Fixed security issues

This page contains information about fixed security issues, including the description, severity, assigned CVE, and the product version in which the issue was fixed.

| Product | Description | Severity | Fixed in | CWE | CVE |
| --- | --- | --- | --- | --- | --- |
| TeamCity | Base64 encoded password could be exposed in build log (TW-91934) | Medium | 2025.03 | CWE-532 | CVE-2025-31139 |
| TeamCity | Stored XSS was possible on Cloud Profiles page (TW-92117) | Medium | 2025.03 | CWE-79 | CVE-2025-31140 |
| TeamCity | Exception could lead to credential leakage on Cloud Profiles page (TW-89110) | Low | 2025.03 | CWE-209 | CVE-2025-31141 |
| GoLand | An XXE during debugging was possible. Reported by Thanh Nguyen (GO-18010) | Medium | 2025.1 | CWE-611 | CVE-2025-29932 |
| JetBrains Runtime | Arbitrary dynamic library execution due to insecure macOS flags was possible. Reported by Waleed Barakat of TikTok US Data Security (JBR-8138) | Medium | 21.0.6b872.80 | CWE-426 | CVE-2025-29903 |
| Ktor | HTTP Request Smuggling was possible. Reported by Jeppe Bonde Weikop (KTOR-8015) | Medium | 3.1.1 | CWE-444 | CVE-2025-29904 |
| TeamCity | Several DOM-based XSS were possible on the Code Inspection Report tab (TW-87505) | Medium | 2024.12.2 | CWE-79 | CVE-2025-26493 |
| TeamCity | Improper Kubernetes connection settings could expose sensitive resources (TW-91106) | High | 2024.12.2 | CWE-522 | CVE-2025-26492 |
| dotTrace | Local Privilege Escalation via the ETW Host Service was possible (DTRC-31503) | High | 2024.3.4, 2024.2.8, 2024.1.7 | CWE-114 | CVE-2025-23385 |
| ETW Host Service | Local Privilege Escalation via the ETW Host Service was possible (DTRC-31503) | High | 16.43 | CWE-114 | CVE-2025-23385 |
| ReSharper | Local Privilege Escalation via the ETW Host Service was possible (DTRC-31503) | High | 2024.3.4, 2024.2.8, 2024.1.7 | CWE-114 | CVE-2025-23385 |
| Rider | Local Privilege Escalation via the ETW Host Service was possible (DTRC-31503) | High | 2024.3.4, 2024.2.8, 2024.1.7 | CWE-114 | CVE-2025-23385 |
| Hub | Privilege escalation was possible via LDAP authentication mapping. Reported by Pavel Supruniuk (HUB-12012) | Medium | 2024.3.55417 | CWE-288 | CVE-2025-24456 |
| TeamCity | Reflected XSS was possible on the Vault Connection page (TW-91124) | Medium | 2024.12.1 | CWE-79 | CVE-2025-24459 |
| TeamCity | Improper access control allowed to see Projects’ names in the agent pool (TW-52375, TW-91367) | Medium | 2024.12.1 | CWE-863 | CVE-2025-24460 |
| TeamCity | Decryption of connection secrets without proper permissions was possible via Test Connection endpoint (TW-91164) | Medium | 2024.12.1 | CWE-862 | CVE-2025-24461 |
| YouTrack | Permanent tokens could be exposed in logs. Reported by Dmitriy Titarenko (JT-86763) | Medium | 2024.3.55417 | CWE-532 | CVE-2025-24457 |
| YouTrack | Account takeover was possible via spoofed email and Helpdesk integration (JT-85444) | High | 2024.3.55417 | CWE-290 | CVE-2025-24458 |
| TeamCity | Improper access control allowed viewing details of unauthorized agents (TW-85841) | Medium | 2024.12 | CWE-863 | CVE-2024-56348 |
| TeamCity | Improper access control allowed unauthorized users to modify build logs (TW-90726) | Medium | 2024.12 | CWE-862 | CVE-2024-56349 |
| TeamCity | Build credentials allowed unauthorized viewing of projects (TW-24904) | Medium | 2024.12 | CWE-863 | CVE-2024-56350 |
| TeamCity | Access tokens were not revoked after removing user roles (TW-76910) | Medium | 2024.12 | CWE-613 | CVE-2024-56351 |
| TeamCity | Stored XSS was possible via image name on the agent details page (TW-89485) | Medium | 2024.12 | CWE-79 | CVE-2024-56352 |
| TeamCity | Backup file exposed user credentials and session cookies. Reported by Thomas Siegbert (TW-89719) | Medium | 2024.12 | CWE-212 | CVE-2024-56353 |
| TeamCity | Password field values were accessible to users with view settings permission (TW-49870) | Medium | 2024.12 | CWE-522 | CVE-2024-56354 |
| TeamCity | Missing Content-Type header in RemoteBuildLogController response could lead to XSS (TW-80940) | Medium | 2024.12 | CWE-79 | CVE-2024-56355 |
| TeamCity | Insecure XMLParser configuration could lead to potential XXE attack (TW-86582) | Medium | 2024.12 | CWE-611 | CVE-2024-56356 |
| YouTrack | Unauthenticated database backup download was possible via vulnerable query parameter (JT-85385) | Low | 2024.3.51866 | CWE-862 | CVE-2024-54153 |
| YouTrack | System takeover was possible through path traversal in plugin sandbox (JT-85298) | High | 2024.3.51866 | CWE-23 | CVE-2024-54154 |
| YouTrack | Improper access control allowed listing of project names during app import without authentication. Reported by Tom Gionfriddo (JT-85830) | Low | 2024.3.51866 | CWE-862 | CVE-2024-54155 |
| YouTrack | Multiple merge functions were vulnerable to prototype pollution attack (JT-85614) | Medium | 2024.3.52635 | CWE-1321 | CVE-2024-54156 |
| YouTrack | Potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector (JT-85443) | Medium | 2024.3.52635 | CWE-1333 | CVE-2024-54157 |
| YouTrack | Potential spoofing attack was possible via lack of Punycode encoding (JT-85607) | Low | 2024.3.52635 | CWE-173 | CVE-2024-54158 |
| WebStorm | Code execution in Untrusted Project mode was possible via type definitions installer script. Reported by Ramast Magdy (WEB-69576) | Medium | 2024.3 | CWE-349 | CVE-2024-52555 |
| Hub | Improper access control allowed users to generate permanent tokens for unauthorized services (HUB-11932) | Medium | 2024.3.47707 | CWE-862 | CVE-2024-50573 |
| YouTrack | Potential ReDoS exploit was possible via email header parsing in Helpdesk functionality (JT-85386) | Medium | 2024.3.47707 | CWE-1333 | CVE-2024-50574 |
| YouTrack | Reflected XSS was possible in Widget API (JT-85387) | Medium | 2024.3.47707 | CWE-79 | CVE-2024-50575 |
| YouTrack | Stored XSS was possible via vendor URL in App manifest (JT-85389) | Medium | 2024.3.47707 | CWE-79 | CVE-2024-50576 |
| YouTrack | Stored XSS was possible via Angular template injection in Hub settings (JT-85384) | Medium | 2024.3.47707 | CWE-79 | CVE-2024-50577 |
| YouTrack | Stored XSS was possible via sprint value on agile boards page (JT-85299) | Medium | 2024.3.47707 | CWE-79 | CVE-2024-50578 |
| YouTrack | Reflected XSS due to insecure link sanitization was possible (JT-85383) | Medium | 2024.3.47707 | CWE-79 | CVE-2024-50579 |
| YouTrack | Multiple XSS were possible due to insecure markdown parsing and custom rendering rule (JT-85295) | Medium | 2024.3.47707 | CWE-79 | CVE-2024-50580 |
| YouTrack | Improper HTML sanitization could lead to XSS attack via comment tag (JT-85296) | Medium | 2024.3.47707 | CWE-79 | CVE-2024-50581 |
| YouTrack | Stored XSS was possible due to improper HTML sanitization in markdown elements (JT-85297) | Medium | 2024.3.47707 | CWE-79 | CVE-2024-50582 |
| Ktor | Improper caching in HttpCache Plugin could lead to response information disclosure. Reported by Nils Barlaug (KTOR-7483) | Medium | 2.3.13 | CWE-524 | CVE-2024-49580 |
| YouTrack | Insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests (JT-85294) | High | 2024.3.47197 | CWE-940 | CVE-2024-49579 |
| YouTrack | Improper access control allowed users with project update permission to delete applications via API | Medium | 2024.3.46677 | CWE-862 | CVE-2024-48902 |
| TeamCity | Password could be exposed via Sonar runner REST API (TW-64557) | Medium | 2024.07.3 | CWE-522 | CVE-2024-47161 |
| TeamCity | Path traversal leading to information disclosure was possible via server backups. Reported by Thomas Siegbert (TW-89721) | Medium | 2024.07.3 | CWE-23 | CVE-2024-47948 |
| TeamCity | Path traversal allowed backup file write to arbitrary location. Reported by Thomas Siegbert (TW-89723) | Medium | 2024.07.3 | CWE-23 | CVE-2024-47949 |
| TeamCity | Stored XSS was possible in Backup configuration settings. Reported by Thomas Siegbert (TW-89700) | Low | 2024.07.3 | CWE-79 | CVE-2024-47950 |
| TeamCity | Stored XSS was possible via server global settings (TW-88983) | Low | 2024.07.3 | CWE-79 | CVE-2024-47951 |
| YouTrack | User without appropriate permissions could restore workflows attached to a project (JT-82431) | Medium | 2024.3.44799 | CWE-863 | CVE-2024-47159 |
| YouTrack | Access to global app config data without appropriate permissions was possible (JT-81376) | Medium | 2024.3.44799 | CWE-863 | CVE-2024-47160 |
| YouTrack | Token could be revealed on Imports page (JT-82142) | Medium | 2024.3.44799 | CWE-522 | CVE-2024-47162 |
| IntelliJ IDEA | HTML injection via the project name was possible (IJPL-8358) | Low | 2024.1 | CWE-79 | CVE-2024-46970 |
| TeamCity | Possible privilege escalation due to incorrect directory permissions. Reported by Crispr Xiang from TianShu Dubhe Team (TW-87656) | High | 2024.07.1 | CWE-276 | CVE-2024-43114 |
| TeamCity | Multiple stored XSS was possible on Clouds page (TW-85512) | Medium | 2024.07.1 | CWE-79 | CVE-2024-43807 |
| TeamCity | Self XSS was possible in the HashiCorp Vault plugin (TW-84492) | Low | 2024.07.1 | CWE-79 | CVE-2024-43808 |
| TeamCity | Reflected XSS was possible on the agentPushPreset page (TW-84016) | Low | 2024.07.1 | CWE-79 | CVE-2024-43809 |
| TeamCity | Reflected XSS was possible in the AWS Core plugin (TW-86958) | Medium | 2024.07.1 | CWE-79 | CVE-2024-43810 |
| TeamCity | Parameters of the "password" type could leak into the build log in some specific cases (TW-67957) | Medium | 2024.07 | CWE-532 | CVE-2024-41824 |
| TeamCity | Stored XSS was possible on the Code Inspection tab (TW-83483) | Medium | 2024.07 | CWE-79 | CVE-2024-41825 |
| TeamCity | Stored XSS was possible on Show Connection page (TW-86935) | Low | 2024.07 | CWE-79 | CVE-2024-41826 |
| TeamCity | Access tokens could continue working after deletion or expiration (TW-76857) | High | 2024.07 | CWE-613 | CVE-2024-41827 |
| TeamCity | Comparison of authorization tokens took non-constant time (TW-85815) | Low | 2024.07 | CWE-208 | CVE-2024-41828 |
| TeamCity | An OAuth code for JetBrains Space could be stolen via Space Application connection (TW-84124) | Low | 2024.07 | CWE-303 | CVE-2024-41829 |
| TeamCity | Private key could be exposed via testing GitHub App Connection (TW-88255) | Medium | 2024.03.3 | CWE-522 | CVE-2024-39878 |
| TeamCity | Application token could be exposed in EC2 Cloud Profile settings (TW-88399) | Medium | 2024.03.3 | CWE-522 | CVE-2024-39879 |
| Hub | Stored XSS via project description was possible. Reported by Krzysztof Kamiński (HUB-11601) | Low | 2024.2.34646 | CWE-79 | CVE-2024-38507 |
| YouTrack | The Guest User Account was enabled for attaching files to articles (JT-81902) | Medium | 2024.2.34646 | CWE-862 | CVE-2024-38504 |
| YouTrack | User access token was sent to the third-party site. Reported by Sergey Zotov (JT-81798) | Medium | 2024.2.34646 | CWE-522 | CVE-2024-38505 |
| YouTrack | User without appropriate permissions could enable the auto-attach option for workflows (JT-81214) | Medium | 2024.2.34646 | CWE-862 | CVE-2024-38506 |
| Aqua | GitHub access token could be exposed to third-party sites (IJPL-155883) | Critical | 2024.1.2 | CWE-522 | CVE-2024-37051 |
| CLion | GitHub access token could be exposed to third-party sites (IJPL-155883) | Critical | 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2 | CWE-522 | CVE-2024-37051 |
| DataGrip | GitHub access token could be exposed to third-party sites (IJPL-155883) | Critical | 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4 | CWE-522 | CVE-2024-37051 |
| DataSpell | GitHub access token could be exposed to third-party sites (IJPL-155883) | Critical | 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1 | CWE-522 | CVE-2024-37051 |
| GoLand | GitHub access token could be exposed to third-party sites (IJPL-155883) | Critical | 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3 | CWE-522 | CVE-2024-37051 |
| IntelliJ IDEA | GitHub access token could be exposed to third-party sites (IJPL-155883) | Critical | 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3 | CWE-522 | CVE-2024-37051 |
| MPS | GitHub access token could be exposed to third-party sites (IJPL-155883) | Critical | 2023.2.1, 2023.3.1, 2024.1 EAP2 | CWE-522 | CVE-2024-37051 |
| PhpStorm | GitHub access token could be exposed to third-party sites (IJPL-155883) | Critical | 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3 | CWE-522 | CVE-2024-37051 |
| PyCharm | GitHub access token could be exposed to third-party sites (IJPL-155883) | Critical | 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2 | CWE-522 | CVE-2024-37051 |
| Rider | GitHub access token could be exposed to third-party sites (IJPL-155883) | Critical | 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3 | CWE-522 | CVE-2024-37051 |
| RubyMine | GitHub access token could be exposed to third-party sites (IJPL-155883) | Critical | 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4 | CWE-522 | CVE-2024-37051 |
| RustRover | GitHub access token could be exposed to third-party sites (IJPL-155883) | Critical | 2024.1.1 | CWE-522 | CVE-2024-37051 |
| WebStorm | GitHub access token could be exposed to third-party sites (IJPL-155883) | Critical | 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4 | CWE-522 | CVE-2024-37051 |
| TeamCity | Path traversal allowing to read files from server was possible (TW-87898) | Medium | 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 | CWE-23 | CVE-2024-36362 |
| TeamCity | Several Stored XSS in code inspection reports were possible (TW-83495) | Medium | 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 | CWE-79 | CVE-2024-36363 |
| TeamCity | Improper access control in Pull Requests and Commit status publisher build features was possible (TW-84931) | Medium | 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 | CWE-863 | CVE-2024-36364 |
| TeamCity | A third-party agent could impersonate a cloud agent (TW-87450) | Medium | 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 | CWE-863 | CVE-2024-36365 |
| TeamCity | An XSS could be executed via certain report grouping and filtering operations (TW-83893) | Medium | 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 | CWE-79 | CVE-2024-36366 |
| TeamCity | Stored XSS via third-party reports was possible (TW-83270) | Medium | 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 | CWE-79 | CVE-2024-36367 |
| TeamCity | Reflected XSS via OAuth provider configuration was possible (TW-83485) | Medium | 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 | CWE-79 | CVE-2024-36368 |
| TeamCity | Stored XSS via issue tracker integration was possible (TW-83149) | Medium | 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 | CWE-79 | CVE-2024-36369 |
| TeamCity | Stored XSS via OAuth connection settings was possible (TW-83658) | Medium | 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 | CWE-79 | CVE-2024-36370 |
| TeamCity | Stored XSS in Commit status publisher was possible (TW-84958) | Medium | 2023.05.6, 2023.11.5 | CWE-79 | CVE-2024-36371 |
| TeamCity | Reflected XSS on the subscriptions page was possible (TW-83892) | Medium | 2023.05.6 | CWE-79 | CVE-2024-36372 |
| TeamCity | Several stored XSS in untrusted builds settings were possible (TW-87421) | Medium | 2024.03.2 | CWE-79 | CVE-2024-36373 |
| TeamCity | Stored XSS via build step settings was possible (TW-87381) | Medium | 2024.03.2 | CWE-79 | CVE-2024-36374 |
| TeamCity | Technical information regarding TeamCity server could be exposed (TW-87468) | Medium | 2024.03.2 | CWE-209 | CVE-2024-36375 |
| TeamCity | Users could perform actions that should not be available to them based on their permissions (TW-83710) | Medium | 2024.03.2 | CWE-863 | CVE-2024-36376 |
| TeamCity | Certain TeamCity API endpoints did not check user permissions (TW-83647) | Medium | 2024.03.2 | CWE-863 | CVE-2024-36377 |
| TeamCity | Server was susceptible to DoS attacks with incorrect auth tokens (TW-87071) | Medium | 2024.03.2 | CWE-770 | CVE-2024-36378 |
| TeamCity | Authentication bypass was possible in specific edge cases even when the security patch plugin is installed (TW-86860) | High | 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 | CWE-288 | CVE-2024-36470 |
| TeamCity | Several Stored XSS in the available updates page were possible (TW-87050) | Low | 2024.03.1 | CWE-79 | CVE-2024-35300 |
| TeamCity | Commit status publisher didn't check project scope of the GitHub App token (TW-86523) | Medium | 2024.03.1 | CWE-280 | CVE-2024-35301 |
| TeamCity | Stored XSS during restore from backup was possible (TW-82309) | Medium | 2023.11 | CWE-79 | CVE-2024-35302 |
| YouTrack | The SMTPS protocol communication lacked proper certificate hostname validation. Reported by Yusuke Yamamoto (JT-80708) | Medium | 2024.1.29548 | CWE-295 | CVE-2024-35299 |
| TeamCity | Authenticated users without administrative permissions could register other users when self-registration was disabled (TW-87046) | Medium | 2024.03 | CWE-863 | CVE-2024-31134 |
| TeamCity | Open redirect was possible on the login page (TW-87062) | Medium | 2024.03 | CWE-601 | CVE-2024-31135 |
| TeamCity | 2FA could be bypassed by providing a special URL parameter (TW-86989) | High | 2024.03 | CWE-1288 | CVE-2024-31136 |
| TeamCity | Reflected XSS was possible via Space connection configuration. Reported by Linh Dinh (TW-86832) | Medium | 2024.03 | CWE-79 | CVE-2024-31137 |
| TeamCity | XSS was possible via Agent Distribution settings. Reported by Alex Williams from Trend Micro (TW-86535) | Medium | 2024.03 | CWE-79 | CVE-2024-31138 |
| TeamCity | XXE was possible in the Maven build steps detector (TW-86300) | Medium | 2024.03 | CWE-611 | CVE-2024-31139 |
| TeamCity | Server administrators could remove arbitrary files from the server by installing tools (TW-86039) | Medium | 2024.03 | CWE-1288 | CVE-2024-31140 |
| TeamCity | Users with access to the agent machine might obtain permissions of the user running the agent process (TW-83048) | Medium | 2023.11 | CWE-749 | CVE-2024-29880 |
| YouTrack | Creating comments on behalf of an arbitrary user in HelpDesk was possible (JT-79678, JT-79719) | Medium | 2024.1.25893 | CWE-290 | CVE-2024-28228 |
| YouTrack | User without appropriate permissions could restore issues and articles (JT-79924) | Medium | 2024.1.25893 | CWE-863 | CVE-2024-28229 |
| YouTrack | Attaching/detaching workflow to a project was possible without project admin permissions (JT-79758) | Medium | 2024.1.25893 | CWE-862 | CVE-2024-28230 |
| TeamCity | Custom build parameters of the "password" type could be disclosed (TW-86403) | Medium | 2023.11.4 | CWE-201 | CVE-2024-28173 |
| TeamCity | Presigned URL generation requests in S3 Artifact Storage plugin were authorized improperly (TW-85562) | Medium | 2023.11.4 | CWE-863 | CVE-2024-28174 |
| TeamCity | Authentication bypass allowing to perform admin actions was possible. Reported by Rapid7 team (TW-86500) | Critical | 2023.11.4 | CWE-288 | CVE-2024-27198 |
| TeamCity | Path traversal allowing to perform limited admin actions was possible. Reported by Rapid7 team (TW-86502) | High | 2023.11.4 | CWE-23 | CVE-2024-27199 |
| IntelliJ IDEA | Path traversal was possible when unpacking archives (IDEA-339542) | Low | 2023.3.3 | CWE-23 | CVE-2024-24940 |
| IntelliJ IDEA | A plugin for JetBrains Space was able to send an authentication token to an inappropriate URL (IDEA-337274) | Medium | 2023.3.3 | CWE-20 | CVE-2024-24941 |
| Rider | Logging of environment variables containing secret values was possible (RIDER-103340) | Low | 2023.3.3 | CWE-532 | CVE-2024-24939 |
| TeamCity | Path traversal allowed reading data within JAR archives. Reported by Sndav Bai and Crispr Xiang from TianShu Dubhe Team (TW-86017) | Medium | 2023.11.3 | CWE-23 | CVE-2024-24942 |
| TeamCity | Authentication bypass leading to RCE was possible. Reported by Sndav Bai and Crispr Xiang from TianShu Dubhe Team (TW-86005) | Critical | 2023.11.3 | CWE-288 | CVE-2024-23917 |
| Toolbox App | A DoS attack was possible via a malicious SVG image (TBX-9216) | Medium | 2.2 | CWE-400 | CVE-2024-24943 |
| TeamCity | Access control at the S3 Artifact Storage plugin endpoint was missed (TW-85499) | Medium | 2023.11.2 | CWE-285 | CVE-2024-24936 |
| TeamCity | Stored XSS via agent distribution was possible (TW-85880) | Medium | 2023.11.2 | CWE-79 | CVE-2024-24937 |
| TeamCity | Limited directory traversal was possible in the Kotlin DSL documentation (TW-85585) | Medium | 2023.11.2 | CWE-23 | CVE-2024-24938 |
| YouTrack | Stored XSS via markdown was possible. Reported by Sergei Zotov (JT-78995) | Medium | 2023.3.22666 | CWE-79 | CVE-2024-22370 |
| IntelliJ IDEA | Code execution was possible in Untrusted Project mode via a malicious plugin repository specified in the project configuration (IDEA-320814) | Medium | 2023.3.2 | CWE-349 | CVE-2023-51655 |
| TeamCity | A CSRF on login was possible (TW-84796) | Medium | 2023.11.1 | CWE-352 | CVE-2023-50870 |
| YouTrack | Authorization check for inline comments inside thread replies was missed (JT-78444) | Medium | 2023.3.22268 | CWE-285 | CVE-2023-50871 |
| Ktor | Default configuration of ContentNegotiation with XML format was vulnerable to XXE. Reported by Ulf Karlsson (KTOR-6286, Pull Request) | High | 2.3.5 | CWE-611 | CVE-2023-45612 |
| Ktor | Server certificates were not verified (KTOR-6229, Pull Request) | Medium | 2.3.5 | CWE-295 | CVE-2023-45613 |
| TeamCity | Authentication bypass leading to RCE on TeamCity Server was possible. Reported by Stefan Schiller from Sonar (TW-83545) | Critical | 2023.05.4 | CWE-288 | CVE-2023-42793 |
| TeamCity | Stored XSS was possible during nodes configuration (TW-83216) | Low | 2023.05.4 | CWE-79 | CVE-2023-43566 |
| TeamCity | Stored XSS was possible during Cloud Profiles configuration (TW-82867, TW-82475) | Medium | 2023.05.3 | CWE-79 | CVE-2023-41248 |
| TeamCity | Reflected XSS was possible during copying Build Step (TW-82869) | Medium | 2023.05.3 | CWE-79 | CVE-2023-41249 |
| TeamCity | Reflected XSS was possible during user registration (TW-82876) | Low | 2023.05.3 | CWE-79 | CVE-2023-41250 |
| IntelliJ IDEA | Plugin for Space was requesting excessive permissions (IDEA-321747) | Medium | 2023.2 | CWE-250 | CVE-2023-39261 |
| TeamCity | A token with limited permissions could be used to gain full account access (TW-82485) | Medium | 2023.05.2 | CWE-266 | CVE-2023-39173 |
| TeamCity | A ReDoS attack was possible via integration with issue trackers (TW-82283) | Medium | 2023.05.2 | CWE-1333 | CVE-2023-39174 |
| TeamCity | Reflected XSS via GitHub integration was possible (TW-82472) | Medium | 2023.05.2 | CWE-79 | CVE-2023-39175 |
| IntelliJ IDEA | License dialog could be suppressed in certain cases. Reported by Bilawal Imdad (IDEA-324171) | Low | 2023.1.4 | CWE-754 | CVE-2023-38069 |
| TeamCity | Stored XSS when using a custom theme was possible (TW-82270) | Medium | 2023.05.1 | CWE-79 | CVE-2023-38061 |
| TeamCity | Parameters of the "password" type could be shown in the UI in certain composite build configurations (TW-82022) | Medium | 2023.05.1 | CWE-200 | CVE-2023-38062 |
| TeamCity | Stored XSS while running custom builds was possible (TW-81723) | Medium | 2023.05.1 | CWE-79 | CVE-2023-38063 |
| TeamCity | Build chain parameters of the "password" type could be written to the agent log (TW-81846) | Medium | 2023.05.1 | CWE-532 | CVE-2023-38064 |
| TeamCity | Stored XSS while viewing the build log was possible (TW-81777) | Medium | 2023.05.1 | CWE-79 | CVE-2023-38065 |
| TeamCity | Reflected XSS via the Referer header was possible during artifact downloads (TW-80993) | Medium | 2023.05.1 | CWE-79 | CVE-2023-38066 |
| TeamCity | Build parameters of the "password" type could be written to the agent log (TW-80002) | Medium | 2023.05.1 | CWE-532 | CVE-2023-38067 |
| YouTrack | Captcha was not properly validated for Helpdesk forms (JT-75029) | Medium | 2023.1.16597 | CWE-799 | CVE-2023-38068 |
| YouTrack | A DoS attack was possible via Helpdesk forms (JT-75136) | High | 2023.1.10518 | CWE-400 | CVE-2023-35053 |
| YouTrack | Stored XSS in a Markdown-rendering engine was possible (JT-75230) | Medium | 2023.1.10518 | CWE-79 | CVE-2023-35054 |
| Ktor | Headers containing authentication data could be added to the exception's message (KTOR-5900, Pull Request) | Low | 2.3.1 | CWE-209 | CVE-2023-34339 |
| TeamCity | Bypass of permission checks allowing to perform admin actions was possible. Reported by Isaac Peka (TW-81566) | Critical | 2023.05, 2022.10.4 | CWE-863 | CVE-2023-34218 |
| TeamCity | Improper permission checks allowed users without appropriate permissions to edit Build Configuration settings via REST API. Reported by Olof Lindberg (TW-80538) | Medium | 2023.05, 2022.10.4 | CWE-285 | CVE-2023-34219 |
| TeamCity | Stored XSS in the Commit Status Publisher window was possible (TW-80262) | Medium | 2023.05, 2022.10.4 | CWE-79 | CVE-2023-34220 |
| TeamCity | Stored XSS in the Show Connection page was possible (TW-81182) | Medium | 2023.05 | CWE-79 | CVE-2023-34221 |
| TeamCity | XSS in the Plugin Vendor URL was possible (TW-80378) | Medium | 2023.05 | CWE-79 | CVE-2023-34222 |
| TeamCity | Parameters of the "password" type from build dependencies could be logged in some cases (TW-81338) | Medium | 2023.05 | CWE-532 | CVE-2023-34223 |
| TeamCity | Open redirect during oAuth configuration was possible (TW-79888) | Medium | 2023.05 | CWE-601 | CVE-2023-34224 |
| TeamCity | Stored XSS in the NuGet feed page was possible (TW-81031) | Medium | 2023.05 | CWE-79 | CVE-2023-34225 |
| TeamCity | Reflected XSS in the Subscriptions page was possible (TW-80881) | Medium | 2023.05 | CWE-79 | CVE-2023-34226 |
| TeamCity | A specific endpoint was vulnerable to brute force attacks (TW-80842) | Medium | 2023.05, 2022.10.4 | CWE-749 | CVE-2023-34227 |
| TeamCity | Authentication checks were missing – 2FA was not checked for some sensitive account actions (TW-73544) | Medium | 2023.05 | CWE-308 | CVE-2023-34228 |
| TeamCity | Stored XSS in GitLab Connection page was possible (TW-80174) | Medium | 2023.05, 2022.10.4 | CWE-79 | CVE-2023-34229 |
| Toolbox App | A DYLIB injection on macOS was possible. Reported by Dimitrie-Toma Furdui (TBX-9047) | Medium | 1.28 | CWE-691 | CVE-2022-48481 |
| Hub | SSRF protection in Auth Module integration was missing (HUB-11380) | Medium | 2023.1.15725 | CWE-918 | CVE-2022-48477 |
| Ktor | Path traversal in the `resolveResource` method was possible. Reported by Vasco Franco (KTOR-5733, Pull Request) | High | 2.3.0 | CWE-35 | CVE-2022-48476 |
| PhpStorm | Source code could be logged in the local idea.log file (WI-71063) | Low | 2023.1 | CWE-532 | CVE-2022-48435 |
| IntelliJ IDEA | File content could be disclosed via an external stylesheet path in Markdown preview (IDEA-297583) | Medium | 2023.1 | CWE-200 | CVE-2022-48430 |
| IntelliJ IDEA | In some cases, Gradle and Maven projects could be imported without the “Trust Project” confirmation (IDEA-262839) | Medium | 2023.1 | CWE-345 | CVE-2022-48431 |
| IntelliJ IDEA | The bundled version of Chromium wasn't sandboxed (IDEA-284121) | Medium | 2023.1 | CWE-1188 | CVE-2022-48432 |
| IntelliJ IDEA | The NTLM hash could leak through an API method used in the IntelliJ IDEA built-in web server (IDEA-303249) | Medium | 2023.1 | CWE-522 | CVE-2022-48433 |
| Hub | Reflected XSS in dashboards was possible (HUB-11421) | Medium | 2022.3.15573, 2022.2.15572, 2022.1.15583 | CWE-79 | CVE-2022-48429 |
| TeamCity | Stored XSS in Perforce connection settings was possible (TW-79891) | Medium | 2022.10.3 | CWE-79 | CVE-2022-48426 |
| TeamCity | Stored XSS on “Pending changes” and “Changes” tabs was possible (TW-80199) | Medium | 2022.10.3 | CWE-79 | CVE-2022-48427 |
| TeamCity | Stored XSS on the SSH keys page was possible (TW-80097) | Medium | 2022.10.3 | CWE-79 | CVE-2022-48428 |
| JetBrains Marketplace | There was a stored XSS vulnerability in the list of suggested plugins (MP-4822) | Medium | Not applicable | CWE-79 | Not applicable |
| JetBrains Marketplace | Throttling was not in place for comment creation. Reported by Keroles Magdy (MP-4857) | Low | Not applicable | CWE-770 | Not applicable |
| JetBrains Website | SSRF leading to AWS metadata disclosure was possible. Reported by Peter Af Geijerstam (JS-17660) | Medium | Not applicable | CWE-918 | Not applicable |
| JetBrains Website | Server version and stack trace were disclosed to unauthorized users (JS-16718) | Low | Not applicable | CWE-209 | Not applicable |
| JetBrains Website | It was possible to launch cookie bomb attacks, leading to DoS. Reported by Multansingh Medtiya (JS-17550) | Medium | Not applicable | CWE-703 | Not applicable |
| JetBrains Website | There was a reflected XSS vulnerability in the Space instance registration process. Reported by Rahul Karki (SPACE-17966) | Medium | Not applicable | CWE-79 | Not applicable |
| Space | Throttling was not in place for a password reset. Reported by Hasan Khan (SPACE-17349) | Low | Not applicable | CWE-770 | Not applicable |
| TeamCity | JVMTI was enabled by default on agents. Reported by Hj Chai (TW-78552) | Medium | 2022.10.2 | CWE-1188 | CVE-2022-48342 |
| TeamCity | There was an XSS vulnerability in the user creation process (TW-78783) | Medium | 2022.10.2 | CWE-79 | CVE-2022-48343 |
| TeamCity | There was an XSS vulnerability in the group creation process (TW-78786) | Medium | 2022.10.2 | CWE-79 | CVE-2022-48344 |
| JetBrains Marketplace | Stored XSS in the list of plugin ideas (MP-4824) | Medium | Not applicable | CWE-79 | Not applicable |
| JetBrains Website | Reflected XSS in JetBrains Blog (JS-16355) | Medium | Not applicable | CWE-79 | Not applicable |
| IntelliJ IDEA | The "Validate JSP File" action used the HTTP protocol to download required JAR files (IDEA-305732) | Medium | 2022.3.1 | CWE-319 | CVE-2022-47895 |
| IntelliJ IDEA | Code Templates were vulnerable to SSTI attacks. Reported by Krypton (IDEA-306345) | Medium | 2022.3.1 | CWE-1336 | CVE-2022-47896 |
| Space | The second authentication factor wasn't checked during the password reset. Reported by Bharat (SPACE-15087) | Medium | Not applicable | CWE-304 | Not applicable |
| IntelliJ IDEA | A buffer overflow in the fsnotifier daemon on macOS was possible (IDEA-302494) | Medium | 2022.2.4 | CWE-120 | CVE-2022-46824 |
| IntelliJ IDEA | The built-in web server leaked information about open projects (IDEA-297741) | Medium | 2022.3 | CWE-200 | CVE-2022-46825 |
| IntelliJ IDEA | The built-in web server allowed an arbitrary file to be read by exploiting a path traversal vulnerability (IDEA-304713) | Medium | 2022.3 | CWE-35 | CVE-2022-46826 |
| IntelliJ IDEA | An XXE attack leading to SSRF via requests to custom plugin repositories was possible (IDEA-302855) | Low | 2022.3 | CWE-611 | CVE-2022-46827 |
| IntelliJ IDEA | A DYLIB injection on macOS was possible. Independently reported by Anthony Viriya and Kang Ali (IDEA-298179) | Medium | 2022.3 | CWE-691 | CVE-2022-46828 |
| JetBrains Gateway | A client could connect without a valid token if the host consented (GTW-1786) | High | 2022.3 | CWE-287 | CVE-2022-46829 |
| Space | Profiles were improperly added to random projects, including restricted ones | Medium | Not applicable | CWE-668 | Not applicable |
| TeamCity | A custom STS endpoint allowed internal port scanning (TW-78415) | Medium | 2022.10.1 | CWE-918 | CVE-2022-46830 |
| TeamCity | Connecting to AWS using the "Default Credential Provider Chain" allowed TeamCity project administrators to access AWS resources normally limited to TeamCity system administrators (TW-78416) | Medium | 2022.10.1 | CWE-453 | CVE-2022-46831 |
| Hub | Throttling was missed when sending emails to a particular email address. Reported by Keroles Magdy (HUB-11260) | Low | 2022.3.15181 | CWE-770 | CVE-2022-45471 |
| TeamCity Cloud | EBS storage objects were not encrypted (TCC-175) | Low | Not applicable | CWE-311 | Not applicable |
| TeamCity Cloud | Passwords for agent user accounts built from the same image were not randomized (TCC-188) | Medium | Not applicable | CWE-331 | Not applicable |
| TeamCity | Excessive access permissions for secure token health items (TW-73518) | Low | 2022.10 | CWE-284 | CVE-2022-44622 |
| TeamCity | Project Viewer could see scrambled secure values in the MetaRunner settings (TW-76796) | Medium | 2022.10 | CWE-538 | CVE-2022-44623 |
| TeamCity | Password parameters could be exposed in the build log if they contained special characters (TW-77048) | Medium | 2022.10 | CWE-532 | CVE-2022-44624 |
| TeamCity | No audit items were added upon editing a user's settings (TW-75537) | Low | 2022.10 | CWE-223 | CVE-2022-44646 |
| JetBrains Account | Throttling was missed on some pages. Reported by Manthan Mahale (JPF-13346) | Low | 2022.09 | CWE-770 | Not applicable |
| TeamCity | Environmental variables of "password" type could be logged when using custom Perforce executable. Reported by Pierre Hosteins and Yvan Serykh (TW-77474) | Medium | 2022.04.4 | CWE-532 | CVE-2022-40979 |
| JetBrains Website | Open redirect on jetbrains.com.cn. Reported by Koutrouss Naddara (JS-17099) | Medium | Not applicable | CWE-601 | Not applicable |
| IntelliJ IDEA | The installer was vulnerable to EXE search order hijacking. Reported by Dmitry Zemlyakov (IDEA-295424) | High | 2022.2.2 | CWE-427 | CVE-2022-40978 |
| JetBrains Website | The JetBrains blog was vulnerable to CSS injection (JS-16353) | Low | Not applicable | CWE-79 | Not applicable |
| Ktor | Ktor was vulnerable to the Reflect File Download attack. Reported by Motoyasu Saburi (KTOR-4669, Pull Request) | Medium | 2.1.0 | CWE-184 | CVE-2022-38179 |
| Ktor | The wrong authentication provider could be selected in some cases. Reported by Andrew Bryan (KTOR-4618, Pull Request) | Medium | 2.1.0 | CWE-287 | CVE-2022-38180 |
| TeamCity | The private SSH key could be written to the server log in some cases (TW-76758) | Low | 2022.04.3 | CWE-532 | CVE-2022-38133 |
| Rider | Trust and Open Project dialog bypass, leading to local code execution (RIDER-74325, RIDER-74328) | Medium | 2022.2 | CWE-94 | CVE-2022-37396 |
| IntelliJ IDEA | Local code execution was possible via a Vagrant executable (IDEA-288325) | Low | 2022.2 | CWE-94 | CVE-2022-37009 |
| IntelliJ IDEA | Missing email address validation in the "Git User Name Is Not Defined" dialog. Reported by Carolos Foscolos (IDEA-291960) | Low | 2022.2 | CWE-20 | CVE-2022-37010 |
| TeamCity | The private SSH key could be written to the build log in some cases (TW-76651) | Medium | 2022.04.2 | CWE-532 | CVE-2022-36321 |
| TeamCity | Build parameter injection was possible. Reported by Micky Sung (TW-76356) | Medium | 2022.04.2 | CWE-88 | CVE-2022-36322 |
| Hub | Insufficient access control allowed the hijacking of untrusted services in Hub. Reported by Yurii Sanin (HUB-10771) | Low | 2022.2.14799 | CWE-284 | CVE-2022-34894 |
| JetBrains Website | Potential XSS via Origin header. Reported by Nidhin Sabu (JPF-13063) | Low | Not applicable | CWE-79 | Not applicable |
| Ktor | SHA1 implementation in Ktor Native was returning the same value (KTOR-4217, Pull Request) | High | 2.0.1 | CWE-342 | CVE-2022-29930 |
| TeamCity | Reflected XSS on the Build Chain Status page (TW-75231) | Medium | 2022.04 | CWE-79 | CVE-2022-29927 |
| TeamCity | Possible leak of secrets in TeamCity agent logs (TW-74263, TW-68807) | Medium | 2022.04 | CWE-532 | CVE-2022-29928 |
| TeamCity | Potential XSS via Referrer header (TW-75605) | Low | 2022.04 | CWE-79 | CVE-2022-29929 |
| Hub | Stored XSS via project icon. Reported by Julian Muñoz (HUB-11155) | Medium | 2022.1.14638 | CWE-79 | CVE-2022-29811 |
| IntelliJ IDEA | Insufficient notification about using Unicode directionality formatting characters (IDEA-284151) | Low | 2022.1 | CWE-176 | CVE-2022-29812 |
| IntelliJ IDEA | Local code execution via custom Pandoc path (IDEA-288269) | Medium | 2022.1 | CWE-94 | CVE-2022-29813 |
| IntelliJ IDEA | Local code execution via HTML descriptions in custom JSON schemas (IDEA-283967) | Medium | 2022.1 | CWE-94 | CVE-2022-29814 |
| IntelliJ IDEA | Local code execution via workspace settings (IDEA-283824, IDEA-283968) | Medium | 2022.1 | CWE-94 | CVE-2022-29815 |
| IntelliJ IDEA | HTML injection into IDE messages (IDEA-287428) | Low | 2022.1 | CWE-74 | CVE-2022-29816 |
| IntelliJ IDEA | Reflected XSS via error messages in internal web server (IDEA-283994) | Low | 2022.1 | CWE-79 | CVE-2022-29817 |
| IntelliJ IDEA | Flawed origin checks in the internal web server (IDEA-283586) | Low | 2022.1 | CWE-346 | CVE-2022-29818 |
| IntelliJ IDEA | Local code execution via links in Quick Documentation (IDEA-289398) | Medium | 2022.1 | CWE-94 | CVE-2022-29819 |
| PyCharm | Exposure of the debugger port to the internal network (PY-52288) | Low | 2022.1 | CWE-1327 | CVE-2022-29820 |
| Rider | Local code execution via links in ReSharper Quick Documentation (RIDER-74099) | Medium | 2022.1 | CWE-94 | CVE-2022-29821 |
| TeamCity Cloud | Potential disclosure of built-in OAuth2 connectors' secrets. Reported by Yurii Sanin (TCC-346) | High | Not applicable | CWE-522 | Not applicable |
| TeamCity Cloud | Session takeover via OAuth client manipulation. Reported by Yurii Sanin (TCC-347, TCC-349, TCC-351) | High | Not applicable | CWE-345 | Not applicable |
| TeamCity Cloud | Session takeover using open redirect misconfiguration. Reported by Yurii Sanin (TCC-348) | High | Not applicable | CWE-601 | Not applicable |
| TeamCity Cloud | VCS credentials disclosure via repository URL manipulation. Reported by Yurii Sanin (TCC-355, TCC-358) | Medium | Not applicable | CWE-522 | Not applicable |
| Ktor | Random values used for nonce generation in Ktor Native weren't using SecureRandom implementations. Reported by Dan Wallach (KTOR-3656, Pull Request) | Low | 2.0.0 | CWE-330 | CVE-2022-29035 |
| JetBrains Account | It was possible to take over accounts linked to outlook.* email addresses via GitHub SSO. Reported by Adrian Weber (JPF-12877) | Critical | 2022.04 | CWE-697 | Not applicable |
| IntelliJ IDEA | It was possible to get passwords from protected fields (IDEA-289085) | High | 2021.3.3 | CWE-497 | CVE-2022-28651 |
| YouTrack | HTML code from the issue description was being rendered (JT-58282) | Medium | 2022.1.43563 | CWE-80 | CVE-2022-28648 |
| YouTrack | It was possible to include an iframe from a third-party domain in the issue description (JT-68626) | Medium | 2022.1.43563 | CWE-1021 | CVE-2022-28649 |
| YouTrack | It was possible to inject JavaScript into Markdown in the YouTrack Classic UI (JT-68622) | High | 2022.1.43700 | CWE-79 | CVE-2022-28650 |
| Hub | Blind Server-Side Request Forgery (SSRF). Reported by Yurii Sanin (HUB-11052) | Medium | 2021.1.14276 | CWE-918 | CVE-2022-25260 |
| Hub | Reflected XSS. Reported by Yurii Sanin (HUB-10971) | Medium | 2021.1.14276 | CWE-79 | CVE-2022-25259 |
| Hub | SAML request takeover. Reported by Yurii Sanin (HUB-10978) | High | 2022.1.14434 | CWE-345 | CVE-2022-25262 |
| JetBrains Blog | Reflected XSS via tag parameter (BLOG-55) | Medium | Not applicable | CWE-79 | Not applicable |
| JetBrains Marketplace | Stored XSS via plugin fields (MP-4190, MP-4191, MP-4192, MP-4196, MP-4201) | Medium | Not applicable | CWE-79 | Not applicable |
Kotlin WebsiteClickjacking at talkingkotlin.com (KTL-84)LowNot applicableCWE-1021Nicht anwendbar
TeamCityReflected XSS (TW-74044)Medium2021.2.2CWE-79CVE-2022-25261
TeamCityOS command injection in the Agent Push feature configuration. Reported by Cristian Chavez (TW-74822)High2021.2.3CWE-78CVE-2022-25263
TeamCityEnvironmental variables of "password" type could be logged in some cases (TW-74625)Medium2021.2.3CWE-532CVE-2022-25264
YouTrackSSTI via FreeMarker templates. Reported by Matei "Mal" Badanoiu (JT-68075)High2021.4.40426CWE-1336CVE-2022-24442
HubJetBrains Account integration exposed API keys with excessive permissions. Reported by Yurii Sanin (HUB-10958)High2021.1.13890CWE-732CVE-2022-24327
HubAn unprivileged user could perform a DoS. Reported by Yurii Sanin (HUB-10976)High2021.1.13956CWE-74CVE-2022-24328
IntelliJ IDEACode could be executed without the user’s permission on opening a project (IDEA-243002, IDEA-277306, IDEA-282396, IDEA-275917)Medium2021.2.4CWE-345CVE-2022-24345
IntelliJ IDEAPotential LCE via RLO (Right-to-Left Override) characters (IDEA-284150)Medium2021.3.1CWE-176CVE-2022-24346
JetBrains BlogBlind SQL injection. Reported by Khan Janny (BLOG-45)MediumNot applicableCWE-89Nicht anwendbar
KotlinNo ability to lock dependencies for Kotlin Multiplatform Gradle projects. Reported by Carter Jernigan (KT-49449)Medium1.6.0CWE-667CVE-2022-24329
Kotlin WebsiteClickjacking at kotlinlang.org (KTL-588)MediumNot applicableCWE-1021Nicht anwendbar
Remote DevelopmentUnexpected open port on backend server. Reported by Damian Gwiżdż (GTW-894)High2021.3.1CWE-1327CVE-2021-45977
SpaceMissing permission check in an HTTP API response (SPACE-15991)HighNot applicableCWE-284Nicht anwendbar
TeamCityA redirect to an external site was possible (TW-71113)Low2021.2.1CWE-601CVE-2022-24330
TeamCityLogout failed to remove the "Remember Me" cookie (TW-72969)Low2021.2CWE-613CVE-2022-24332
TeamCityGitLab authentication impersonation. Reported by Christian Pedersen (TW-73375)High2021.1.4CWE-285CVE-2022-24331
TeamCityThe "Agent push" feature allowed any private key on the server to be selected (TW-73399)Low2021.2.1CWE-284CVE-2022-24334
TeamCityBlind SSRF via an XML-RPC call. Reported by Artem Godin (TW-73465)Medium2021.2CWE-918CVE-2022-24333
TeamCityTime-of-check/Time-of-use (TOCTOU) vulnerability in agent registration via XML-RPC. Reported by Artem Godin (TW-73468)High2021.2CWE-367CVE-2022-24335
TeamCityAn unauthenticated attacker could cancel running builds via an XML-RPC request to the TeamCity server. Reported by Artem Godin (TW-73469)Medium2021.2.1CWE-284CVE-2022-24336
TeamCityPull-requests' health items were shown to users without appropriate permissions (TW-73516)Low2021.2CWE-284CVE-2022-24337
TeamCityStored XSS. Reported by Yurii Sanin (TW-73737)Medium2021.2.1CWE-79CVE-2022-24339
TeamCityURL injection leading to CSRF. Reported by Yurii Sanin (TW-73859)Medium2021.2.1CWE-352CVE-2022-24342
TeamCityChanging a password failed to terminate sessions of the edited user (TW-73888)Low2021.2.1CWE-613CVE-2022-24341
TeamCityXXE during the parsing of a configuration file (TW-73932)Medium2021.2.1CWE-611CVE-2022-24340
TeamCityReflected XSS (TW-74043)Medium2021.2.1CWE-79CVE-2022-24338
YouTrackStored XSS on the Notification templates page (JT-65752)Low2021.4.31698CWE-79CVE-2022-24344
YouTrackA custom logo could be set with read-only permissions (JT-66214)Low2021.4.31698CWE-284CVE-2022-24343
YouTrackStored XSS via project icon. Reported by Yurii Sanin (JT-67176)Medium2021.4.36872CWE-79CVE-2022-24347
DataloreServer version disclosure. Reported by Bharat (DL-9447)Low2021.3CWE-209Nicht anwendbar
HubInformation disclosure via avatars metadata (HUB-10154)Low2021.1.13690CWE-200CVE-2021-43180
HubPotential DOS via user information. Reported by Bharat (HUB-10804)Low2021.1.13415CWE-20CVE-2021-43182
HubStored XSS. Reported by Dmitry Sherstoboev (HUB-10854)Medium2021.1.13690CWE-79CVE-2021-43181
HubAuthentication throttling mechanism could be bypassed. Reported by Bharat (HUB-10869)Medium2021.1.13690CWE-180CVE-2021-43183
JetBrains AccountAuthentication throttling mechanism could be bypassed. Reported by Bharat (JPF-11933)Medium2021.07CWE-180Nicht anwendbar
KtorImproper nonce verification during OAuth2 authentication process. Reported by Ole Schilling Tjensvold (KTOR-3091)Medium1.6.4CWE-303CVE-2021-43203
SpaceAuthentication throttling mechanism could be bypassed. Reported by Bharat (SPACE-15282)LowNot applicableCWE-180Nicht anwendbar
SpaceSSRF disclosing EC2 metadata (SPACE-15666)HighNot applicableCWE-918Nicht anwendbar
TeamCityUser enumeration was possible (TW-70167)Low2021.1.2CWE-200CVE-2021-43194
TeamCityRCE in agent push functionality. Reported by Eduardo Castellanos (TW-70384)High2021.1.2CWE-78CVE-2021-43193
TeamCityInformation disclosure via Docker Registry connection dialog (TW-70459)Medium2021.1CWE-200CVE-2021-43196
TeamCitySome HTTP Security Headers were missed (TW-71376)Low2021.1.2CWE-693CVE-2021-43195
TeamCityEmail notifications could include unescaped HTML (TW-71981)Low2021.1.2CWE-116CVE-2021-43197
TeamCityInsufficient permissions checks in create patch functionality (TW-71982)Low2021.1.2CWE-285CVE-2021-43199
TeamCityStored XSS (TW-72007)Low2021.1.2CWE-79CVE-2021-43198
TeamCityInsufficient permissions checks in agent push functionality (TW-72177)Low2021.1.2CWE-285CVE-2021-43200
TeamCityX-Frame-Options Header was missed in some cases (TW-72464)Low2021.1.3CWE-693CVE-2021-43202
TeamCityA newly created project could take settings from already deleted project (TW-72521)Medium2021.1.3CWE-459CVE-2021-43201
TeamCity CloudSession takeover using open redirect in OAuth integration. Reported by Yurii Sanin (TCC-277)HighNot applicableCWE-601Nicht anwendbar
YouTrackStored XSS (JT-63483)Low2021.3.21051CWE-79CVE-2021-43184
YouTrackHost header injection. Reported by Artem Ivanov (JT-65590)Medium2021.3.23639CWE-601CVE-2021-43185
YouTrackStored XSS. Reported by Artem Ivanov (JT-65749)High2021.3.24402CWE-79CVE-2021-43186
YouTrack InCloudUnsafe EC2 configuration in YouTrack InCloud (JT-63693, JT-63695)LowNot applicableCWE-16Nicht anwendbar
YouTrack MobileClient-side caching on iOS (YTM-12961)Low2021.2CWE-524CVE-2021-43187
YouTrack MobileIncomplete access tokens protection in iOS (YTM-12962, YTM-12965, YTM-12966)Low2021.2CWE-311CVE-2021-43188
YouTrack MobileIncomplete access tokens protection in Android (YTM-12964)Low2021.2CWE-311CVE-2021-43189
YouTrack MobileTask Hijacking in Android (YTM-12967)Low2021.2CWE-287CVE-2021-43190
YouTrack MobileiOS URL Scheme hijacking (YTM-12968)Low2021.2CWE-287CVE-2021-43192
YouTrack MobileMissing Security Screen on Android & iOS (YTM-12969)Low2021.2CWE-287CVE-2021-43191
DatalorePotential JWT token takeover using redirect misconfiguration. Reported by Yurii Sanin (DL-9225, JPF-11801)High0.2.2CWE-601Nicht anwendbar
DataloreThere was no way to drop all active sessions. Reported by Bharat (DL-9247)High0.3.0CWE-613Nicht anwendbar
HubPotentially insufficient CSP for Widget deployment feature (JPS-10736)Low2021.1.13262CWE-1021CVE-2021-37540
HubAccount takeover was possible during password reset. Reported by Viet Nguyen Quoc (JPS-10767)High2021.1.13402CWE-601CVE-2021-36209
HubHTML injection in the password reset email was possible. Reported by Bharat (JPS-10797)Medium2021.1.13402CWE-79CVE-2021-37541
JetBrains AccountOTP could be used several times after the successful validation (JPF-11119)Low2021.04CWE-358Nicht anwendbar
JetBrains AccountPotential account takeover via OAuth integration. Reported by Bharat (JPF-11802)High2021.06CWE-918Nicht anwendbar
JetBrains WebsiteReflected XSS on jetbrains.com. Reported by Vasu Solanki (JS-14004)LowNot applicableCWE-79Nicht anwendbar
RubyMineCode execution without user confirmation was possible for untrusted projects (RUBY-27702)Medium2021.1.1CWE-345CVE-2021-37543
SpaceDeprecated organization-wide package repositories were publicly visible (SPACE-14151)HighNot applicableCWE-284Nicht anwendbar
TeamCityPotential XSS (TW-61688)High2020.2.3CWE-79CVE-2021-37542
TeamCityInsecure deserialization (TW-70057, TW-70080)High2020.2.4CWE-502CVE-2021-37544
TeamCityInsufficient authentication checks for agent requests (TW-70166)High2021.1.1CWE-287CVE-2021-37545
TeamCityInsecure key generation for encrypted properties (TW-70201)Low2021.1CWE-335CVE-2021-37546
TeamCityInsufficient checks during file uploading (TW-70546)Medium2020.2.4CWE-434CVE-2021-37547
TeamCityPasswords in plain text sometimes could be stored in VCS (TW-71008)Medium2021.1CWE-540CVE-2021-37548
YouTrackInsufficient sandboxing in workflows (JT-63222, JT-63254)Critical2021.1.11111CWE-648CVE-2021-37549
YouTrackTime-unsafe comparisons were used (JT-63697)Low2021.2.16363CWE-208CVE-2021-37550
YouTrackSystem user passwords were hashed with SHA-256 (JT-63698)Low2021.2.16363CWE-916CVE-2021-37551
YouTrackInsecure PRNG was used (JT-63699)Low2021.2.16363CWE-338CVE-2021-37553
YouTrackStored XSS (JT-64564)Medium2021.2.17925CWE-79CVE-2021-37552
YouTrackUser could see boards without having corresponding permissions (JT-64634)Low2021.3.21051CWE-284CVE-2021-37554
YouTrack InCloudReflected XSS on konnector service in Firefox (JT-63702)LowNot applicableCWE-79Nicht anwendbar
Code With MeClient could execute code in read-only mode (CWM-1235)MediumCompatible IDEs 2021.1 versionCWE-285CVE-2021-31899
Code With MeClient could open browser on host (CWM-1769)LowCompatible IDEs 2021.1 versionCWE-285CVE-2021-31900
Exception AnalyzerNo throttling at Exception Analyzer login page. Reported by Ashhad Ali (EXA-760)LowNot applicableCWE-799Nicht anwendbar
HubTwo-factor authentication wasn't enabled properly for "All Users" group (JPS-10694)Low2021.1.13079CWE-304CVE-2021-31901
IntelliJ IDEAXXE in License server functionality (IDEA-260143)High2020.3.3CWE-611CVE-2021-30006
IntelliJ IDEACode execution without user confirmation was possible for untrusted projects (IDEA-260911, IDEA-260912, IDEA-260913, IDEA-261846, IDEA-261851, IDEA-262917, IDEA-263981, IDEA-264782)Medium2020.3.3CWE-345CVE-2021-29263
IntelliJ IDEAPossible DoS. Reported by Arun Malik (IDEA-261832)Medium2021.1CWE-770CVE-2021-30504
JetBrains AcademyPotential takeover of a future account with a known email. Reported by Vansh Devgan (JBA-110)LowNot applicableCWE-285Nicht anwendbar
JetBrains AccountSensitive account URLs were shared with third parties. Reported by Vikram Naidu (JPF-11338)High2021.02CWE-201Nicht anwendbar
JetBrains WebsiteReflected XSS at blog.jetbrains.com. Reported by Peter Af Geijerstam and Jai Kumar (JS-14554, JS-14562)LowNot applicableCWE-79Nicht anwendbar
PyCharmCode execution without user confirmation was possible for untrusted projects. Reported by Tony Torralba (PY-41524)Medium2020.3.4CWE-345CVE-2021-30005
SpaceInsufficient CRLF sanitization in user input (SPACE-13955)LowNot applicableCWE-93Nicht anwendbar
TeamCityPotential XSS on the test history page (TW-67710)Medium2020.2.2CWE-79CVE-2021-31904
TeamCityTeamCity IntelliJ Plugin DOS. Reported by Jonathan Leitschuh (TW-69070)Low2020.2.2CWE-770CVE-2021-26310
TeamCityLocal information disclosure via temporary file in TeamCity IntelliJ Plugin. Reported by Jonathan Leitschuh (TW-69420)Low2020.2.2CWE-378CVE-2021-26309
TeamCityInsufficient audit when an administrator uploads a file (TW-69511)Low2020.2.2CWE-778CVE-2021-31906
TeamCityImproper permission checks for changing TeamCity plugins (TW-69521)Low2020.2.2CWE-732CVE-2021-31907
TeamCityPotential XSS on the test page. Reported by Stephen Patches (TW-69737)Low2020.2.2CWE-79CVE-2021-3315
TeamCityArgument Injection leading to RCE (TW-70054)High2020.2.3CWE-78CVE-2021-31909
TeamCityStored XSS on several pages (TW-70078, TW-70348)Medium2020.2.3CWE-79CVE-2021-31908
TeamCityInformation disclosure via SSRF (TW-70079)High2020.2.3CWE-918CVE-2021-31910
TeamCityReflected XSS on several pages (TW-70093, TW-70094, TW-70095, TW-70096, TW-70137)Medium2020.2.3CWE-79CVE-2021-31911
TeamCityPotential account takeover during password reset (TW-70303)Medium2020.2.3CWE-640CVE-2021-31912
TeamCityInsufficient checks of the redirect_uri during GitHub SSO token exchange (TW-70358)Low2020.2.3CWE-601CVE-2021-31913
TeamCityArbitrary code execution on TeamCity Server running on Windows. Reported by Chris Moore (TW-70512)High2020.2.4CWE-829CVE-2021-31914
TeamCityCommand injection leading to RCE. Reported by Chris Moore (TW-70541)High2020.2.4CWE-78CVE-2021-31915
TeamCity CloudPotential information disclosure via EC2 instance metadata (TCC-174, TCC-176)LowNot applicableCWE-1230Nicht anwendbar
TeamCity CloudTemporary credentials disclosure via command injection. Reported by Chris Moore (TCC-196)HighNot applicableCWE-78Nicht anwendbar
UpSourceApplication passwords were not revoked correctly. Reported by Thibaut Zonca (UP-10843)High2020.1.1883CWE-459CVE-2021-30482
WebStormHTTP requests were used instead of HTTPS (WEB-49549)Low2021.1CWE-295CVE-2021-31898
WebStormCode execution without user confirmation was possible for untrusted projects (WEB-49689, WEB-49902)Low2021.1CWE-345CVE-2021-31897
YouTrackStored XSS via attached file. Reported by Mikhail Klyuchnikov (JT-62530)Medium2020.6.6441CWE-79CVE-2021-27733
YouTrackPull request title was sanitized insufficiently (JT-62556)Medium2021.1.9819CWE-79CVE-2021-31903
YouTrackImproper access control during exporting issues (JT-62649)High2020.6.6600CWE-284CVE-2021-31902
YouTrackInformation disclosure in issue preview (JT-62919)High2020.6.8801CWE-200CVE-2021-31905
Code With MeAn attacker in the local network knowing session id could get access to the encrypted traffic. Reported by Grigorii Liullin (CWM-1067)Low2020.3Nicht anwendbarCVE-2021-25755
DataloreServer components versions were disclosed (DL-8327, DL-8335)Low0.0.1CWE-200Nicht anwendbar
Exception AnalyzerInformation disclosure via Exceptions Analyzer (SDP-1248)LowNot applicableCWE-200Nicht anwendbar
HubOpen-redirect was possible. Reported by Mohammed Amine El Attar (JPS-10348)Medium2020.1.12629Nicht anwendbarCVE-2021-25757
HubAuthorized user can delete 2FA settings of any other user (JPS-10410)Medium2020.1.12629Nicht anwendbarCVE-2021-25759
HubInformation disclosure via public API (JPS-10481)Low2020.1.12669Nicht anwendbarCVE-2021-25760
IntelliJ IDEAHTTP links were used for several remote repositories (IDEA-228726)Low2020.2Nicht anwendbarCVE-2021-25756
IntelliJ IDEAPotentially insecure deserialization of the workspace model (IDEA-253582)Low2020.3Nicht anwendbarCVE-2021-25758
JetBrains AccountAuthorization token was sent as a query parameter within Zendesk integration (JPF-10508)Low2020.11CWE-598Nicht anwendbar
JetBrains AccountOpen-redirect was possible (JPF-10660)Low2020.10CWE-601Nicht anwendbar
JetBrains WebsiteCross-origin resource sharing was possible. Reported by Ashhad Ali (SDP-1193)LowNot applicableCWE-942Nicht anwendbar
JetBrains WebsiteThrottling was not used for the particular endpoint. Reported by Ashhad Ali (SDP-1197)LowNot applicableCWE-799Nicht anwendbar
JetBrains WebsiteClickjacking was possible. Reported by Ashhad Ali (SDP-1203)LowNot applicableCWE-1021Nicht anwendbar
KotlinVulnerable Java API was used for temporary files and folders creation, which could make temporary files available for other users of a system. Reported by Jonathan Leitschuh (KT-42181)Low1.4.21Nicht anwendbarCVE-2020-29582
KtorBirthday attack on SessionStorage key was possible. Reported by Kenta Koyama (KTOR-878)Low1.5.0Nicht anwendbarCVE-2021-25761
KtorWeak cipher suites were enabled by default. Reported by Johannes Ulfkjær Jensen (KTOR-895)Low1.4.2Nicht anwendbarCVE-2021-25763
KtorHTTP Request Smuggling was possible. Reported by ZeddYu Lu, Kaiwen Shen, Yaru Yang (KTOR-1116)Low1.4.3Nicht anwendbarCVE-2021-25762
PhpStormSource code could be added to debug logs (WI-54619)Low2020.3Nicht anwendbarCVE-2021-25764
SpacePotential information disclosure via logs (SPACE-9343, SPACE-10969)LowNot applicableCWE-532Nicht anwendbar
SpaceAn attacker could obtain limited information via SSRF in repository mirroring test connection (SPACE-9514)HighNot applicableCWE-918Nicht anwendbar
SpaceContent-Type header wasn't set for some pages (SPACE-12004)LowNot applicableCWE-531Nicht anwendbar
SpaceREST API endpoint was available without appropriate permissions check, which could introduce a potential DOS vector (no real exploit available). (SPACE-12288)LowNot applicableCWE-732Nicht anwendbar
TeamCityReflected XSS on several pages (TW-67424, TW-68098)Medium2020.2Nicht anwendbarCVE-2021-25773
TeamCityTeamCity server DoS was possible via server integration (TW-68406, TW-68780)Low2020.2.2Nicht anwendbarCVE-2021-25772
TeamCityECR token exposure in the build's parameters (TW-68515)Medium2020.2Nicht anwendbarCVE-2021-25776
TeamCityUser could get access to GitHub access token of another user (TW-68646)Low2020.2.1Nicht anwendbarCVE-2021-25774
TeamCityServer admin could create and see access tokens for any other users (TW-68862)Low2020.2.1Nicht anwendbarCVE-2021-25775
TeamCityImproper permissions checks during user deletion (TW-68864)Low2020.2.1Nicht anwendbarCVE-2021-25778
TeamCityImproper permissions checks during tokens removal (TW-68871)Low2020.2.1Nicht anwendbarCVE-2021-25777
TeamCityTeamCity Plugin SSRF. Vulnerability that could potentially expose user credentials. Reported by Jonathan Leitschuh (TW-69068)High2020.2.85695Nicht anwendbarCVE-2020-35667
YouTrackCSRF via attachment upload. Reported by Yurii Sanin (JT-58157)Medium2020.4.4701Nicht anwendbarCVE-2021-25765
YouTrackUsers enumeration via REST API without appropriate permissions (JT-59396, JT-59498)Low2020.4.4701Nicht anwendbarCVE-2020-25208
YouTrackImproper resource access checks (JT-59397)Low2020.4.4701Nicht anwendbarCVE-2021-25766
YouTrackIssue's existence disclosure via the YouTrack command execution (JT-59663)Low2020.6.1767Nicht anwendbarCVE-2021-25767
YouTrackImproper permissions checks for the attachments actions (JT-59900)Low2020.4.4701Nicht anwendbarCVE-2021-25768
YouTrackYouTrack admin wasn't able to access attachments (JT-60824)Low2020.4.6808Nicht anwendbarCVE-2021-25769
YouTrackServer-side template injection in the YouTrack Cloud. Reported by Vasily Vasilkov (JT-61449)High2020.5.3123Nicht anwendbarCVE-2021-25770
YouTrackProject information disclosure (JT-61566)Low2020.6.1099Nicht anwendbarCVE-2021-25771
IdeaVimIn limited circumstances, IdeaVim might have caused information leak (VIM-2019)High0.58Nicht anwendbarCVE-2020-27623
IntelliJ IDEABuilt-in web server could expose information about IDE version (IDEA-240567)Low2020.2Nicht anwendbarCVE-2020-27622
JetBrains AccountImproper rate limit. Reported by Ashhad Ali (JPF-11026)Low2020.09CWE-799Nicht anwendbar
JetBrains AccountPassword reset token might be disclosed to a third party. Reported by Sheikh Rishad (JPF-11034)Low2020.10CWE-201Nicht anwendbar
JetBrains MarketplaceBlind SSRF. Reported by Yurii Sanin (MP-3119)HighNot applicableCWE-918Nicht anwendbar
JetBrains WebsiteReflected XSS. Reported by Peter af Geijerstam (JS-13032)MediumNot applicableCWE-79Nicht anwendbar
JetBrains WebsiteHTML injection was possible on several pages (JS-13041)MediumNot applicableCWE-79Nicht anwendbar
JetBrains WebsiteClickjacking was possible on several pages (JS-13042)LowNot applicableCWE-1021Nicht anwendbar
JetBrains WebsiteSSRF on the website. Reported by Mohamed Lahraoui (SDP-1174)LowNot applicableCWE-918Nicht anwendbar
KtorHTTP request smuggling was possible. Reported by ZeddYu Lu and Kaiwen Shen (KTOR-841)Medium1.4.1Nicht anwendbarCVE-2020-26129
SpaceUnauthorized access to environment variables containing private data (SPACE-10723)MediumNot applicableCWE-532Nicht anwendbar
TeamCityURL injection was possible (TW-44171)Low2020.1.2Nicht anwendbarCVE-2020-27627
TeamCityGuest user had access to audit records (TW-67750)Medium2020.1.5Nicht anwendbarCVE-2020-27628
TeamCitySecure dependency parameters could be not masked in depending builds when there are no internal artifacts (TW-67775)High2020.1.5Nicht anwendbarCVE-2020-27629
Toolbox AppLimited RCE via jetbrains protocol handler. Reported by Jeffrey van Gogh and Yuriy Solodkyy (SDP-1177)Low1.18Nicht anwendbarCVE-2020-25207
Toolbox AppDenial of service via jetbrains protocol handler (TBX-5281)Low1.18.7455Nicht anwendbarCVE-2020-25013
YouTrackBlind SSRF. Reported by Yurii Sanin (JT-58015)Low2020.3.888Nicht anwendbarCVE-2020-27624
YouTrackNotifications might have mentioned inaccessible issues (JT-58329)Low2020.3.888Nicht anwendbarCVE-2020-27625
YouTrackSSRF in YouTrack InCloud. Reported by Yurii Sanin (JT-58962)Medium2020.3.5333Nicht anwendbarCVE-2020-27626
YouTrackImproper access control allowed retrieving issue description without appropriate access. Reported by Yurii Sanin (JT-59015)Critical2020.3.4313, 2020.2.11008, 2020.1.11011, 2019.3.65516, 2019.2.65515, 2019.1.65514Nicht anwendbarCVE-2020-24618
YouTrackImproper access control for some subresources leads to information disclosure. Reported by Yurii Sanin (JT-59130)Medium2020.3.6638Nicht anwendbarCVE-2020-25209
YouTrackAn attacker could access workflow rules without appropriate access grants (JT-59474)High2020.3.7955Nicht anwendbarCVE-2020-25210
YouTrack MobileInformation disclosure via application backups. Reported by Cristi Vlad (YTM-5518)Low2020.2.0Nicht anwendbarCVE-2020-24366
DataloreStack trace disclosure. (DL-7350)Low0.0.1CWE-536Nicht anwendbar
DataloreReverse tabnabbing was possible. (DL-7708)Low0.0.1CWE-1022Nicht anwendbar
JetBrains AccountMissed throttling for reset password functionality in case of 2FA enabled. Reported by Manu Pranav. (JPF-10527)Medium2020.06CWE-799Nicht anwendbar
JetBrains WebsiteStack trace disclosure in case of incorrect character in request. (JS-12490)LowNot applicableCWE-536Nicht anwendbar
JetBrains WebsiteReflected XSS on jetbrains.com subdomain. Reported by Ritik Chaddha. (JS-12562)LowNot applicableCWE-79Nicht anwendbar
JetBrains WebsiteOpen-redirect issues on kotlinconf.com. Reported by Ritik Chaddha. (JS-12581)LowNot applicableCWE-601Nicht anwendbar
JetBrains WebsiteClickjacking was possible at a non-existent page. Reported by Pravas Ranjan Kanungo. (JS-12835)LowNot applicableCWE-1021Nicht anwendbar
KotlinScript cache privilege escalation vulnerability. Reported by Henrik Tunedal. (KT-38222)Medium1.4.0Nicht anwendbarCVE-2020-15824
SpaceDraft title was disclosed to a user without access to the draft. (SPACE-5594)LowNot applicableCWE-200Nicht anwendbar
SpaceMissing authorisation check caused privilege escalation. Reported by Callum Carney. (SPACE-8034)HighNot applicableCWE-266Nicht anwendbar
SpaceBlind SSRF via calendar import. Reported by Yurii Sanin. (SPACE-8273)MediumNot applicableCWE-918Nicht anwendbar
SpaceThe drafts of the direct messages sent from iOS app could be sent to the channel. (SPACE-8377)LowNot applicableCWE-200Nicht anwendbar
SpaceChat messages are propagated to the browser console. (SPACE-8386)HighNot applicableCWE-215Nicht anwendbar
SpaceMissed authentication checks in Space Automation. (SPACE-8431)CriticalNot applicableCWE-306Nicht anwendbar
SpaceMissed authentication checks in Job related API. (SPACE-8822)LowNot applicableCWE-306Nicht anwendbar
SpaceIncorrect checks of public key content. (SPACE-9169)MediumNot applicableCWE-287Nicht anwendbar
SpaceStored XSS via repository resource. (SPACE-9277)HighNot applicableCWE-79Nicht anwendbar
TeamCityUsers were able to assign more permissions than they had. (TW-36158)Low2020.1Nicht anwendbarCVE-2020-15826
TeamCityUsers with "Modify group" permission can elevate other users privileges. (TW-58858)Medium2020.1Nicht anwendbarCVE-2020-15825
TeamCityPassword parameters could be disclosed via build logs. (TW-64484)Low2019.2.3Nicht anwendbarCVE-2020-15829
TeamCityProject parameter values could be retrieved by a user without appropriate permissions. (TW-64587)High2020.1.1Nicht anwendbarCVE-2020-15828
TeamCityReflected XSS on administration UI. (TW-64668)High2019.2.3Nicht anwendbarCVE-2020-15831
TeamCityStored XSS on administration UI. (TW-64699)High2019.2.3Nicht anwendbarCVE-2020-15830
Toolbox AppMissed signature on "jetbrains-toolbox.exe". (TBX-4671)Low1.17.6856Nicht anwendbarCVE-2020-15827
UpSourceUnauthorised access was possible through error in accounts linking. (SDP-940)Low2020.1Nicht anwendbarCVE-2019-19704
YouTrackSubtasks workflow could disclose issue existence. (JT-45316)Low2020.2.8527Nicht anwendbarCVE-2020-15818
YouTrackAn external user could execute commands against arbitrary issues. (JT-56848)High2020.1.1331Nicht anwendbarCVE-2020-15817
YouTrackSSRF vulnerability that allowed scanning internal ports. Reported by Evren Yalçın. (JT-56917)Low2020.2.10643Nicht anwendbarCVE-2020-15819
YouTrackMarkdown parser could disclose hidden file existence. (JT-57235)Low2020.2.6881Nicht anwendbarCVE-2020-15820
YouTrackA user without permission was able to create articles draft. (JT-57649)Medium2020.2.6881Nicht anwendbarCVE-2020-15821
YouTrackAWS metadata of YouTrack InCloud instance disclosure via SSRF in Workflow. Reported by Yurii Sanin. (JT-57964)High2020.2.8873Nicht anwendbarCVE-2020-15823
YouTrackSSRF was possible due to the fact that URL filtering could be escaped. Reported by Yurii Sanin. (JT-58204)Low2020.2.10514Nicht anwendbarCVE-2020-15822
YouTrack InCloudPossibility to change redirect from any existing YouTrack InCloud instance to other instance. (JT-57036)Medium2020.1.3588CWE-601Nicht anwendbar
DataloreUser's SSH key can be deleted without appropriate permissions. Reported by Callum Carney (DL-7833)Medium0.0.1CWE-639Nicht anwendbar
DataloreSSRF could be caused by an attached file. Reported by Callum Carney (DL-7836)High0.0.1CWE-918Nicht anwendbar
GoLandPlain HTTP was used to access plugin repository (GO-8694)Low2019.3.2Nicht anwendbarCVE-2020-11685
HubContent spoofing at Hub OAuth error message was possible (JPS-10093)Medium2020.1.12099Nicht anwendbarCVE-2020-11691
IntelliJ IDEALicense server could be resolved to untrusted host in some cases (IDEA-219748)High2020.1Nicht anwendbarCVE-2020-11690
JetBrains AccountNon-unique QR codes were generated during consequentattempts to setup 2FA (JPF-10149)Low2020.01CWE-342Nicht anwendbar
JetBrains AccountClickjacking was possible on a JetBrains Account page. Reported by Raja Ahtisham (JPF-10154) Medium2020.01CWE-1021Nicht anwendbar
JetBrains AccountCustomer name enumeration by numeric customer ID was possible (JPF-10159, JPF-10301)High2020.03CWE-200Nicht anwendbar
JetBrains AccountCountry value coming from a user wasn't correctly validated (JPF-10258)High2020.02CWE-285Nicht anwendbar
JetBrains AccountInformation disclosure from JetBrains Account was possible via "Back" button. Reported by Ratnadip Gajbhiye (JPF-10266)Low2020.02CWE-200Nicht anwendbar
JetBrains MarketplaceUploading malicious file via Screenshots form could cause XSS (MP-2637)MediumNot applicableCWE-79Nicht anwendbar
JetBrains WebsiteReflected XSS at jetbrains.com was possible. Reported by Rahad Chowdhury (JS-11769)HighNot applicableCWE-79Nicht anwendbar
PyCharmApple Notarization Service credentials were included to PyCharm distributive for Windows reported by Ruby Nealon (IDEA-232217)High2019.3.3, 2019.2.6Nicht anwendbarCVE-2020-11694
SpaceSession timeout period was configured improperly (SPACE-4717)LowNot applicableNicht anwendbarCVE-2020-11795
SpaceStored XSS in Space chats was possible. Reported by Callum Carney (SPACE-6556)MediumNot applicableNicht anwendbarCVE-2020-11416
SpacePassword authentication implementation was insecure (SPACE-7282)HighNot applicableNicht anwendbarCVE-2020-11796
TeamCityPasswords values were shown not being masked on several pages (TW-64186)Low2019.2.2Nicht anwendbarCVE-2020-11687
TeamCityProject administrator was able to see scrambled password parameters used in a project (TW-58099)Medium2019.2.2Nicht anwendbarCVE-2020-11938
TeamCityProject administrator was able to retrieve some TeamCity server settings (TW-61626)Low2019.1.4Nicht anwendbarCVE-2020-11686
TeamCity | Application state kept alive after a user ends his session (TW-61824) | Low | 2019.2.1 | Not applicable | CVE-2020-11688
TeamCity | A user without appropriate permissions was able to import settings from settings.kts (TW-63698) | Low | 2019.2.1 | Not applicable | CVE-2020-11689
YouTrack | DB export was accessible to read-only administrators (JT-56001) | Low | 2020.1.659 | Not applicable | CVE-2020-11692
YouTrack | DoS could be performed by attaching malformed TIFF to an issue. Reported by Chris Smith (JT-56407) | High | 2020.1.659 | Not applicable | CVE-2020-11693
IDETalk plugin | XXE in IDETalk plugin. (IDEA-220136 reported by Srikanth Ramu) | Medium | 193.4099.10 | Not applicable | CVE-2019-18412
IntelliJ IDEA | Some Maven repositories are accessed via HTTP instead of HTTPS. (IDEA-216282) | High | 2019.3 | Not applicable | CVE-2020-7904
IntelliJ IDEA | Ports listened to by IntelliJ IDEA are exposed to the network. (IDEA-219695) | Low | 2019.3 | Not applicable | CVE-2020-7905
IntelliJ IDEA | XSLT debugger plugin misconfiguration allows arbitrary file read over network. (IDEA-216621 reported by Anatoly Korniltsev) | Medium | 2019.3 | Not applicable | CVE-2020-7914
JetBrains Account | Profile names are exposed by email. (JPF-9219 reported by Timon Birk) | Low | 2019.11 | CWE-200 | Not applicable
JetBrains Account | Missing secure flag for cookie. (JPF-9857) | Low | 2019.11 | CWE-614 | Not applicable
JetBrains Account | Insufficient authentication on contact view. (JPF-10024) | High | 2019.11 | CWE-287 | Not applicable
JetBrains Account | Insufficient authentication on role update. (JPF-10025) | High | 2019.11 | CWE-287 | Not applicable
JetBrains Account | XSS on the spending report page. (JPF-10027) | Medium | 2019.12 | CWE-79 | Not applicable
JetBrains Account | Open redirect during re-acceptance of license agreements. (JPF-10028) | Low | 2019.11 | CWE-601 | Not applicable
JetBrains Account | Information exposure during processing of license requests. (JPF-10111) | High | 2019.12 | CWE-200 | Not applicable
JetBrains Marketplace | XSS on several pages. (MP-2617, MP-2640, MP-2642) | Low | Not applicable | CWE-79 | Not applicable
JetBrains Marketplace | Improper access control during plugins upload. (MP-2695) | Critical | Not applicable | CWE-284 | Not applicable
JetBrains Website | Cookie XSS at jetbrains.com. (JS-10969) | High | Not applicable | CWE-79 | Not applicable
Ktor | The Ktor framework is vulnerable to HTTP Response Splitting. Reported by Jonathan Leitschuh | High | 1.2.6 | Not applicable | CVE-2019-19389
Ktor | The Ktor client resends authorization data to a redirect location. Reported by Jonathan Leitschuh | Low | 1.2.6 | Not applicable | CVE-2019-19703
Ktor | Request smuggling is possible when both chunked Transfer-Encoding and Content-Length are specified. Reported by Jonathan Leitschuh | Low | 1.3.0 | Not applicable | CVE-2020-5207
Rider | Unsigned binaries in Windows installer. (RIDER-30393) | Medium | 2019.3 | Not applicable | CVE-2020-7906
Scala plugin | Artifact dependencies were resolved over unencrypted connections. (SCL-15063) | High | 2019.2.1 | Not applicable | CVE-2020-7907
TeamCity | Reverse Tabnabbing is possible on several pages. (TW-61710, TW-61726, TW-61727) | Low | 2019.1.5 | Not applicable | CVE-2020-7908
TeamCity | Some server-stored passwords can be shown via web UI. (TW-62674) | High | 2019.1.5 | Not applicable | CVE-2020-7909
TeamCity | Possible stored XSS attack by a user with a developer role. (TW-63298) | Medium | 2019.2 | Not applicable | CVE-2020-7910
TeamCity | Stored XSS on user-level pages. (TW-63160) | High | 2019.2 | Not applicable | CVE-2020-7911
YouTrack | CORS misconfiguration on youtrack.jetbrains.com. (JT-53675) | Medium | Not applicable | CWE-346 | Not applicable
YouTrack | SMTP/Jabber settings can be accessed using backups. (JT-54139) | Medium | 2019.2.59309 | Not applicable | CVE-2020-7912
YouTrack | XSS via image upload at youtrack-workflow-converter.jetbrains.com. (JT-54589) | Low | Not applicable | CWE-80 | Not applicable
YouTrack | XSS via issue description. (JT-54719) | High | 2019.2.59309 | Not applicable | CVE-2020-7913
Hub | Username enumeration was possible through password recovery. JPS-9655, JPS-9938 | Low | 2019.1.11738 | Not applicable | CVE-2019-18360
IntelliJ IDEA | Local user privilege escalation potentially allowed arbitrary code execution. IDEA-216623 | Low | 2019.2 | Not applicable | CVE-2019-18361
JetBrains Account | Account removal without re-authentication was possible. JPF-9611 reported by Siamul Islam. | Medium | 2019.9 | CWE-306 | Not applicable
JetBrains Account | Password reset link was not invalidated during password change through profile. JPF-9610 reported by Elliot V. Daniel. | Medium | 2019.8 | CWE-613 | Not applicable
MPS | Ports listened to by MPS are exposed to the network. MPS-30661 | Low | 2019.2.2 | Not applicable | CVE-2019-18362
TeamCity | Access could be gained to the history of builds of a deleted build configuration under some circumstances. TW-60957 | Medium | 2019.1.2 | Not applicable | CVE-2019-18363
TeamCity | Insecure Java Deserialization could potentially allow RCE. TW-61928 reported by Aleksei "GreenDog" Tiurin. | Medium | 2019.1.4 | Not applicable | CVE-2019-18364
TeamCity | Reverse tabnabbing was possible on several pages. TW-61323, TW-61725, TW-61726, TW-61646, TW-62123 | Low | 2019.1.4 | Not applicable | CVE-2019-18365
TeamCity | Secure values could be exposed to users with the ‘View build runtime parameters and data’ permission. | Low | 2019.1.2 | Not applicable | CVE-2019-18366
TeamCity | A non-destructive operation could be performed by a user without the corresponding permissions. TW-61107 | Low | 2019.1.2 | Not applicable | CVE-2019-18367
Toolbox App | Privilege escalation was possible in the JetBrains Toolbox App for Windows. TBX-3759 | Low | 1.15.5666 | Not applicable | CVE-2019-18368
YouTrack | Removing tags from issues list without corresponding permission was possible. JT-53465 | Low | 2019.2.55152 | Not applicable | CVE-2019-18369
YouTrack InCloud | Sending of arbitrary spam email from a YouTrack instance was possible. JT-54136, ADM-13823, ADM-34971 | Low | Not applicable | CWE-285 | Not applicable
Exception Analyzer | Insecure transfer of JetBrains Account credentials. EXA-652 | Critical | Not applicable | CWE-598 | Not applicable
Hub | No way to set a password to expire automatically. JPS-8816 | Low | 2018.4.11436 | Not applicable | CVE-2019-14955
IdeaVim | Project data appeared in user level settings. VIM-1184 | Medium | 0.52 | Not applicable | CVE-2019-14957
IntelliJ IDEA | Resolving artifacts using an HTTP connection, potentially allowing an MITM attack. IDEA-211231 | High | 2019.2 | Not applicable | CVE-2019-14954
JetBrains Account | Authorized account enumeration. JPF-9370 | Low | 2019.5 | CWE-204 | Not applicable
JetBrains Account | Cross-origin resource sharing misconfiguration (Reported by Vishnu Vardhan). JPF-9095 | Low | 2019.5 | CWE-942 | Not applicable
JetBrains Account | No rate limitation on the account details page. JPF-9704 | Medium | 2019.8 | CWE-770 | Not applicable
JetBrains Account | No rate limitation on the licenses page. JPF-9713 | High | 2019.9 | CWE-770 | Not applicable
JetBrains Account | Unauthorized disclosure of license email on the licenses page. JPF-9692 | Critical | 2019.8 | CWE-284 | Not applicable
JetBrains Website | Reflected XSS. JS-9853 | Medium | Not applicable | CWE-79 | Not applicable
Ktor | Command injection through LDAP username. | Medium | 1.2.0-rc, 1.2.0 | Not applicable | CVE-2019-12736
Ktor | Predictable Salt for user credentials. | Medium | 1.2.0-rc2, 1.2.0 | Not applicable | CVE-2019-12737
PyCharm | Remote call causing an “out of memory” error was possible. PY-35251 | Low | 2019.2 | Not applicable | CVE-2019-14958
ReSharper | DLL hijacking vulnerability. RSRP-473674 | High | 2019.2 | Not applicable | CVE-2019-16407
Rider | Unsigned DLL was used in a distributive. RIDER-27708 | Medium | 2019.1.2 | Not applicable | CVE-2019-14960
TeamCity | Previously used unencrypted passwords were suggested by a web browser’s auto-completion. TW-59759 | Low | 2019.1 | CWE-200 | Not applicable
TeamCity | VMware plugin did not check SSL certificate. TW-59562 | Medium | 2019.1 | Not applicable | CVE-2019-15042
TeamCity | Remote Code Execution on the server with certain network configurations. TW-60430 | Medium | 2019.1 | Not applicable | CVE-2019-15039
TeamCity | Project administrator could get unauthorized access to server-level data. TW-60220 | High | 2019.1 | Not applicable | CVE-2019-15035
TeamCity | Project administrator could execute any command on the server machine. TW-60219 | High | 2019.1 | Not applicable | CVE-2019-15036
TeamCity | Security has been tightened thanks to using additional HTTP headers. TW-59034 | High | 2019.1 | Not applicable | CVE-2019-15038
TeamCity | Possible XSS vulnerabilities on the settings pages. TW-59870, TW-59852, TW-59817, TW-59838, TW-59816 | High | 2019.1 | Not applicable | CVE-2019-15037
TeamCity | XSS vulnerability. TW-61242, TW-61315 | High | 2019.1.2 | Not applicable | CVE-2019-15848
Toolbox App | Unencrypted connection to external resources potentially allowed an MITM attack. TBX-3327, ADM-30275 | Low | 1.15.5605 | CWE-311 | CVE-2019-14959
UpSource | Insufficient escaping of code blocks. UP-10387 | Medium | 2019.1.1412 | Not applicable | CVE-2019-14961
UpSource | Credentials exposure via RPC command. UP-10344 | Critical | 2018.2.1290 | Not applicable | CVE-2019-12156
UpSource | Credentials exposure via RPC command. UP-10343 | Critical | 2018.2.1293 | Not applicable | CVE-2019-12157
YouTrack | A user could get a list of project names under certain conditions. JT-53162 | Low | 2019.2.53938 | Not applicable | CVE-2019-14956
YouTrack | Stored XSS via issue attachments. JT-51077 | High | 2019.2.53938 | Not applicable | CVE-2019-14953
YouTrack | Stored XSS on the issue page. JT-54121 | High | 2019.2.56594 | Not applicable | CVE-2019-16171
YouTrack | Stored XSS in the issues list. JT-52894 | High | 2019.1.52584 | Not applicable | CVE-2019-14952
YouTrack | A compromised URL was automatically whitelisted by YouTrack. JT-47653 | Low | 2019.1.52545 | Not applicable | CVE-2019-15041
YouTrack | Cross-Site Request Forgery. JT-30098 | Low | 2019.1 | Not applicable | CVE-2019-15040
CLion | The suggested WSL configuration exposed a local SSH server to the internal network. CPP-15063 | Medium | Not applicable | CWE-276 | Not applicable
Hub | A user password could appear in the audit events for certain server settings. JPS-7895 | High | 2018.4.11298 | Not applicable | CVE-2019-12847
IntelliJ IDEA | The default configuration for Spring Boot apps was not secure. IDEA-204439 | High | 2018.3.4, 2019.1 | Not applicable | CVE-2019-9186
IntelliJ IDEA | The application server configuration allowed cleartext storage of secrets. IDEA-201519, IDEA-202483, IDEA-203271 | High | 2018.1.8, 2018.2.8, 2018.3.5, 2019.1 | Not applicable | CVE-2019-9872
IntelliJ IDEA | The implementation of storage in the KeePass database was not secure. IDEA-200066 | Low | 2018.3, 2019.1 | CWE-922 | Not applicable
IntelliJ IDEA | A certain application server configuration allowed cleartext storage of secrets. IDEA-199911 | Low | 2018.3 | CWE-317 | Not applicable
IntelliJ IDEA | A certain application server configuration allowed cleartext storage of secrets. IDEA-203613 | Medium | 2018.1.8, 2018.2.8, 2018.3.5 | Not applicable | CVE-2019-9823
IntelliJ IDEA | Certain remote server configurations allowed cleartext storage of secrets. IDEA-203272, IDEA-203260, IDEA-206556, IDEA-206557 | High | 2019.1 | Not applicable | CVE-2019-9873
IntelliJ IDEA | The run configuration of certain application servers allowed remote code execution while running the server with the default settings. IDEA-204570 | High | 2017.3.7, 2018.1.8, 2018.2.8, 2018.3.4 | Not applicable | CVE-2019-10104
JetBrains Account | An open redirect vulnerability via the backUrl parameter was detected. JPF-8899 | Medium | Not applicable | CWE-601 | Not applicable
JetBrains Account | A host header injection vulnerability was detected at account.jetbrains.com. ADM-20535 | Medium | Not applicable | CWE-444 | Not applicable
JetBrains Marketplace | Some HTTP Security Headers were missing. MP-2004 | Medium | Not applicable | CWE-693 | Not applicable
JetBrains Marketplace | A reflected XSS was detected. MP-2001 | Medium | Not applicable | CWE-79 | Not applicable
JetBrains Marketplace | A CSRF vulnerability was detected. MP-2002 | Medium | Not applicable | CWE-352 | Not applicable
JetBrains Website | A reflected XSS was detected. JT-51074 | Low | Not applicable | CWE-79 | Not applicable
Kotlin | The JetBrains Kotlin project was resolving artifacts using an HTTP connection during the build process, potentially allowing an MITM attack. | Medium | 1.3.30 | Not applicable | CVE-2019-10101
Kotlin plugin for IntelliJ | IntelliJ IDEA projects created using the Kotlin IDE template were resolving artifacts using an HTTP connection, potentially allowing an MITM attack. | Medium | 1.3.30 | Not applicable | CVE-2019-10102
PyCharm | A certain remote server configuration allowed cleartext storage of secrets. PY-32885 | Medium | 2018.3.2 | CWE-209 | Not applicable
TeamCity | A possible stored JavaScript injection was detected. TW-59419 | Medium | 2018.2.3 | Not applicable | CVE-2019-12844
TeamCity | The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts. TW-59379 | Medium | 2018.2.3 | Not applicable | CVE-2019-12845
TeamCity | A possible stored JavaScript injection requiring a deliberate server administrator action was detected. TW-55640 | Medium | 2018.2.3 | Not applicable | CVE-2019-12843
TeamCity | Incorrect handling of user input in ZIP extraction. TW-57143 | Medium | 2018.2.2 | Not applicable | CVE-2019-12841
TeamCity | A reflected XSS on a user page was detected. TW-58661 | Medium | 2018.2.2 | Not applicable | CVE-2019-12842
TeamCity | A user without the required permissions could gain access to some settings. TW-58571 | Medium | 2018.2.2 | Not applicable | CVE-2019-12846
YouTrack | An SSRF attack was possible on a YouTrack server. JT-51121 | High | 2018.4.49168 | Not applicable | CVE-2019-12852
YouTrack | An Insecure Direct Object Reference was possible. JT-51103 | Low | 2018.4.49168 | Not applicable | CVE-2019-12866
YouTrack | Certain actions could cause privilege escalation for issue attachments. JT-51080 | Medium | 2018.4.49168 | Not applicable | CVE-2019-12867
YouTrack | A query injection was possible. JT-51105 | Low | 2018.4.49168 | Not applicable | CVE-2019-12850
YouTrack | A CSRF vulnerability was detected in one of the admin endpoints. JT-51110 | Medium | 2018.4.49852 | Not applicable | CVE-2019-12851
YouTrack | The YouTrack Confluence plugin allowed an SSTI vulnerability. JT-51594 | Medium | 1.8.1.3 | Not applicable | CVE-2019-10100
YouTrack InCloud | An unauthorized disclosure of license details to an attacker #2 was possible. JT-51117 | Low | Not applicable | CWE-284 | Not applicable
Hub | Admin account takeover of a system authorized with Hub was possible. JPS-9594 | Critical | 2018.3.11035 | Not applicable | Not applicable
Hub | XXE was possible. JPS-9616, UP-10218 | High | 2018.4.11067 | Not applicable | Not applicable
JetBrains Account | Disclosure of email address within unsuccessful login attempt. JPF-8663 | High | 4.11 | Not applicable | Not applicable
TeamCity | Reflected XSS on user-level pages. TW-58065, TW-58234 | High | 2018.2 | Not applicable | Not applicable
TeamCity | Stored XSS on the build details page. TW-58129, TW-58138 | High | 2018.2 | Not applicable | Not applicable
TeamCity | Exposure of sensitive parameter value to a privileged user was possible. TW-56946 | Medium | 2018.1.3 | Not applicable | Not applicable
UpSource | A privileged user had access to user credentials in rare cases. UP-10092 | Medium | 2018.2.1141 | Not applicable | Not applicable
YouTrack | Unauthorized access to project and user details with guest user banned was possible. JT-50970, JT-49827, JT-50611, JT-50203 | High | 2018.3.47010 | Not applicable | Not applicable
YouTrack | Stored XSS on YouTrack issue page. JT-50201 | Low | 2018.3.47965 | Not applicable | Not applicable
YouTrack InCloud | Unauthorized disclosure of YouTrack InCloud subscription information was possible. JPF-8714, JT-51001 | High | 2018.4.48293 | Not applicable | Not applicable
YouTrack InCloud | Unauthorized access to the email address of YouTrack InCloud was possible. JT-50946 | High | 2018.4.48293 | Not applicable | Not applicable
dotPeek | Remote Code Execution was possible while operating specific files. DOTP-7635 | High | 2018.1.4 | Not applicable | Not applicable
Hub | Hub stored license information in log files. JPS-9187 | Low | 2018.2.10527 | Not applicable | Not applicable
IntelliJ IDEA | Insecure connection used to access JetBrains resources. IDEA-187601, IDEA-192440 | Medium | 2018.1.5 | Not applicable | Not applicable
IntelliJ IDEA | Incorrect handling of user input in ZIP extraction. IDEA-191679, IDEA-191680, IDEA-193358 | High | 2018.2 | Not applicable | Not applicable
JetBrains Account | A few customer profiles were made available without authorization. JPF-8211 | Medium | Not applicable | Not applicable | Not applicable
JetBrains Account | It was possible to obtain customer business email from order reference. JPF-7903 | Medium | Not applicable | Not applicable | Not applicable
JetBrains Marketplace | XXE vulnerability. MP-1708 | Low | Not applicable | Not applicable | Not applicable
JetBrains Marketplace | Incorrect handling of user input in ZIP extraction. MP-1678 | Medium | Not applicable | Not applicable | Not applicable
ReSharper | Incorrect handling of user input in ZIP extraction. RSRP-470115 | High | 2018.1.3 | Not applicable | Not applicable
TeamCity | CSRF vulnerability. TW-55992 | Medium | 2018.1.1 | Not applicable | Not applicable
TeamCity | Change of project settings can corrupt settings of other projects. TW-55704 | Low | 2018.1.1 | Not applicable | Not applicable
TeamCity | Possible privilege escalation while viewing agent details. TW-56025 | Medium | 2018.1.1 | Not applicable | Not applicable
TeamCity | Possible unvalidated redirect. TW-56085 | Medium | 2018.1.2 | Not applicable | Not applicable
TeamCity | Reflected XSS vulnerabilities. TW-56490, TW-56375, TW-56374 | Medium | 2018.1.2 | Not applicable | Not applicable
TeamCity | Stored XSS vulnerabilities. TW-56830, TW-56719 | Medium | 2018.1.3 | Not applicable | Not applicable
TeamCity | Stored XSS vulnerabilities. TW-55214, TW-56126, TW-56127, TW-56452, TW-56571 | Medium | 2018.1.2 | Not applicable | Not applicable
YouTrack | Reflected XSS vulnerability. JT-48606 | Medium | 2018.2.45073 | Not applicable | Not applicable
YouTrack | Possible privilege escalation via deprecated REST API. JT-48605 | Low | 2018.2.45073 | Not applicable | Not applicable
YouTrack | Possible tabnabbing via issue content. JT-47993 | Low | 2018.2.44329 | Not applicable | Not applicable
Hub | ClickJacking vulnerability. JPS-7209 | Low | 2017.4.8040 | Not applicable | Not applicable
Hub | ClickJacking vulnerability. JPS-8009 | Low | 2018.2.9541 | Not applicable | Not applicable
IntelliJ IDEA | ROBOT attack vulnerability in certain subsystems. IDEA-183912 | Low | 2018.1.3 | Not applicable | Not applicable
Scala plugin | Possible unauthenticated access to local compile server. SCL-13584 | Medium | 2018.2 | Not applicable | Not applicable
TeamCity | Possible privilege escalation to server administrator. TW-55209 | High | 2018.1 | Not applicable | Not applicable
TeamCity | CSRF attack vulnerability. TW-55210 | High | 2018.1 | Not applicable | Not applicable
TeamCity | Possible privilege escalation from project administrator to server administrator. TW-55211, TW-55684 | High | 2018.1 | Not applicable | Not applicable
TeamCity | Possible unauthorized removal of installation data by project administrator. TW-54876 | High | 2018.1 | Not applicable | Not applicable
TeamCity | Network access to an agent allowed potential unauthorized control over the agent. TW-49335 | Medium | 2018.1 | Not applicable | Not applicable
TeamCity | In a very specific scenario, an attacker could steal web responses meant for other users. TW-54486 | Medium | 2018.1 | Not applicable | Not applicable
TeamCity | Stored XSS vulnerabilities on various pages. TW-27206, TW-54129, TW-55453, TW-55215, TW-55217, TW-55353 | Medium | 2018.1 | Not applicable | Not applicable
TeamCity | Project viewer could delete non-critical project settings. TW-55261 | Medium | 2018.1 | Not applicable | Not applicable
TeamCity | Network access to a server allowed potential read access to project settings. TW-54870 | Medium | 2018.1 | Not applicable | Not applicable
TeamCity | Project viewer could affect details of some running builds. TW-54975 | Medium | 2018.1 | Not applicable | Not applicable
TeamCity | Reflected XSS vulnerabilities on various pages. TW-55212, TW-55213 | Medium | 2018.1 | Not applicable | Not applicable
TeamCity | User self-registration might have been enabled by default on new server installation. TW-54741 | Medium | 2017.2.4, 2018.1 | Not applicable | Not applicable
TeamCity | Possible vulnerability to ClickJacking attack from TeamCity UI. TW-33819 | Medium | 2017.2.4, 2018.1 | Not applicable | Not applicable
TeamCity | Project viewer could bypass the "View build runtime parameters and data" permission. TW-55502 | Low | 2018.1 | Not applicable | Not applicable
TeamCity | Network access to a server exposed a vulnerability to DoS attacks. TW-11984 | Low | 2018.1 | Not applicable | Not applicable
TeamCity | Potential to pass authorization cookies without secure flags. TW-55141 | Low | 2018.1 | Not applicable | Not applicable
UpSource | Vulnerability to ClickJacking attack. UP-9673 | Medium | 2018.1 | Not applicable | Not applicable
UpSource | Possible privilege escalation during the configuration process. BND-1154, BND-1579, UP-7359. Reported by Zhiyong Feng from Mobike Security Team | Low | 2018.1 | Not applicable | Not applicable
YouTrack | Stored XSS vulnerabilities from specific pages. JT-47824 | High | 2018.2.42881 | Not applicable | Not applicable
YouTrack | Potential for unauthorized users to view names of SSL keys. JT-47685 | Low | 2018.2.42881 | Not applicable | Not applicable
YouTrack | Swimlane functionality allowed unauthorized changes to a limited number of issue properties. JT-47125 | Low | 2018.2.42133 | Not applicable | Not applicable
dotTrace | dotTrace allowed privilege escalation (PROF-668) | Critical | 2017.1, 2017.2, 2017.3, 2018.1 | Not applicable | Not applicable
Hub | Limitation of login attempts at hub.jetbrains.com was disabled (JPS-7627) | Low | 2018.1.9041 | Not applicable | Not applicable
Hub | It was possible to obtain a new access token for a banned user (JPS-7553) | Low | 2017.4.8440 | Not applicable | Not applicable
IntelliJ IDEA | YourKit profiler port was available externally in EAP builds for Linux (IDEA-184795) | Low | 2018.1 | Not applicable | Not applicable
JetBrains Account | Privilege escalation was possible for JetBrains Account activity log (JPF-7437) | Medium | Not applicable | Not applicable | Not applicable
JetBrains Account | Valid password links might remain upon password reset (JPF-7335) | Low | Not applicable | Not applicable | Not applicable
TeamCity | VCS preview allowed XSS attack (TW-54027) | Medium | 2017.2.3 | Not applicable | Not applicable
TeamCity | Data Directory preview allowed XSS attack (TW-54021) | Low | 2017.2.3 | Not applicable | Not applicable
TeamCity | VMware plugin settings allowed XSS attack (TW-53984) | High | 2017.2.3 | Not applicable | Not applicable
TeamCity | VCS settings allowed XSS attack (TW-53943, TW-53978) | High | 2017.2.3 | Not applicable | Not applicable
TeamCity | Authentication bypass was possible with a certain Windows server configuration (TW-53507) | Medium | 2017.2.2 | Not applicable | Not applicable
TeamCity | Project administrator could run arbitrary code (TW-50054) | High | 2017.2.2 | Not applicable | Not applicable
TeamCity | Build fields allowed XSS attack (TW-53466) | Medium | 2017.2.2 | Not applicable | Not applicable
TeamCity | Multiple XSS vulnerabilities (reported by Viktor Gazdag of NCC Group) (TW-53442) | High | 2017.2.2 | Not applicable | Not applicable
UpSource | Multiple XSS vulnerabilities (Reported by Viktor Gazdag of NCC Group) (UP-9606) | Medium | 2017.3.2888 | Not applicable | Not applicable
YouTrack | RSS feed allowed unauthorized access to comments with certain configuration (JT-46375) | Medium | 2018.1.40341 | Not applicable | Not applicable
YouTrack | REST API allowed unauthorized access to attachments of hidden comments (JT-46004) | Medium | 2018.1.40341 | Not applicable | Not applicable
YouTrack | RSS feed allowed unauthorized access to issues list with certain configuration (JT-46159) | High | 2018.1.40066 | Not applicable | Not applicable
YouTrack | Custom fields allowed privilege escalation for guest user account (JT-46115) | Medium | 2018.1.40025 | Not applicable | Not applicable
YouTrack | Issue linking permission bypassing was available via "Create issue linked as..." (JT-25321) | Medium | 2017.4.39533 | Not applicable | Not applicable
YouTrack | Unauthorized access to issue content was possible even if guest user access was restricted in the bundle installer (JT-45284) | Low | 2017.4.39083 | Not applicable | Not applicable
YouTrack | Activity records for private fields were available to users with read-only permissions (JT-45282) | Medium | 2017.4.39083 | Not applicable | Not applicable