations
allowed cleartext storage of secrets. IDEA-203272, IDEA-203260, IDEA-206556,
IDEA-206557High2019.1Not applicableCVE-2019-9873IntelliJ IDEAThe run
configuration of certain application servers allowed remote code execution while
running the server with the default settings. IDEA-204570High2017.3.7, 2018.1.8,
2018.2.8, 2018.3.4Not applicableCVE-2019-10104JetBrains AccountAn open redirect
vulnerability via the backUrl parameter was detected. JPF-8899MediumNot
applicableCWE-601Not applicableJetBrains AccountThe host header injection
vulnerability was detected at account.jetbrains.com. ADM-20535MediumNot
applicableCWE-444Not applicableJetBrains MarketplaceSome HTTP Security Headers
were missing. MP-2004MediumNot applicableCWE-693Not applicableJetBrains
MarketplaceA reflected XSS was detected. MP-2001MediumNot applicableCWE-79Not
applicableJetBrains MarketplaceA CSRF vulnerability was detected.
MP-2002MediumNot applicableCWE-352Not applicableJetBrains WebsiteA reflected XSS
was detected. JT-51074LowNot applicableCWE-79Not applicableKotlinThe JetBrains
Kotlin project was resolving artifacts using anhttp connection during the build
process, potentially allowing an MITM attack.Medium1.3.30Not
applicableCVE-2019-10101Kotlin plugin for IntelliJIntelliJ IDEA projects created
using the KotlinIDE template were resolving artifacts using an http connection,
potentially allowing an MITM attack.Medium1.3.30Not
applicableCVE-2019-10102PyCharmA certain remote server configuration allowed
cleartext storage of secrets. PY-32885Medium2018.3.2CWE-209Not
applicableTeamCityA possible stored JavaScript injection was detected.
TW-59419Medium2018.2.3Not applicableCVE-2019-12844TeamCityThe generated Kotlin
DSL settings allowed usage of an unencrypted connection for resolving artifacts.
TW-59379Medium2018.2.3Not applicableCVE-2019-12845TeamCityA possible stored
JavaScript injection requiring a deliberate server administrator action was
detected. TW-55640Medium2018.2.3Not applicableCVE-2019-12843TeamCityIncorrect
handling of user input in ZIP extraction. TW-57143Medium2018.2.2Not
applicableCVE-2019-12841TeamCityA reflected XSS on a user page was detected.
TW-58661Medium2018.2.2Not applicableCVE-2019-12842TeamCityA user without the
required permissions could gain access to some settings.
TW-58571Medium2018.2.2Not applicableCVE-2019-12846YouTrackAn SSRF attack was
possible on a YouTrack server. JT-51121High2018.4.49168Not
applicableCVE-2019-12852YouTrackAn Insecure Direct Object Reference was
possible. JT-51103Low2018.4.49168Not applicableCVE-2019-12866YouTrackCertain
actions could cause privilege escalation for issue attachments.
JT-51080Medium2018.4.49168Not applicableCVE-2019-12867YouTrackA query injection
was possible. JT-51105Low2018.4.49168Not applicableCVE-2019-12850YouTrackA CSRF
vulnerability was detected in one of admin endpoints.
JT-51110Medium2018.4.49852Not applicableCVE-2019-12851YouTrackThe YouTrack
Confluence plugin allowed the SSTI vulnerability. JT-51594Medium1.8.1.3Not
applicableCVE-2019-10100YouTrack InCloudAn unauthorized disclosure of license
details to an attacker #2 was possible. JT-51117LowNot applicableCWE-284Not
applicableHubAdmin account takeover of a system authorized with Hub was
possible. JPS-9594Critical2018.3.11035Not applicableNot applicableHubXXE was
possible. JPS-9616, UP-10218High2018.4.11067Not applicableNot
applicableJetBrains AccountDisclosure of email address within unsuccessful login
attempt. JPF-8663High4.11Not applicableNot applicableTeamCityReflected XSS on
user-level pages. TW-58065, TW-58234High2018.2Not applicableNot
applicableTeamCityStored XSS on the build details page. TW-58129,
TW-58138High2018.2Not applicableNot applicableTeamCityExposure of sensitive
parameter value to a privileged user was possible. TW-56946Medium2018.1.3Not
applicableNot applicableUpSourceA privileged user had access to user credentials
in rare case. UP-10092Medium2018.2.1141Not applicableNot
applicableYouTrackUnauthorized access to project and user details with guest
user banned was possible. JT-50970, JT-49827, JT-50611,
JT-50203High2018.3.47010Not applicableNot applicableYouTrackStored XSS on
YouTrack issue page. JT-50201Low2018.3.47965Not applicableNot applicableYouTrack
InCloudUnauthorized disclosure of YouTrack InCloud subscription information was
possible. JPF-8714, JT-51001High2018.4.48293Not applicableNot applicableYouTrack
InCloudUnauthorized access to the email address of YouTrack InCloud was
possible. JT-50946High2018.4.48293Not applicableNot applicabledotPeekRemote Code
Execution was possible while operating specific files. DOTP-7635High2018.1.4Not
applicableNot applicableHubHub stored license information in log files.
JPS-9187Low2018.2.10527Not applicableNot applicableIntelliJ IDEAInsecure
connection used to access JetBrains resources. IDEA-187601,
IDEA-192440Medium2018.1.5Not applicableNot applicableIntelliJ IDEAIncorrect
handling of user input in ZIP extraction. IDEA-191679, IDEA-191680,
IDEA-193358High2018.2Not applicableNot applicableJetBrains AccountA few customer
profiles were made available without authorization. JPF-8211MediumNot
applicableNot applicableNot applicableJetBrains AccountIt was possible to obtain
customer business email from order reference. JPF-7903MediumNot applicableNot
applicableNot applicableJetBrains MarketplaceXXE vulnerability. MP-1708LowNot
applicableNot applicableNot applicableJetBrains MarketplaceIncorrect handling of
user input in ZIP extraction. MP-1678MediumNot applicableNot applicableNot
applicableReSharperIncorrect handling of user input in ZIP extraction.
RSRP-470115High2018.1.3Not applicableNot applicableTeamCityCSRF vulnerability.
TW-55992Medium2018.1.1Not applicableNot applicableTeamCityChange of project
settings can corrupt settings of other projects. TW-55704Low2018.1.1Not
applicableNot applicableTeamCityPossible privilege escalation while viewing
agent details. TW-56025Medium2018.1.1Not applicableNot
applicableTeamCityPossible unvalidated redirect. TW-56085Medium2018.1.2Not
applicableNot applicableTeamCityReflected XSS vulnerabilities. TW-56490,
TW-56375, TW-56374Medium2018.1.2Not applicableNot applicableTeamCityStored XSS
vulnerabilities. TW-56830, TW-56719Medium2018.1.3Not applicableNot
applicableTeamCityStored XSS vulnerabilities. TW-55214, TW-56126, TW-56127,
TW-56452, TW-56571Medium2018.1.2Not applicableNot applicableYouTrackReflected
XSS vulnerability. JT-48606Medium2018.2.45073Not applicableNot
applicableYouTrackPossible privilege escalation via deprecated REST API.
JT-48605Low2018.2.45073Not applicableNot applicableYouTrackPossible tabnabbing
via issue content. JT-47993Low2018.2.44329Not applicableNot
applicableHubClickJacking vulnerability. JPS-7209Low2017.4.8040Not applicableNot
applicableHubClickJacking vulnerability. JPS-8009Low2018.2.9541Not applicableNot
applicableIntelliJ IDEAROBOT attack vulnerability in certain subsystems.
IDEA-183912Low2018.1.3Not applicableNot applicableScala pluginPossible
unauthenticated access to local compile server. SCL-13584Medium2018.2Not
applicableNot applicableTeamCityPossible privilege escalation to server
administrator. TW-55209High2018.1Not applicableNot applicableTeamCityCSRF attack
vulnerability. TW-55210High2018.1Not applicableNot applicableTeamCityPossible
privilege escalation from project administrator to server administrator.
TW-55211, TW-55684High2018.1Not applicableNot applicableTeamCityPossible
unauthorized removal of installation data by project administrator.
TW-54876High2018.1Not applicableNot applicableTeamCityNetwork access to an agent
allowed potential unauthorized control over the agent. TW-49335Medium2018.1Not
applicableNot applicableTeamCityIn a very specific scenario, an attacker could
steal web responses meant for other users. TW-54486Medium2018.1Not applicableNot
applicableTeamCityStored XSS vulnerabilities on various pages. TW-27206,
TW-54129, TW-55453, TW-55215, TW-55217, TW-55353Medium2018.1Not applicableNot
applicableTeamCityProject viewer could delete non-critical project settings.
TW-55261Medium2018.1Not applicableNot applicableTeamCityNetwork access to a
server allowed potential read access to project settings.
TW-54870Medium2018.1Not applicableNot applicableTeamCityProject viewer could
affect details of some running builds. TW-54975Medium2018.1Not applicableNot
applicableTeamCityReflected XSS vulnerabilities on various pages. TW-55212,
Product | Description | Severity | Fix version | (unlabeled column) | (unlabeled column)
(continued from preceding section) | ... TW-55213 | Medium | 2018.1 | Not applicable | Not applicable
TeamCity | User self-registration might have been enabled by default on new server installation. TW-54741 | Medium | 2017.2.4, 2018.1 | Not applicable | Not applicable
TeamCity | Possible vulnerability to ClickJacking attack from TeamCity UI. TW-33819 | Medium | 2017.2.4, 2018.1 | Not applicable | Not applicable
TeamCity | Project viewer could bypass the "View build runtime parameters and data" permission. TW-55502 | Low | 2018.1 | Not applicable | Not applicable
TeamCity | Network access to a server exposed a vulnerability to DoS attacks. TW-11984 | Low | 2018.1 | Not applicable | Not applicable
TeamCity | Potential to pass authorization cookies without secure flags. TW-55141 | Low | 2018.1 | Not applicable | Not applicable
UpSource | Vulnerability to ClickJacking attack. UP-9673 | Medium | 2018.1 | Not applicable | Not applicable
UpSource | Possible privilege escalation during the configuration process. BND-1154, BND-1579, UP-7359. Reported by Zhiyong Feng from Mobike Security Team | Low | 2018.1 | Not applicable | Not applicable
YouTrack | Stored XSS vulnerabilities from specific pages. JT-47824 | High | 2018.2.42881 | Not applicable | Not applicable
YouTrack | Potential for unauthorized users to view names of SSL keys. JT-47685 | Low | 2018.2.42881 | Not applicable | Not applicable
YouTrack | Swimlane functionality allowed unauthorized changes to a limited number of issue properties. JT-47125 | Low | 2018.2.42133 | Not applicable | Not applicable
dotTrace | dotTrace allowed privilege escalation (PROF-668) | Critical | 2017.1, 2017.2, 2017.3, 2018.1 | Not applicable | Not applicable
Hub | Limitation of login attempts at hub.jetbrains.com was disabled (JPS-7627) | Low | 2018.1.9041 | Not applicable | Not applicable
Hub | It was possible to obtain a new access token for a banned user (JPS-7553) | Low | 2017.4.8440 | Not applicable | Not applicable
IntelliJ IDEA | YourKit profiler port was available externally in EAP builds for Linux (IDEA-184795) | Low | 2018.1 | Not applicable | Not applicable
JetBrains Account | Privilege escalation was possible for JetBrains Account activity log (JPF-7437) | Medium | Not applicable | Not applicable | Not applicable
JetBrains Account | Valid password links might remain upon password reset (JPF-7335) | Low | Not applicable | Not applicable | Not applicable
TeamCity | VCS preview allowed XSS attack (TW-54027) | Medium | 2017.2.3 | Not applicable | Not applicable
TeamCity | Data Directory preview allowed XSS attack (TW-54021) | Low | 2017.2.3 | Not applicable | Not applicable
TeamCity | vmWare plugin settings allowed XSS attack (TW-53984) | High | 2017.2.3 | Not applicable | Not applicable
TeamCity | VCS settings allowed XSS attack (TW-53943, TW-53978) | High | 2017.2.3 | Not applicable | Not applicable
TeamCity | Authentication bypass was possible with certain Windows server configuration (TW-53507) | Medium | 2017.2.2 | Not applicable | Not applicable
TeamCity | Project administrator could run arbitrary code (TW-50054) | High | 2017.2.2 | Not applicable | Not applicable
TeamCity | Build fields allowed XSS attack (TW-53466) | Medium | 2017.2.2 | Not applicable | Not applicable
TeamCity | Multiple XSS vulnerabilities (reported by Viktor Gazdag of NCC Group) (TW-53442) | High | 2017.2.2 | Not applicable | Not applicable
UpSource | Multiple XSS vulnerabilities (reported by Viktor Gazdag of NCC Group) (UP-9606) | Medium | 2017.3.2888 | Not applicable | Not applicable
YouTrack | RSS feed allowed unauthorized access to comments with certain configuration (JT-46375) | Medium | 2018.1.40341 | Not applicable | Not applicable
YouTrack | REST API allowed unauthorized access to attachments of hidden comments (JT-46004) | Medium | 2018.1.40341 | Not applicable | Not applicable
YouTrack | RSS feed allowed unauthorized access to issues list with certain configuration (JT-46159) | High | 2018.1.40066 | Not applicable | Not applicable
YouTrack | Custom fields allowed privilege escalation for guest user account (JT-46115) | Medium | 2018.1.40025 | Not applicable | Not applicable
YouTrack | Issue linking permission bypassing was available via "Create issue linked as..." (JT-25321) | Medium | 2017.4.39533 | Not applicable | Not applicable
YouTrack | Unauthorized access to issue content was possible even if guest user access was restricted in the bundle installer (JT-45284) | Low | 2017.4.39083 | Not applicable | Not applicable
YouTrack | Activity records for private fields were available to users with read-only permissions (JT-45282) | Medium | 2017.4.39083 | Not applicable | Not applicable

Copyright © 2000-2022 JetBrains s.r.o.