Fixed security issues

This page contains information about resolved security issues, including description, severity, assigned CVEs, and the product versions in which they were resolved.

ProductDescriptionSeverityResolved InCWECVE
TeamCitySeveral DOM-based XSS were possible on the Code Inspection Report tab (TW-87505)Medium2024.12.2CWE-79CVE-2025-26493
TeamCityImproper Kubernetes connection settings could expose sensitive resources (TW-91106)High2024.12.2CWE-522CVE-2025-26492
dotTraceLocal Privilege Escalation via the ETW Host Service was possible (DTRC-31503)High2024.3.4, 2024.2.8, 2024.1.7CWE-114CVE-2025-23385
ETW Host ServiceLocal Privilege Escalation via the ETW Host Service was possible (DTRC-31503)High16.43CWE-114CVE-2025-23385
ReSharperLocal Privilege Escalation via the ETW Host Service was possible (DTRC-31503)High2024.3.4, 2024.2.8, 2024.1.7CWE-114CVE-2025-23385
RiderLocal Privilege Escalation via the ETW Host Service was possible (DTRC-31503)High2024.3.4, 2024.2.8, 2024.1.7CWE-114CVE-2025-23385
HubPrivilege escalation was possible via LDAP authentication mapping. Reported by Pavel Supruniuk (HUB-12012)Medium2024.3.55417CWE-288CVE-2025-24456
TeamCityReflected XSS was possible on the Vault Connection page (TW-91124)Medium2024.12.1CWE-79CVE-2025-24459
TeamCityImproper access control allowed to see Projects’ names in the agent pool (TW-52375, TW-91367)Medium2024.12.1CWE-863CVE-2025-24460
TeamCityDecryption of connection secrets without proper permissions was possible via Test Connection endpoint (TW-91164)Medium2024.12.1CWE-862CVE-2025-24461
YouTrackPermanent tokens could be exposed in logs. Reported by Dmitriy Titarenko (JT-86763)Medium2024.3.55417CWE-532CVE-2025-24457
YouTrackAccount takeover was possible via spoofed email and Helpdesk integration (JT-85444)High2024.3.55417CWE-290CVE-2025-24458
TeamCityImproper access control allowed viewing details of unauthorized agents (TW-85841)Medium2024.12CWE-863CVE-2024-56348
TeamCityImproper access control allowed unauthorized users to modify build logs (TW-90726)Medium2024.12CWE-862CVE-2024-56349
TeamCityBuild credentials allowed unauthorized viewing of projects (TW-24904)Medium2024.12CWE-863CVE-2024-56350
TeamCityAccess tokens were not revoked after removing user roles (TW-76910)Medium2024.12CWE-613CVE-2024-56351
TeamCityStored XSS was possible via image name on the agent details page (TW-89485)Medium2024.12CWE-79CVE-2024-56352
TeamCityBackup file exposed user credentials and session cookies. Reported by Thomas Siegbert (TW-89719)Medium2024.12CWE-212CVE-2024-56353
TeamCityPassword field value were accessible to users with view settings permission (TW-49870)Medium2024.12CWE-522CVE-2024-56354
TeamCityMissing Content-Type header in RemoteBuildLogController response could lead to XSS (TW-80940)Medium2024.12CWE-79CVE-2024-56355
TeamCityInsecure XMLParser configuration could lead to potential XXE attack (TW-86582)Medium2024.12CWE-611CVE-2024-56356
YouTrackUnauthenticated database backup download was possible via vulnerable query parameter (JT-85385)Low2024.3.51866CWE-862CVE-2024-54153
YouTrackSystem takeover was possible through path traversal in plugin sandbox (JT-85298)High2024.3.51866CWE-23CVE-2024-54154
YouTrackImproper access control allowed listing of project names during app import without authentication. Reported by Tom Gionfriddo (JT-85830)Low2024.3.51866CWE-862CVE-2024-54155
YouTrackMultiple merge functions were vulnerable to prototype pollution attack (JT-85614)Medium2024.3.52635CWE-1321CVE-2024-54156
YouTrackPotential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector (JT-85443)Medium2024.3.52635CWE-1333CVE-2024-54157
YouTrackPotential spoofing attack was possible via lack of Punycode encoding (JT-85607)Low2024.3.52635CWE-173CVE-2024-54158
WebStormCode execution in Untrusted Project mode was possible via type definitions installer script. Reported by Ramast Magdy (WEB-69576)Medium2024.3CWE-349CVE-2024-52555
HubImproper access control allowed users to generate permanent tokens for unauthorized services (HUB-11932)Medium2024.3.47707CWE-862CVE-2024-50573
YouTrackPotential ReDoS exploit was possible via email header parsing in Helpdesk functionality (JT-85386)Medium2024.3.47707CWE-1333CVE-2024-50574
YouTrackReflected XSS was possible in Widget API (JT-85387)Medium2024.3.47707CWE-79CVE-2024-50575
YouTrackStored XSS was possible via vendor URL in App manifest (JT-85389)Medium2024.3.47707CWE-79CVE-2024-50576
YouTrackStored XSS was possible via Angular template injection in Hub settings (JT-85384)Medium2024.3.47707CWE-79CVE-2024-50577
YouTrackStored XSS was possible via sprint value on agile boards page (JT-85299)Medium2024.3.47707CWE-79CVE-2024-50578
YouTrackReflected XSS due to insecure link sanitization was possible (JT-85383)Medium2024.3.47707CWE-79CVE-2024-50579
YouTrackMultiple XSS were possible due to insecure markdown parsing and custom rendering rule (JT-85295)Medium2024.3.47707CWE-79CVE-2024-50580
YouTrackImproper HTML sanitization could lead to XSS attack via comment tag (JT-85296)Medium2024.3.47707CWE-79CVE-2024-50581
YouTrackStored XSS was possible due to improper HTML sanitization in markdown elements (JT-85297)Medium2024.3.47707CWE-79CVE-2024-50582
KtorImproper caching in HttpCache Plugin could lead to response information disclosure. Reported by Nils Barlaug (KTOR-7483)Medium2.3.13CWE-524CVE-2024-49580
YouTrackInsecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests (JT-85294)High2024.3.47197CWE-940CVE-2024-49579
YouTrackImproper access control allowed users with project update permission to delete applications via APIMedium2024.3.46677CWE-862CVE-2024-48902
TeamCityPassword could be exposed via Sonar runner REST API (TW-64557)Medium2024.07.3CWE-522CVE-2024-47161
TeamCityPath traversal leading to information disclosure was possible via server backups. Reported by Thomas Siegbert (TW-89721)Medium2024.07.3CWE-23CVE-2024-47948
TeamCityPath traversal allowed backup file write to arbitrary location. Reported by Thomas Siegbert (TW-89723)Medium2024.07.3CWE-23CVE-2024-47949
TeamCityStored XSS was possible in Backup configuration settings. Reported by Thomas Siegbert (TW-89700)Low2024.07.3CWE-79CVE-2024-47950
TeamCityStored XSS was possible via server global settings (TW-88983)Low2024.07.3CWE-79CVE-2024-47951
YouTrackUser without appropriate permissions could restore workflows attached to a project (JT-82431)Medium2024.3.44799CWE-863CVE-2024-47159
YouTrackAccess to global app config data without appropriate permissions was possible (JT-81376)Medium2024.3.44799CWE-863CVE-2024-47160
YouTrackToken could be revealed on Imports page (JT-82142)Medium2024.3.44799CWE-522CVE-2024-47162
IntelliJ IDEAHTML injection via the project name was possible (IJPL-8358)Low2024.1CWE-79CVE-2024-46970
TeamCityPossible privilege escalation due to incorrect directory permissions. Reported by Crispr Xiang from TianShu Dubhe Team (TW-87656)High2024.07.1CWE-276CVE-2024-43114
TeamCityMultiple stored XSS was possible on Clouds page (TW-85512)Medium2024.07.1CWE-79CVE-2024-43807
TeamCitySelf XSS was possible in the HashiCorp Vault plugin (TW-84492)Low2024.07.1CWE-79CVE-2024-43808
TeamCityReflected XSS was possible on the agentPushPreset page (TW-84016)Low2024.07.1CWE-79CVE-2024-43809
TeamCityReflected XSS was possible in the AWS Core plugin (TW-86958)Medium2024.07.1CWE-79CVE-2024-43810
TeamCityParameters of the "password" type could leak into the build log in some specific cases (TW-67957)Medium2024.07CWE-532CVE-2024-41824
TeamCityStored XSS was possible on the Code Inspection tab (TW-83483)Medium2024.07CWE-79CVE-2024-41825
TeamCityStored XSS was possible on Show Connection page (TW-86935)Low2024.07CWE-79CVE-2024-41826
TeamCityAccess tokens could continue working after deletion or expiration (TW-76857)High2024.07CWE-613CVE-2024-41827
TeamCityComparison of authorization tokens took non-constant time (TW-85815)Low2024.07CWE-208CVE-2024-41828
TeamCityAn OAuth code for JetBrains Space could be stolen via Space Application connection (TW-84124)Low2024.07CWE-303CVE-2024-41829
TeamCityPrivate key could be exposed via testing GitHub App Connection (TW-88255)Medium2024.03.3CWE-522CVE-2024-39878
TeamCityApplication token could be exposed in EC2 Cloud Profile settings (TW-88399)Medium2024.03.3CWE-522CVE-2024-39879
HubStored XSS via project description was possible. Reported by Krzysztof Kamiński (HUB-11601)Low2024.2.34646CWE-79CVE-2024-38507
YouTrackThe Guest User Account was enabled for attaching files to articles (JT-81902)Medium2024.2.34646CWE-862CVE-2024-38504
YouTrackUser access token was sent to the third-party site. Reported by Sergey Zotov (JT-81798)Medium2024.2.34646CWE-522CVE-2024-38505
YouTrackUser without appropriate permissions could enable the auto-attach option for workflows (JT-81214)Medium2024.2.34646CWE-862CVE-2024-38506
AquaGitHub access token could be exposed to third-party sites (IJPL-155883)Critical2024.1.2CWE-522CVE-2024-37051
CLionGitHub access token could be exposed to third-party sites (IJPL-155883)Critical 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2CWE-522CVE-2024-37051
DataGripGitHub access token could be exposed to third-party sites (IJPL-155883)Critical2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4CWE-522CVE-2024-37051
DataSpellGitHub access token could be exposed to third-party sites (IJPL-155883)Critical2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1CWE-522CVE-2024-37051
GoLandGitHub access token could be exposed to third-party sites (IJPL-155883)Critical2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3CWE-522CVE-2024-37051
IntelliJ IDEAGitHub access token could be exposed to third-party sites (IJPL-155883)Critical2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3CWE-522CVE-2024-37051
MPSGitHub access token could be exposed to third-party sites (IJPL-155883)Critical2023.2.1, 2023.3.1, 2024.1 EAP2CWE-522CVE-2024-37051
PhpStormGitHub access token could be exposed to third-party sites (IJPL-155883)Critical2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3CWE-522CVE-2024-37051
PyCharmGitHub access token could be exposed to third-party sites (IJPL-155883)Critical2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2CWE-522CVE-2024-37051
RiderGitHub access token could be exposed to third-party sites (IJPL-155883)Critical2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3CWE-522CVE-2024-37051
RubyMineGitHub access token could be exposed to third-party sites (IJPL-155883)Critical2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4CWE-522CVE-2024-37051
RustRoverGitHub access token could be exposed to third-party sites (IJPL-155883)Critical2024.1.1CWE-522CVE-2024-37051
WebStormGitHub access token could be exposed to third-party sites (IJPL-155883)Critical2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4CWE-522CVE-2024-37051
TeamCityPath traversal allowing to read files from server was possible (TW-87898)Medium2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2CWE-23CVE-2024-36362
TeamCitySeveral Stored XSS in code inspection reports were possible (TW-83495)Medium2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5CWE-79CVE-2024-36363
TeamCityImproper access control in Pull Requests and Commit status publisher build features was possible (TW-84931)Medium2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5CWE-863CVE-2024-36364
TeamCityA third-party agent could impersonate a cloud agent (TW-87450)Medium2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2CWE-863CVE-2024-36365
TeamCityAn XSS could be executed via certain report grouping and filtering operations (TW-83893)Medium2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5CWE-79CVE-2024-36366
TeamCityStored XSS via third-party reports was possible (TW-83270)Medium2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5CWE-79CVE-2024-36367
TeamCityReflected XSS via OAuth provider configuration was possible (TW-83485)Medium2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5CWE-79CVE-2024-36368
TeamCityStored XSS via issue tracker integration was possible (TW-83149)Medium2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5CWE-79CVE-2024-36369
TeamCityStored XSS via OAuth connection settings was possible (TW-83658)Medium2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5CWE-79CVE-2024-36370
TeamCityStored XSS in Commit status publisher was possible (TW-84958)Medium2023.05.6, 2023.11.5CWE-79CVE-2024-36371
TeamCityReflected XSS on the subscriptions page was possible (TW-83892)Medium2023.05.6CWE-79CVE-2024-36372
TeamCitySeveral stored XSS in untrusted builds settings were possible (TW-87421)Medium2024.03.2CWE-79CVE-2024-36373
TeamCityStored XSS via build step settings was possible (TW-87381)Medium2024.03.2CWE-79CVE-2024-36374
TeamCityTechnical information regarding TeamCity server could be exposed (TW-87468)Medium2024.03.2CWE-209CVE-2024-36375
TeamCityUsers could perform actions that should not be available to them based on their permissions (TW-83710)Medium2024.03.2CWE-863CVE-2024-36376
TeamCityCertain TeamCity API endpoints did not check user permissions (TW-83647)Medium2024.03.2CWE-863CVE-2024-36377
TeamCityServer was susceptible to DoS attacks with incorrect auth tokens (TW-87071)Medium2024.03.2CWE-770CVE-2024-36378
TeamCityAuthentication bypass was possible in specific edge cases even when the security patch plugin is intstalled (TW-86860)High2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5CWE-288CVE-2024-36470
TeamCitySeveral Stored XSS in the available updates page were possible (TW-87050)Low2024.03.1CWE-79CVE-2024-35300
TeamCityCommit status publisher didn't check project scope of the GitHub App token (TW-86523)Medium2024.03.1CWE-280CVE-2024-35301
TeamCityStored XSS during restore from backup was possible (TW-82309)Medium2023.11CWE-79CVE-2024-35302
YouTrackThe SMTPS protocol communication lacked proper certificate hostname validation. Reported by Yusuke Yamamoto (JT-80708)Medium2024.1.29548CWE-295CVE-2024-35299
TeamCityAuthenticated users without administrative permissions could register other users when self-registration was disabled (TW-87046)Medium2024.03CWE-863CVE-2024-31134
TeamCityOpen redirect was possible on the login page (TW-87062)Medium2024.03CWE-601CVE-2024-31135
TeamCity2FA could be bypassed by providing a special URL parameter (TW-86989)High2024.03CWE-1288CVE-2024-31136
TeamCityReflected XSS was possible via Space connection configuration. Reported by Linh Dinh (TW-86832)Medium2024.03CWE-79CVE-2024-31137
TeamCityXSS was possible via Agent Distribution settings. Reported by Alex Williams from Trend Micro (TW-86535)Medium2024.03CWE-79CVE-2024-31138
TeamCityXXE was possible in the Maven build steps detector (TW-86300)Medium2024.03CWE-611CVE-2024-31139
TeamCityServer administrators could remove arbitrary files from the server by installing tools (TW-86039)Medium2024.03CWE-1288CVE-2024-31140
TeamCityUsers with access to the agent machine might obtain permissions of the user running the agent process (TW-83048)Medium2023.11CWE-749CVE-2024-29880
YouTrackCreation comments on behalf of an arbitrary user in HelpDesk was possible (JT-79678, JT-79719)Medium2024.1.25893CWE-290CVE-2024-28228
YouTrackUser without appropriate permissions could restore issues and articles (JT-79924)Medium2024.1.25893CWE-863CVE-2024-28229
YouTrackAttaching/detaching workflow to a project was possible without project admin permissions (JT-79758)Medium2024.1.25893CWE-862CVE-2024-28230
TeamCityCustom build parameters of the "password" type could be disclosed (TW-86403)Medium2023.11.4CWE-201CVE-2024-28173
TeamCityPresigned URL generation requests in S3 Artifact Storage plugin were authorized improperly (TW-85562)Medium2023.11.4CWE-863CVE-2024-28174
TeamCityAuthentication bypass allowing to perform admin actions was possible. Reported by Rapid7 team (TW-86500)Critical2023.11.4CWE-288CVE-2024-27198
TeamCityPath traversal allowing to perform limited admin actions was possible. Reported by Rapid7 team (TW-86502)High2023.11.4CWE-23CVE-2024-27199
IntelliJ IDEAPath traversal was possible when unpacking archives (IDEA-339542)Low2023.3.3CWE-23CVE-2024-24940
IntelliJ IDEAA plugin for JetBrains Space was able to send an authentication token to an inappropriate URL (IDEA-337274)Medium2023.3.3CWE-20CVE-2024-24941
RiderLogging of environment variables containing secret values was possible (RIDER-103340)Low2023.3.3CWE-532CVE-2024-24939
TeamCityPath traversal allowed reading data within JAR archives. Reported by Sndav Bai and Crispr Xiang from TianShu Dubhe Team (TW-86017)Medium2023.11.3CWE-23CVE-2024-24942
TeamCityAuthentication bypass leading to RCE was possible. Reported by Sndav Bai and Crispr Xiang from TianShu Dubhe Team (TW-86005)Critical2023.11.3CWE-288CVE-2024-23917
Toolbox AppA DoS attack was possible via a malicious SVG image (TBX-9216)Medium2.2CWE-400CVE-2024-24943
TeamCityAccess control at the S3 Artifact Storage plugin endpoint was missed (TW-85499)Medium2023.11.2CWE-285CVE-2024-24936
TeamCityStored XSS via agent distribution was possible (TW-85880)Medium2023.11.2CWE-79CVE-2024-24937
TeamCityLimited directory traversal was possible in the Kotlin DSL documentation (TW-85585)Medium2023.11.2CWE-23CVE-2024-24938
YouTrackStored XSS via markdown was possible. Reported by Sergei Zotov (JT-78995)Medium2023.3.22666CWE-79CVE-2024-22370
IntelliJ IDEACode execution was possible in Untrusted Project mode via a malicious plugin repository specified in the project configuration (IDEA-320814)Medium2023.3.2CWE-349CVE-2023-51655
TeamCityA CSRF on login was possible (TW-84796)Medium2023.11.1CWE-352CVE-2023-50870
YouTrackAuthorization check for inline comments inside thread replies was missed (JT-78444)Medium2023.3.22268CWE-285CVE-2023-50871
KtorDefault configuration of ContentNegotiation with XML format was vulnerable to XXE. Reported by Ulf Karlsson (KTOR-6286, Pull Request)High2.3.5CWE-611CVE-2023-45612
KtorServer certificates were not verified (KTOR-6229, Pull Request)Medium2.3.5CWE-295CVE-2023-45613
TeamCityAuthentication bypass leading to RCE on TeamCity Server was possible. Reported by Stefan Schiller from Sonar (TW-83545)Critical2023.05.4CWE-288CVE-2023-42793
TeamCityStored XSS was possible during nodes configuration (TW-83216)Low2023.05.4CWE-79CVE-2023-43566
TeamCityStored XSS was possible during Cloud Profiles configuration (TW-82867, TW-82475)Medium2023.05.3CWE-79CVE-2023-41248
TeamCityReflected XSS was possible during copying Build Step (TW-82869)Medium2023.05.3CWE-79CVE-2023-41249
TeamCityReflected XSS was possible during user registration (TW-82876)Low2023.05.3CWE-79CVE-2023-41250
IntelliJ IDEAPlugin for Space was requesting excessive permissions (IDEA-321747)Medium2023.2CWE-250CVE-2023-39261
TeamCityA token with limited permissions could be used to gain full account access (TW-82485)Medium2023.05.2CWE-266CVE-2023-39173
TeamCityA ReDoS attack was possible via integration with issue trackers (TW-82283)Medium2023.05.2CWE-1333CVE-2023-39174
TeamCityReflected XSS via GitHub integration was possible (TW-82472)Medium2023.05.2CWE-79CVE-2023-39175
IntelliJ IDEALicense dialog could be suppressed in certain cases. Reported by Bilawal Imdad (IDEA-324171)Low2023.1.4CWE-754CVE-2023-38069
TeamCityStored XSS when using a custom theme was possible (TW-82270)Medium2023.05.1CWE-79CVE-2023-38061
TeamCityParameters of the "password" type could be shown in the UI in certain composite build configurations (TW-82022)Medium2023.05.1CWE-200CVE-2023-38062
TeamCityStored XSS while running custom builds was possible (TW-81723)Medium2023.05.1CWE-79CVE-2023-38063
TeamCityBuild chain parameters of the "password" type could be written to the agent log (TW-81846)Medium2023.05.1CWE-532CVE-2023-38064
TeamCityStored XSS while viewing the build log was possible (TW-81777)Medium2023.05.1CWE-79CVE-2023-38065
TeamCityReflected XSS via the Referer header was possible during artifact downloads (TW-80993)Medium2023.05.1CWE-79CVE-2023-38066
TeamCityBuild parameters of the "password" type could be written to the agent log (TW-80002)Medium2023.05.1CWE-532CVE-2023-38067
YouTrackCaptcha was not properly validated for Helpdesk forms (JT-75029)Medium2023.1.16597CWE-799CVE-2023-38068
YouTrackA DoS attack was possible via Helpdesk forms (JT-75136)High2023.1.10518CWE-400CVE-2023-35053
YouTrackStored XSS in a Markdown-rendering engine was possible (JT-75230)Medium2023.1.10518CWE-79CVE-2023-35054
KtorHeaders containing authentication data could be added to the exception's message (KTOR-5900, Pull Request)Low2.3.1CWE-209CVE-2023-34339
TeamCityBypass of permission checks allowing to perform admin actions was possible. Reported by Isaac Peka (TW-81566)Critical2023.05, 2022.10.4CWE-863CVE-2023-34218
TeamCityImproper permission checks allowed users without appropriate permissions to edit Build Configuration settings via REST API. Reported by Olof Lindberg (TW-80538)Medium2023.05, 2022.10.4CWE-285CVE-2023-34219
TeamCityStored XSS in the Commit Status Publisher window was possible (TW-80262)Medium2023.05, 2022.10.4CWE-79CVE-2023-34220
TeamCityStored XSS in the Show Connection page was possible (TW-81182)Medium2023.05CWE-79CVE-2023-34221
TeamCityPossible XSS in the Plugin Vendor URL was possible (TW-80378)Medium2023.05CWE-79CVE-2023-34222
TeamCityParameters of the "password" type from build dependencies could be logged in some cases (TW-81338)Medium2023.05CWE-532CVE-2023-34223
TeamCityOpen redirect during oAuth configuration was possible (TW-79888)Medium2023.05CWE-601CVE-2023-34224
TeamCityStored XSS in the NuGet feed page was possible (TW-81031)Medium2023.05CWE-79CVE-2023-34225
TeamCityReflected XSS in the Subscriptions page was possible (TW-80881)Medium2023.05CWE-79CVE-2023-34226
TeamCityA specific endpoint was vulnerable to brute force attacks (TW-80842)Medium2023.05, 2022.10.4CWE-749CVE-2023-34227
TeamCityAuthentication checks were missing – 2FA was not checked for some sensitive account actions (TW-73544)Medium2023.05CWE-308CVE-2023-34228
TeamCityStored XSS in GitLab Connection page was possible (TW-80174)Medium2023.05, 2022.10.4CWE-79CVE-2023-34229
Toolbox AppA DYLIB injection on macOS was possible. Reported by Dimitrie-Toma Furdui (TBX-9047)Medium1.28CWE-691CVE-2022-48481
HubSSRF protection in Auth Module integration was missing (HUB-11380)Medium2023.1.15725CWE-918CVE-2022-48477
KtorPath traversal in the `resolveResource` method was possible. Reported by Vasco Franco (KTOR-5733, Pull Request)High2.3.0CWE-35CVE-2022-48476
PhpStormSource code could be logged in the local idea.log file (WI-71063)Low2023.1CWE-532CVE-2022-48435
IntelliJ IDEAFile content could be disclosed via an external stylesheet path in Markdown preview (IDEA-297583)Medium2023.1CWE-200CVE-2022-48430
IntelliJ IDEAIn some cases, Gradle and Maven projects could be imported without the “Trust Project” confirmation (IDEA-262839)Medium2023.1CWE-345CVE-2022-48431
IntelliJ IDEAThe bundled version of Chromium wasn't sandboxed (IDEA-284121)Medium2023.1CWE-1188CVE-2022-48432
IntelliJ IDEAThe NTLM hash could leak through an API method used in the IntelliJ IDEA built-in web server (IDEA-303249)Medium2023.1CWE-522CVE-2022-48433
HubReflected XSS in dashboards was possible (HUB-11421)Medium2022.3.15573, 2022.2.15572, 2022.1.15583CWE-79CVE-2022-48429
TeamCityStored XSS in Perforce connection settings was possible (TW-79891)Medium2022.10.3CWE-79CVE-2022-48426
TeamCityStored XSS on “Pending changes” and “Changes” tabs was possible (TW-80199)Medium2022.10.3CWE-79CVE-2022-48427
TeamCityStored XSS on the SSH keys page was possible (TW-80097)Medium2022.10.3CWE-79CVE-2022-48428
JetBrains MarketplaceThere was a stored XSS vulnerability in the list of suggested plugins (MP-4822)MediumNot applicableCWE-79Not applicable
JetBrains MarketplaceThrottling was not in place for comment creation. Reported by Keroles Magdy (MP-4857)LowNot applicableCWE-770Not applicable
JetBrains WebsiteSSRF leading to AWS metadata disclosure was possible. Reported by Peter Af Geijerstam (JS-17660)MediumNot applicableCWE-918Not applicable
JetBrains WebsiteServer version and stack trace were disclosed to unauthorized users (JS-16718)LowNot applicableCWE-209Not applicable
JetBrains WebsiteIt was possible to launch cookie bomb attacks, leading to DoS. Reported by Multansingh Medtiya (JS-17550)MediumNot applicableCWE-703Not applicable
JetBrains WebsiteThere was a reflected XSS vulnerability in the Space instance registration process. Reported by Rahul Karki (SPACE-17966)MediumNot applicableCWE-79Not applicable
SpaceThrottling was not in place for a password reset. Reported by Hasan Khan (SPACE-17349)LowNot applicableCWE-770Not applicable
TeamCityJVMTI was enabled by default on agents. Reported by Hj Chai (TW-78552)Medium2022.10.2CWE-1188CVE-2022-48342
TeamCityThere was an XSS vulnerability in the user creation process (TW-78783)Medium2022.10.2CWE-79CVE-2022-48343
TeamCityThere was an XSS vulnerability in the group creation process (TW-78786)Medium2022.10.2CWE-79CVE-2022-48344
JetBrains MarketplaceStored XSS in the list of plugin ideas (MP-4824) MediumNot applicableCWE-79Not applicable
JetBrains WebsiteReflected XSS in JetBrains Blog (JS-16355)MediumNot applicableCWE-79Not applicable
IntelliJ IDEAThe "Validate JSP File" action used the HTTP protocol to download required JAR files (IDEA-305732)Medium2022.3.1CWE-319CVE-2022-47895
IntelliJ IDEACode Templates were vulnerable to SSTI attacks. Reported by Krypton (IDEA-306345)Medium2022.3.1CWE-1336CVE-2022-47896
SpaceThe second authentication factor wasn't checked during the password reset. Reported by Bharat (SPACE-15087)MediumNot applicableCWE-304Not applicable
IntelliJ IDEAA buffer overflow in the fsnotifier daemon on macOS was possible (IDEA-302494)Medium2022.2.4CWE-120CVE-2022-46824
IntelliJ IDEAThe built-in web server leaked information about open projects (IDEA-297741)Medium2022.3CWE-200CVE-2022-46825
IntelliJ IDEAThe built-in web server allowed an arbitrary file to be read by exploiting a path traversal vulnerability (IDEA-304713)Medium2022.3CWE-35CVE-2022-46826
IntelliJ IDEAAn XXE attack leading to SSRF via requests to custom plugin repositories was possible (IDEA-302855)Low2022.3CWE-611CVE-2022-46827
IntelliJ IDEAA DYLIB injection on macOS was possible. Independently reported by Anthony Viriya and Kang Ali (IDEA-298179)Medium2022.3CWE-691CVE-2022-46828
JetBrains GatewayA client could connect without a valid token if the host consented (GTW-1786)High2022.3CWE-287CVE-2022-46829
SpaceProfiles were improperly added to random projects, including restricted onesMediumNot applicableCWE-668Not applicable
TeamCityA custom STS endpoint allowed internal port scanning (TW-78415)Medium2022.10.1CWE-918CVE-2022-46830
TeamCityConnecting to AWS using the "Default Credential Provider Chain" allowed TeamCity project administrators to access AWS resources normally limited to TeamCity system administrators (TW-78416)Medium2022.10.1CWE-453CVE-2022-46831
HubThrottling was missed when sending emails to a particular email address. Reported by Keroles Magdy (HUB-11260)Low2022.3.15181CWE-770CVE-2022-45471
TeamCity CloudEBS storage objects were not encrypted (TCC-175)LowNot applicableCWE-311Not applicable
TeamCity CloudPasswords for agent user accounts built from the same image were not randomized (TCC-188)MediumNot applicableCWE-331Not applicable
TeamCityExcessive access permissions for secure token health items (TW-73518)Low2022.10CWE-284CVE-2022-44622
TeamCityProject Viewer could see scrambled secure values in the MetaRunner settings (TW-76796)Medium2022.10CWE-538CVE-2022-44623
TeamCityPassword parameters could be exposed in the build log if they contained special characters (TW-77048)Medium2022.10CWE-532CVE-2022-44624
TeamCityNo audit items were added upon editing a user's settings (TW-75537)Low2022.10CWE-223CVE-2022-44646
JetBrains AccountThrottling was missed on some pages. Reported by Manthan Mahale (JPF-13346)Low2022.09CWE-770Not applicable
TeamCityEnvironmental variables of "password" type could be logged when using custom Perforce executable. Reported by Pierre Hosteins and Yvan Serykh (TW-77474)Medium2022.04.4CWE-532CVE-2022-40979
JetBrains WebsiteOpen redirect on jetbrains.com.cn. Reported by Koutrouss Naddara (JS-17099)MediumNot applicableCWE-601Not applicable
IntelliJ IDEAThe installer was vulnerable to EXE search order hijacking. Reported by Dmitry Zemlyakov (IDEA-295424)High2022.2.2CWE-427CVE-2022-40978
JetBrains WebsiteThe JetBrains blog was vulnerable to CSS injection (JS-16353)LowNot applicableCWE-79Not applicable
KtorKtor was vulnerable to the Reflect File Download attack. Reported by Motoyasu Saburi (KTOR-4669, Pull Request)Medium2.1.0CWE-184CVE-2022-38179
KtorThe wrong authentication provider could be selected in some cases. Reported by Andrew Bryan (KTOR-4618, Pull Request)Medium2.1.0CWE-287CVE-2022-38180
TeamCityThe private SSH key could be written to the server log in some cases (TW-76758)Low2022.04.3CWE-532CVE-2022-38133
RiderTrust and Open Project dialog bypass, leading to local code execution (RIDER-74325, RIDER-74328)Medium2022.2CWE-94CVE-2022-37396
IntelliJ IDEALocal code execution was possible via a Vagrant executable (IDEA-288325)Low2022.2CWE-94CVE-2022-37009
IntelliJ IDEAMissing email address validation in the "Git User Name Is Not Defined" dialog. Reported by Carolos Foscolos (IDEA-291960)Low2022.2CWE-20CVE-2022-37010
TeamCityThe private SSH key could be written to the build log in some cases (TW-76651)Medium2022.04.2CWE-532CVE-2022-36321
TeamCityBuild parameter injection was possible. Reported by Micky Sung (TW-76356)Medium2022.04.2CWE-88CVE-2022-36322
HubInsufficient access control allowed the hijacking of untrusted services in Hub. Reported by Yurii Sanin (HUB-10771)Low2022.2.14799CWE-284CVE-2022-34894
JetBrains WebsitePotential XSS via Origin header. Reported by Nidhin Sabu (JPF-13063)LowNot applicableCWE-79Not applicable
KtorSHA1 implementation in Ktor Native was returning the same value (KTOR-4217, Pull Request)High2.0.1CWE-342CVE-2022-29930
TeamCityReflected XSS on the Build Chain Status page (TW-75231)Medium2022.04CWE-79CVE-2022-29927
TeamCityPossible leak of secrets in TeamCity agent logs (TW-74263, TW-68807)Medium2022.04CWE-532CVE-2022-29928
TeamCityPotential XSS via Referrer header (TW-75605)Low2022.04CWE-79CVE-2022-29929
HubStored XSS via project icon. Reported by Julian Muñoz (HUB-11155)Medium2022.1.14638CWE-79CVE-2022-29811
IntelliJ IDEAInsufficient notification about using Unicode directionality formatting characters (IDEA-284151)Low2022.1CWE-176CVE-2022-29812
IntelliJ IDEALocal code execution via custom Pandoc path (IDEA-288269)Medium2022.1CWE-94CVE-2022-29813
IntelliJ IDEALocal code execution via HTML descriptions in custom JSON schemas (IDEA-283967)Medium2022.1CWE-94CVE-2022-29814
IntelliJ IDEALocal code execution via workspace settings (IDEA-283824, IDEA-283968)Medium2022.1CWE-94CVE-2022-29815
IntelliJ IDEAHTML injection into IDE messages (IDEA-287428)Low2022.1CWE-74CVE-2022-29816
IntelliJ IDEAReflected XSS via error messages in internal web server (IDEA-283994)Low2022.1CWE-79CVE-2022-29817
IntelliJ IDEAFlawed origin checks in the internal web server (IDEA-283586)Low2022.1CWE-346CVE-2022-29818
IntelliJ IDEALocal code execution via links in Quick Documentation (IDEA-289398)Medium2022.1CWE-94CVE-2022-29819
PyCharmExposure of the debugger port to the internal network (PY-52288)Low2022.1CWE-1327CVE-2022-29820
RiderLocal code execution via links in ReSharper Quick Documentation (RIDER-74099)Medium2022.1CWE-94CVE-2022-29821
TeamCity CloudPotential disclosure of built-in OAuth2 connectors' secrets. Reported by Yurii Sanin (TCC-346)HighNot applicableCWE-522Not applicable
TeamCity CloudSession takeover via OAuth client manipulation. Reported by Yurii Sanin (TCC-347, TCC-349, TCC-351)HighNot applicableCWE-345Not applicable
TeamCity CloudSession takeover using open redirect misconfiguration. Reported by Yurii Sanin (TCC-348)HighNot applicableCWE-601Not applicable
TeamCity CloudVCS credentials disclosure via repository URL manipulation. Reported by Yurii Sanin (TCC-355, TCC-358)MediumNot applicableCWE-522Not applicable
KtorRandom values used for nonce generation in Ktor Native weren't using SecureRandom implementations. Reported by Dan Wallach (KTOR-3656, Pull Request)Low2.0.0CWE-330CVE-2022-29035
JetBrains AccountIt was possible to take over accounts linked to outlook.* email addresses via GitHub SSO. Reported by Adrian Weber (JPF-12877)Critical2022.04CWE-697Not applicable
IntelliJ IDEAIt was possible to get passwords from protected fields (IDEA-289085)High2021.3.3CWE-497CVE-2022-28651
YouTrackHTML code from the issue description was being rendered (JT-58282)Medium2022.1.43563CWE-80CVE-2022-28648
YouTrackIt was possible to include an iframe from a third-party domain in the issue description (JT-68626)Medium2022.1.43563CWE-1021CVE-2022-28649
YouTrackIt was possible to inject JavaScript into Markdown in the YouTrack Classic UI (JT-68622)High2022.1.43700CWE-79CVE-2022-28650
HubBlind Server-Side Request Forgery (SSRF). Reported by Yurii Sanin (HUB-11052)Medium2021.1.14276CWE-918CVE-2022-25260
HubReflected XSS. Reported by Yurii Sanin (HUB-10971)Medium2021.1.14276CWE-79CVE-2022-25259
HubSAML request takeover. Reported by Yurii Sanin (HUB-10978)High2022.1.14434CWE-345CVE-2022-25262
JetBrains BlogReflected XSS via tag parameter (BLOG-55)MediumNot applicableCWE-79Not applicable
JetBrains MarketplaceStored XSS via plugin fields (MP-4190, MP-4191, MP-4192, MP-4196, MP-4201)MediumNot applicableCWE-79Not applicable
Kotlin WebsiteClickjacking at talkingkotlin.com (KTL-84)LowNot applicableCWE-1021Not applicable
TeamCityReflected XSS (TW-74044)Medium2021.2.2CWE-79CVE-2022-25261
TeamCityOS command injection in the Agent Push feature configuration. Reported by Cristian Chavez (TW-74822)High2021.2.3CWE-78CVE-2022-25263
TeamCityEnvironment variables of "password" type could be logged in some cases (TW-74625)Medium2021.2.3CWE-532CVE-2022-25264
YouTrackSSTI via FreeMarker templates. Reported by Matei "Mal" Badanoiu (JT-68075)High2021.4.40426CWE-1336CVE-2022-24442
HubJetBrains Account integration exposed API keys with excessive permissions. Reported by Yurii Sanin (HUB-10958)High2021.1.13890CWE-732CVE-2022-24327
HubAn unprivileged user could perform a DoS. Reported by Yurii Sanin (HUB-10976)High2021.1.13956CWE-74CVE-2022-24328
IntelliJ IDEACode could be executed without the user’s permission on opening a project (IDEA-243002, IDEA-277306, IDEA-282396, IDEA-275917)Medium2021.2.4CWE-345CVE-2022-24345
IntelliJ IDEAPotential LCE via RLO (Right-to-Left Override) characters (IDEA-284150)Medium2021.3.1CWE-176CVE-2022-24346
JetBrains BlogBlind SQL injection. Reported by Khan Janny (BLOG-45)MediumNot applicableCWE-89Not applicable
KotlinNo ability to lock dependencies for Kotlin Multiplatform Gradle projects. Reported by Carter Jernigan (KT-49449)Medium1.6.0CWE-667CVE-2022-24329
Kotlin WebsiteClickjacking at kotlinlang.org (KTL-588)MediumNot applicableCWE-1021Not applicable
Remote DevelopmentUnexpected open port on backend server. Reported by Damian Gwiżdż (GTW-894)High2021.3.1CWE-1327CVE-2021-45977
SpaceMissing permission check in an HTTP API response (SPACE-15991)HighNot applicableCWE-284Not applicable
TeamCityA redirect to an external site was possible (TW-71113)Low2021.2.1CWE-601CVE-2022-24330
TeamCityLogout failed to remove the "Remember Me" cookie (TW-72969)Low2021.2CWE-613CVE-2022-24332
TeamCityGitLab authentication impersonation. Reported by Christian Pedersen (TW-73375)High2021.1.4CWE-285CVE-2022-24331
TeamCityThe "Agent push" feature allowed any private key on the server to be selected (TW-73399)Low2021.2.1CWE-284CVE-2022-24334
TeamCityBlind SSRF via an XML-RPC call. Reported by Artem Godin (TW-73465)Medium2021.2CWE-918CVE-2022-24333
TeamCityTime-of-check/Time-of-use (TOCTOU) vulnerability in agent registration via XML-RPC. Reported by Artem Godin (TW-73468)High2021.2CWE-367CVE-2022-24335
TeamCityAn unauthenticated attacker could cancel running builds via an XML-RPC request to the TeamCity server. Reported by Artem Godin (TW-73469)Medium2021.2.1CWE-284CVE-2022-24336
TeamCityPull-requests' health items were shown to users without appropriate permissions (TW-73516)Low2021.2CWE-284CVE-2022-24337
TeamCityStored XSS. Reported by Yurii Sanin (TW-73737)Medium2021.2.1CWE-79CVE-2022-24339
TeamCityURL injection leading to CSRF. Reported by Yurii Sanin (TW-73859)Medium2021.2.1CWE-352CVE-2022-24342
TeamCityChanging a password failed to terminate sessions of the edited user (TW-73888)Low2021.2.1CWE-613CVE-2022-24341
TeamCityXXE during the parsing of a configuration file (TW-73932)Medium2021.2.1CWE-611CVE-2022-24340
TeamCityReflected XSS (TW-74043)Medium2021.2.1CWE-79CVE-2022-24338
YouTrackStored XSS on the Notification templates page (JT-65752)Low2021.4.31698CWE-79CVE-2022-24344
YouTrackA custom logo could be set with read-only permissions (JT-66214)Low2021.4.31698CWE-284CVE-2022-24343
YouTrackStored XSS via project icon. Reported by Yurii Sanin (JT-67176)Medium2021.4.36872CWE-79CVE-2022-24347
DataloreServer version disclosure. Reported by Bharat (DL-9447)Low2021.3CWE-209Not applicable
HubInformation disclosure via avatars metadata (HUB-10154)Low2021.1.13690CWE-200CVE-2021-43180
HubPotential DoS via user information. Reported by Bharat (HUB-10804)Low2021.1.13415CWE-20CVE-2021-43182
HubStored XSS. Reported by Dmitry Sherstoboev (HUB-10854)Medium2021.1.13690CWE-79CVE-2021-43181
HubAuthentication throttling mechanism could be bypassed. Reported by Bharat (HUB-10869)Medium2021.1.13690CWE-180CVE-2021-43183
JetBrains AccountAuthentication throttling mechanism could be bypassed. Reported by Bharat (JPF-11933)Medium2021.07CWE-180Not applicable
KtorImproper nonce verification during OAuth2 authentication process. Reported by Ole Schilling Tjensvold (KTOR-3091)Medium1.6.4CWE-303CVE-2021-43203
SpaceAuthentication throttling mechanism could be bypassed. Reported by Bharat (SPACE-15282)LowNot applicableCWE-180Not applicable
SpaceSSRF disclosing EC2 metadata (SPACE-15666)HighNot applicableCWE-918Not applicable
TeamCityUser enumeration was possible (TW-70167)Low2021.1.2CWE-200CVE-2021-43194
TeamCityRCE in agent push functionality. Reported by Eduardo Castellanos (TW-70384)High2021.1.2CWE-78CVE-2021-43193
TeamCityInformation disclosure via Docker Registry connection dialog (TW-70459)Medium2021.1CWE-200CVE-2021-43196
TeamCitySome HTTP security headers were missing (TW-71376)Low2021.1.2CWE-693CVE-2021-43195
TeamCityEmail notifications could include unescaped HTML (TW-71981)Low2021.1.2CWE-116CVE-2021-43197
TeamCityInsufficient permissions checks in create patch functionality (TW-71982)Low2021.1.2CWE-285CVE-2021-43199
TeamCityStored XSS (TW-72007)Low2021.1.2CWE-79CVE-2021-43198
TeamCityInsufficient permissions checks in agent push functionality (TW-72177)Low2021.1.2CWE-285CVE-2021-43200
TeamCityX-Frame-Options header was missing in some cases (TW-72464)Low2021.1.3CWE-693CVE-2021-43202
TeamCityA newly created project could take settings from an already deleted project (TW-72521)Medium2021.1.3CWE-459CVE-2021-43201
TeamCity CloudSession takeover using open redirect in OAuth integration. Reported by Yurii Sanin (TCC-277)HighNot applicableCWE-601Not applicable
YouTrackStored XSS (JT-63483)Low2021.3.21051CWE-79CVE-2021-43184
YouTrackHost header injection. Reported by Artem Ivanov (JT-65590)Medium2021.3.23639CWE-601CVE-2021-43185
YouTrackStored XSS. Reported by Artem Ivanov (JT-65749)High2021.3.24402CWE-79CVE-2021-43186
YouTrack InCloudUnsafe EC2 configuration in YouTrack InCloud (JT-63693, JT-63695)LowNot applicableCWE-16Not applicable
YouTrack MobileClient-side caching on iOS (YTM-12961)Low2021.2CWE-524CVE-2021-43187
YouTrack MobileIncomplete access token protection on iOS (YTM-12962, YTM-12965, YTM-12966)Low2021.2CWE-311CVE-2021-43188
YouTrack MobileIncomplete access token protection on Android (YTM-12964)Low2021.2CWE-311CVE-2021-43189
YouTrack MobileTask Hijacking in Android (YTM-12967)Low2021.2CWE-287CVE-2021-43190
YouTrack MobileiOS URL Scheme hijacking (YTM-12968)Low2021.2CWE-287CVE-2021-43192
YouTrack MobileMissing Security Screen on Android & iOS (YTM-12969)Low2021.2CWE-287CVE-2021-43191
DatalorePotential JWT token takeover using redirect misconfiguration. Reported by Yurii Sanin (DL-9225, JPF-11801)High0.2.2CWE-601Not applicable
DataloreThere was no way to drop all active sessions. Reported by Bharat (DL-9247)High0.3.0CWE-613Not applicable
HubPotentially insufficient CSP for Widget deployment feature (JPS-10736)Low2021.1.13262CWE-1021CVE-2021-37540
HubAccount takeover was possible during password reset. Reported by Viet Nguyen Quoc (JPS-10767)High2021.1.13402CWE-601CVE-2021-36209
HubHTML injection in the password reset email was possible. Reported by Bharat (JPS-10797)Medium2021.1.13402CWE-79CVE-2021-37541
JetBrains AccountOTP could be used several times after the successful validation (JPF-11119)Low2021.04CWE-358Not applicable
JetBrains AccountPotential account takeover via OAuth integration. Reported by Bharat (JPF-11802)High2021.06CWE-918Not applicable
JetBrains WebsiteReflected XSS on jetbrains.com. Reported by Vasu Solanki (JS-14004)LowNot applicableCWE-79Not applicable
RubyMineCode execution without user confirmation was possible for untrusted projects (RUBY-27702)Medium2021.1.1CWE-345CVE-2021-37543
SpaceDeprecated organization-wide package repositories were publicly visible (SPACE-14151)HighNot applicableCWE-284Not applicable
TeamCityPotential XSS (TW-61688)High2020.2.3CWE-79CVE-2021-37542
TeamCityInsecure deserialization (TW-70057, TW-70080)High2020.2.4CWE-502CVE-2021-37544
TeamCityInsufficient authentication checks for agent requests (TW-70166)High2021.1.1CWE-287CVE-2021-37545
TeamCityInsecure key generation for encrypted properties (TW-70201)Low2021.1CWE-335CVE-2021-37546
TeamCityInsufficient checks during file uploading (TW-70546)Medium2020.2.4CWE-434CVE-2021-37547
TeamCityPlain-text passwords could sometimes be stored in VCS (TW-71008)Medium2021.1CWE-540CVE-2021-37548
YouTrackInsufficient sandboxing in workflows (JT-63222, JT-63254)Critical2021.1.11111CWE-648CVE-2021-37549
YouTrackTime-unsafe comparisons were used (JT-63697)Low2021.2.16363CWE-208CVE-2021-37550
YouTrackSystem user passwords were hashed with SHA-256 (JT-63698)Low2021.2.16363CWE-916CVE-2021-37551
YouTrackInsecure PRNG was used (JT-63699)Low2021.2.16363CWE-338CVE-2021-37553
YouTrackStored XSS (JT-64564)Medium2021.2.17925CWE-79CVE-2021-37552
YouTrackUser could see boards without having corresponding permissions (JT-64634)Low2021.3.21051CWE-284CVE-2021-37554
YouTrack InCloudReflected XSS on konnector service in Firefox (JT-63702)LowNot applicableCWE-79Not applicable
Code With MeClient could execute code in read-only mode (CWM-1235)MediumCompatible IDEs 2021.1 versionCWE-285CVE-2021-31899
Code With MeClient could open browser on host (CWM-1769)LowCompatible IDEs 2021.1 versionCWE-285CVE-2021-31900
Exception AnalyzerNo throttling at Exception Analyzer login page. Reported by Ashhad Ali (EXA-760)LowNot applicableCWE-799Not applicable
HubTwo-factor authentication wasn't enabled properly for "All Users" group (JPS-10694)Low2021.1.13079CWE-304CVE-2021-31901
IntelliJ IDEAXXE in License server functionality (IDEA-260143)High2020.3.3CWE-611CVE-2021-30006
IntelliJ IDEACode execution without user confirmation was possible for untrusted projects (IDEA-260911, IDEA-260912, IDEA-260913, IDEA-261846, IDEA-261851, IDEA-262917, IDEA-263981, IDEA-264782)Medium2020.3.3CWE-345CVE-2021-29263
IntelliJ IDEAPossible DoS. Reported by Arun Malik (IDEA-261832)Medium2021.1CWE-770CVE-2021-30504
JetBrains AcademyPotential takeover of a future account with a known email. Reported by Vansh Devgan (JBA-110)LowNot applicableCWE-285Not applicable
JetBrains AccountSensitive account URLs were shared with third parties. Reported by Vikram Naidu (JPF-11338)High2021.02CWE-201Not applicable
JetBrains WebsiteReflected XSS at blog.jetbrains.com. Reported by Peter Af Geijerstam and Jai Kumar (JS-14554, JS-14562)LowNot applicableCWE-79Not applicable
PyCharmCode execution without user confirmation was possible for untrusted projects. Reported by Tony Torralba (PY-41524)Medium2020.3.4CWE-345CVE-2021-30005
SpaceInsufficient CRLF sanitization in user input (SPACE-13955)LowNot applicableCWE-93Not applicable
TeamCityPotential XSS on the test history page (TW-67710)Medium2020.2.2CWE-79CVE-2021-31904
TeamCityTeamCity IntelliJ Plugin DoS. Reported by Jonathan Leitschuh (TW-69070)Low2020.2.2CWE-770CVE-2021-26310
TeamCityLocal information disclosure via temporary file in TeamCity IntelliJ Plugin. Reported by Jonathan Leitschuh (TW-69420)Low2020.2.2CWE-378CVE-2021-26309
TeamCityInsufficient audit when an administrator uploads a file (TW-69511)Low2020.2.2CWE-778CVE-2021-31906
TeamCityImproper permission checks for changing TeamCity plugins (TW-69521)Low2020.2.2CWE-732CVE-2021-31907
TeamCityPotential XSS on the test page. Reported by Stephen Patches (TW-69737)Low2020.2.2CWE-79CVE-2021-3315
TeamCityArgument Injection leading to RCE (TW-70054)High2020.2.3CWE-78CVE-2021-31909
TeamCityStored XSS on several pages (TW-70078, TW-70348)Medium2020.2.3CWE-79CVE-2021-31908
TeamCityInformation disclosure via SSRF (TW-70079)High2020.2.3CWE-918CVE-2021-31910
TeamCityReflected XSS on several pages (TW-70093, TW-70094, TW-70095, TW-70096, TW-70137)Medium2020.2.3CWE-79CVE-2021-31911
TeamCityPotential account takeover during password reset (TW-70303)Medium2020.2.3CWE-640CVE-2021-31912
TeamCityInsufficient checks of the redirect_uri during GitHub SSO token exchange (TW-70358)Low2020.2.3CWE-601CVE-2021-31913
TeamCityArbitrary code execution on TeamCity Server running on Windows. Reported by Chris Moore (TW-70512)High2020.2.4CWE-829CVE-2021-31914
TeamCityCommand injection leading to RCE. Reported by Chris Moore (TW-70541)High2020.2.4CWE-78CVE-2021-31915
TeamCity CloudPotential information disclosure via EC2 instance metadata (TCC-174, TCC-176)LowNot applicableCWE-1230Not applicable
TeamCity CloudTemporary credentials disclosure via command injection. Reported by Chris Moore (TCC-196)HighNot applicableCWE-78Not applicable
UpSourceApplication passwords were not revoked correctly. Reported by Thibaut Zonca (UP-10843)High2020.1.1883CWE-459CVE-2021-30482
WebStormHTTP requests were used instead of HTTPS (WEB-49549)Low2021.1CWE-295CVE-2021-31898
WebStormCode execution without user confirmation was possible for untrusted projects (WEB-49689, WEB-49902)Low2021.1CWE-345CVE-2021-31897
YouTrackStored XSS via attached file. Reported by Mikhail Klyuchnikov (JT-62530)Medium2020.6.6441CWE-79CVE-2021-27733
YouTrackPull request title was sanitized insufficiently (JT-62556)Medium2021.1.9819CWE-79CVE-2021-31903
YouTrackImproper access control during exporting issues (JT-62649)High2020.6.6600CWE-284CVE-2021-31902
YouTrackInformation disclosure in issue preview (JT-62919)High2020.6.8801CWE-200CVE-2021-31905
Code With MeAn attacker on the local network who knew the session ID could access the encrypted traffic. Reported by Grigorii Liullin (CWM-1067)Low2020.3Not applicableCVE-2021-25755
DataloreServer component versions were disclosed (DL-8327, DL-8335)Low0.0.1CWE-200Not applicable
Exception AnalyzerInformation disclosure via Exceptions Analyzer (SDP-1248)LowNot applicableCWE-200Not applicable
HubOpen-redirect was possible. Reported by Mohammed Amine El Attar (JPS-10348)Medium2020.1.12629Not applicableCVE-2021-25757
HubAn authorized user could delete the 2FA settings of any other user (JPS-10410)Medium2020.1.12629Not applicableCVE-2021-25759
HubInformation disclosure via public API (JPS-10481)Low2020.1.12669Not applicableCVE-2021-25760
IntelliJ IDEAHTTP links were used for several remote repositories (IDEA-228726)Low2020.2Not applicableCVE-2021-25756
IntelliJ IDEAPotentially insecure deserialization of the workspace model (IDEA-253582)Low2020.3Not applicableCVE-2021-25758
JetBrains AccountAuthorization token was sent as a query parameter within Zendesk integration (JPF-10508)Low2020.11CWE-598Not applicable
JetBrains AccountOpen-redirect was possible (JPF-10660)Low2020.10CWE-601Not applicable
JetBrains WebsiteCross-origin resource sharing was possible. Reported by Ashhad Ali (SDP-1193)LowNot applicableCWE-942Not applicable
JetBrains WebsiteThrottling was not used for the particular endpoint. Reported by Ashhad Ali (SDP-1197)LowNot applicableCWE-799Not applicable
JetBrains WebsiteClickjacking was possible. Reported by Ashhad Ali (SDP-1203)LowNot applicableCWE-1021Not applicable
KotlinVulnerable Java API was used for temporary files and folders creation, which could make temporary files available for other users of a system. Reported by Jonathan Leitschuh (KT-42181)Low1.4.21Not applicableCVE-2020-29582
KtorBirthday attack on SessionStorage key was possible. Reported by Kenta Koyama (KTOR-878)Low1.5.0Not applicableCVE-2021-25761
KtorWeak cipher suites were enabled by default. Reported by Johannes Ulfkjær Jensen (KTOR-895)Low1.4.2Not applicableCVE-2021-25763
KtorHTTP Request Smuggling was possible. Reported by ZeddYu Lu, Kaiwen Shen, Yaru Yang (KTOR-1116)Low1.4.3Not applicableCVE-2021-25762
PhpStormSource code could be added to debug logs (WI-54619)Low2020.3Not applicableCVE-2021-25764
SpacePotential information disclosure via logs (SPACE-9343, SPACE-10969)LowNot applicableCWE-532Not applicable
SpaceAn attacker could obtain limited information via SSRF in repository mirroring test connection (SPACE-9514)HighNot applicableCWE-918Not applicable
SpaceContent-Type header wasn't set for some pages (SPACE-12004)LowNot applicableCWE-531Not applicable
SpaceA REST API endpoint was available without an appropriate permission check, which could introduce a potential DoS vector (no real exploit available). (SPACE-12288)LowNot applicableCWE-732Not applicable
TeamCityReflected XSS on several pages (TW-67424, TW-68098)Medium2020.2Not applicableCVE-2021-25773
TeamCityTeamCity server DoS was possible via server integration (TW-68406, TW-68780)Low2020.2.2Not applicableCVE-2021-25772
TeamCityECR token exposure in the build's parameters (TW-68515)Medium2020.2Not applicableCVE-2021-25776
TeamCityUser could get access to GitHub access token of another user (TW-68646)Low2020.2.1Not applicableCVE-2021-25774
TeamCityServer admin could create and see access tokens for any other users (TW-68862)Low2020.2.1Not applicableCVE-2021-25775
TeamCityImproper permissions checks during user deletion (TW-68864)Low2020.2.1Not applicableCVE-2021-25778
TeamCityImproper permissions checks during tokens removal (TW-68871)Low2020.2.1Not applicableCVE-2021-25777
TeamCityTeamCity Plugin SSRF that could potentially expose user credentials. Reported by Jonathan Leitschuh (TW-69068)High2020.2.85695Not applicableCVE-2020-35667
YouTrackCSRF via attachment upload. Reported by Yurii Sanin (JT-58157)Medium2020.4.4701Not applicableCVE-2021-25765
YouTrackUser enumeration via REST API without appropriate permissions (JT-59396, JT-59498)Low2020.4.4701Not applicableCVE-2020-25208
YouTrackImproper resource access checks (JT-59397)Low2020.4.4701Not applicableCVE-2021-25766
YouTrackIssue's existence disclosure via the YouTrack command execution (JT-59663)Low2020.6.1767Not applicableCVE-2021-25767
YouTrackImproper permissions checks for the attachments actions (JT-59900)Low2020.4.4701Not applicableCVE-2021-25768
YouTrackYouTrack admin wasn't able to access attachments (JT-60824)Low2020.4.6808Not applicableCVE-2021-25769
YouTrackServer-side template injection in the YouTrack Cloud. Reported by Vasily Vasilkov (JT-61449)High2020.5.3123Not applicableCVE-2021-25770
YouTrackProject information disclosure (JT-61566)Low2020.6.1099Not applicableCVE-2021-25771
IdeaVimIn limited circumstances, IdeaVim might have caused information leak (VIM-2019)High0.58Not applicableCVE-2020-27623
IntelliJ IDEABuilt-in web server could expose information about IDE version (IDEA-240567)Low2020.2Not applicableCVE-2020-27622
JetBrains AccountImproper rate limit. Reported by Ashhad Ali (JPF-11026)Low2020.09CWE-799Not applicable
JetBrains AccountPassword reset token might be disclosed to a third party. Reported by Sheikh Rishad (JPF-11034)Low2020.10CWE-201Not applicable
JetBrains MarketplaceBlind SSRF. Reported by Yurii Sanin (MP-3119)HighNot applicableCWE-918Not applicable
JetBrains WebsiteReflected XSS. Reported by Peter af Geijerstam (JS-13032)MediumNot applicableCWE-79Not applicable
JetBrains WebsiteHTML injection was possible on several pages (JS-13041)MediumNot applicableCWE-79Not applicable
JetBrains WebsiteClickjacking was possible on several pages (JS-13042)LowNot applicableCWE-1021Not applicable
JetBrains WebsiteSSRF on the website. Reported by Mohamed Lahraoui (SDP-1174)LowNot applicableCWE-918Not applicable
KtorHTTP request smuggling was possible. Reported by ZeddYu Lu and Kaiwen Shen (KTOR-841)Medium1.4.1Not applicableCVE-2020-26129
SpaceUnauthorized access to environment variables containing private data (SPACE-10723)MediumNot applicableCWE-532Not applicable
TeamCityURL injection was possible (TW-44171)Low2020.1.2Not applicableCVE-2020-27627
TeamCityGuest user had access to audit records (TW-67750)Medium2020.1.5Not applicableCVE-2020-27628
TeamCitySecure dependency parameters might not have been masked in dependent builds when there were no internal artifacts (TW-67775)High2020.1.5Not applicableCVE-2020-27629
Toolbox AppLimited RCE via jetbrains protocol handler. Reported by Jeffrey van Gogh and Yuriy Solodkyy (SDP-1177)Low1.18Not applicableCVE-2020-25207
Toolbox AppDenial of service via jetbrains protocol handler (TBX-5281)Low1.18.7455Not applicableCVE-2020-25013
YouTrackBlind SSRF. Reported by Yurii Sanin (JT-58015)Low2020.3.888Not applicableCVE-2020-27624
YouTrackNotifications might have mentioned inaccessible issues (JT-58329)Low2020.3.888Not applicableCVE-2020-27625
YouTrackSSRF in YouTrack InCloud. Reported by Yurii Sanin (JT-58962)Medium2020.3.5333Not applicableCVE-2020-27626
YouTrackImproper access control allowed retrieving issue description without appropriate access. Reported by Yurii Sanin (JT-59015)Critical2020.3.4313, 2020.2.11008, 2020.1.11011, 2019.3.65516, 2019.2.65515, 2019.1.65514Not applicableCVE-2020-24618
YouTrackImproper access control for some subresources leads to information disclosure. Reported by Yurii Sanin (JT-59130)Medium2020.3.6638Not applicableCVE-2020-25209
YouTrackAn attacker could access workflow rules without appropriate access grants (JT-59474)High2020.3.7955Not applicableCVE-2020-25210
YouTrack MobileInformation disclosure via application backups. Reported by Cristi Vlad (YTM-5518)Low2020.2.0Not applicableCVE-2020-24366
DataloreStack trace disclosure. (DL-7350)Low0.0.1CWE-536Not applicable
DataloreReverse tabnabbing was possible. (DL-7708)Low0.0.1CWE-1022Not applicable
JetBrains AccountMissing throttling for the password reset functionality when 2FA was enabled. Reported by Manu Pranav. (JPF-10527)Medium2020.06CWE-799Not applicable
JetBrains WebsiteStack trace disclosure in case of incorrect character in request. (JS-12490)LowNot applicableCWE-536Not applicable
JetBrains WebsiteReflected XSS on jetbrains.com subdomain. Reported by Ritik Chaddha. (JS-12562)LowNot applicableCWE-79Not applicable
JetBrains WebsiteOpen-redirect issues on kotlinconf.com. Reported by Ritik Chaddha. (JS-12581)LowNot applicableCWE-601Not applicable
JetBrains WebsiteClickjacking was possible at a non-existent page. Reported by Pravas Ranjan Kanungo. (JS-12835)LowNot applicableCWE-1021Not applicable
KotlinScript cache privilege escalation vulnerability. Reported by Henrik Tunedal. (KT-38222)Medium1.4.0Not applicableCVE-2020-15824
SpaceDraft title was disclosed to a user without access to the draft. (SPACE-5594)LowNot applicableCWE-200Not applicable
SpaceMissing authorisation check caused privilege escalation. Reported by Callum Carney. (SPACE-8034)HighNot applicableCWE-266Not applicable
SpaceBlind SSRF via calendar import. Reported by Yurii Sanin. (SPACE-8273)MediumNot applicableCWE-918Not applicable
SpaceThe drafts of the direct messages sent from iOS app could be sent to the channel. (SPACE-8377)LowNot applicableCWE-200Not applicable
SpaceChat messages are propagated to the browser console. (SPACE-8386)HighNot applicableCWE-215Not applicable
SpaceMissing authentication checks in Space Automation. (SPACE-8431)CriticalNot applicableCWE-306Not applicable
SpaceMissing authentication checks in the Job-related API. (SPACE-8822)LowNot applicableCWE-306Not applicable
SpaceIncorrect checks of public key content. (SPACE-9169)MediumNot applicableCWE-287Not applicable
SpaceStored XSS via repository resource. (SPACE-9277)HighNot applicableCWE-79Not applicable
TeamCityUsers were able to assign more permissions than they had. (TW-36158)Low2020.1Not applicableCVE-2020-15826
TeamCityUsers with the "Modify group" permission could elevate other users' privileges. (TW-58858)Medium2020.1Not applicableCVE-2020-15825
TeamCityPassword parameters could be disclosed via build logs. (TW-64484)Low2019.2.3Not applicableCVE-2020-15829
TeamCityProject parameter values could be retrieved by a user without appropriate permissions. (TW-64587)High2020.1.1Not applicableCVE-2020-15828
TeamCityReflected XSS on administration UI. (TW-64668)High2019.2.3Not applicableCVE-2020-15831
TeamCityStored XSS on administration UI. (TW-64699)High2019.2.3Not applicableCVE-2020-15830
Toolbox AppMissing signature on "jetbrains-toolbox.exe". (TBX-4671)Low1.17.6856Not applicableCVE-2020-15827
UpSourceUnauthorised access was possible through error in accounts linking. (SDP-940)Low2020.1Not applicableCVE-2019-19704
YouTrackSubtasks workflow could disclose issue existence. (JT-45316)Low2020.2.8527Not applicableCVE-2020-15818
YouTrackAn external user could execute commands against arbitrary issues. (JT-56848)High2020.1.1331Not applicableCVE-2020-15817
YouTrackSSRF vulnerability that allowed scanning internal ports. Reported by Evren Yalçın. (JT-56917)Low2020.2.10643Not applicableCVE-2020-15819
YouTrackMarkdown parser could disclose hidden file existence. (JT-57235)Low2020.2.6881Not applicableCVE-2020-15820
YouTrackA user without permission was able to create articles draft. (JT-57649)Medium2020.2.6881Not applicableCVE-2020-15821
YouTrackAWS metadata of YouTrack InCloud instance disclosure via SSRF in Workflow. Reported by Yurii Sanin. (JT-57964)High2020.2.8873Not applicableCVE-2020-15823
YouTrackSSRF was possible due to the fact that URL filtering could be escaped. Reported by Yurii Sanin. (JT-58204)Low2020.2.10514Not applicableCVE-2020-15822
YouTrack InCloudPossibility to change redirect from any existing YouTrack InCloud instance to other instance. (JT-57036)Medium2020.1.3588CWE-601Not applicable
DataloreUser's SSH key can be deleted without appropriate permissions. Reported by Callum Carney (DL-7833)Medium0.0.1CWE-639Not applicable
DataloreSSRF could be caused by an attached file. Reported by Callum Carney (DL-7836)High0.0.1CWE-918Not applicable
GoLandPlain HTTP was used to access plugin repository (GO-8694)Low2019.3.2Not applicableCVE-2020-11685
HubContent spoofing at Hub OAuth error message was possible (JPS-10093)Medium2020.1.12099Not applicableCVE-2020-11691
IntelliJ IDEALicense server could be resolved to untrusted host in some cases (IDEA-219748)High2020.1Not applicableCVE-2020-11690
JetBrains AccountNon-unique QR codes were generated during consecutive attempts to set up 2FA (JPF-10149)Low2020.01CWE-342Not applicable
JetBrains AccountClickjacking was possible on a JetBrains Account page. Reported by Raja Ahtisham (JPF-10154)Medium2020.01CWE-1021Not applicable
JetBrains AccountCustomer name enumeration by numeric customer ID was possible (JPF-10159, JPF-10301)High2020.03CWE-200Not applicable
JetBrains AccountCountry value coming from a user wasn't correctly validated (JPF-10258)High2020.02CWE-285Not applicable
JetBrains AccountInformation disclosure from JetBrains Account was possible via "Back" button. Reported by Ratnadip Gajbhiye (JPF-10266)Low2020.02CWE-200Not applicable
JetBrains MarketplaceUploading malicious file via Screenshots form could cause XSS (MP-2637)MediumNot applicableCWE-79Not applicable
JetBrains WebsiteReflected XSS at jetbrains.com was possible. Reported by Rahad Chowdhury (JS-11769)HighNot applicableCWE-79Not applicable
PyCharmApple Notarization Service credentials were included in the PyCharm distribution for Windows. Reported by Ruby Nealon (IDEA-232217)High2019.3.3, 2019.2.6Not applicableCVE-2020-11694
SpaceSession timeout period was configured improperly (SPACE-4717)LowNot applicableNot applicableCVE-2020-11795
SpaceStored XSS in Space chats was possible. Reported by Callum Carney (SPACE-6556)MediumNot applicableNot applicableCVE-2020-11416
SpacePassword authentication implementation was insecure (SPACE-7282)HighNot applicableNot applicableCVE-2020-11796
TeamCityPassword values were shown unmasked on several pages (TW-64186)Low2019.2.2Not applicableCVE-2020-11687
TeamCityProject administrator was able to see scrambled password parameters used in a project (TW-58099)Medium2019.2.2Not applicableCVE-2020-11938
TeamCityProject administrator was able to retrieve some TeamCity server settings (TW-61626)Low2019.1.4Not applicableCVE-2020-11686
TeamCityApplication state was kept alive after a user ended their session (TW-61824)Low2019.2.1Not applicableCVE-2020-11688
TeamCityA user without appropriate permissions was able to import settings from settings.kts (TW-63698)Low2019.2.1Not applicableCVE-2020-11689
YouTrackDB export was accessible to read-only administrators (JT-56001)Low2020.1.659Not applicableCVE-2020-11692
YouTrackDoS could be performed by attaching malformed TIFF to an issue. Reported by Chris Smith (JT-56407)High2020.1.659Not applicableCVE-2020-11693
IDETalk pluginXXE in IDETalk plugin. (IDEA-220136 reported by Srikanth Ramu)Medium193.4099.10Not applicableCVE-2019-18412
IntelliJ IDEASome Maven repositories were accessed via HTTP instead of HTTPS. (IDEA-216282)High2019.3Not applicableCVE-2020-7904
IntelliJ IDEAPorts listened to by IntelliJ IDEA are exposed to the network. (IDEA-219695)Low2019.3Not applicableCVE-2020-7905
IntelliJ IDEAXSLT debugger plugin misconfiguration allows arbitrary file read over network. (IDEA-216621 reported by Anatoly Korniltsev)Medium2019.3Not applicableCVE-2020-7914
| Product | Description | Severity | Resolved In | CWE | CVE |
|---|---|---|---|---|---|
| JetBrains Account | Profile names are exposed by email. (JPF-9219, reported by Timon Birk) | Low | 2019.11 | CWE-200 | Not applicable |
| JetBrains Account | Missing secure flag for cookie. (JPF-9857) | Low | 2019.11 | CWE-614 | Not applicable |
| JetBrains Account | Insufficient authentication on contact view. (JPF-10024) | High | 2019.11 | CWE-287 | Not applicable |
| JetBrains Account | Insufficient authentication on role update. (JPF-10025) | High | 2019.11 | CWE-287 | Not applicable |
| JetBrains Account | XSS on the spending report page. (JPF-10027) | Medium | 2019.12 | CWE-79 | Not applicable |
| JetBrains Account | Open redirect during re-acceptance of license agreements. (JPF-10028) | Low | 2019.11 | CWE-601 | Not applicable |
| JetBrains Account | Information exposure during processing of license requests. (JPF-10111) | High | 2019.12 | CWE-200 | Not applicable |
| JetBrains Marketplace | XSS on several pages. (MP-2617, MP-2640, MP-2642) | Low | Not applicable | CWE-79 | Not applicable |
| JetBrains Marketplace | Improper access control during plugin upload. (MP-2695) | Critical | Not applicable | CWE-284 | Not applicable |
| JetBrains Website | Cookie XSS at jetbrains.com. (JS-10969) | High | Not applicable | CWE-79 | Not applicable |
| Ktor | The Ktor framework is vulnerable to HTTP Response Splitting. Reported by Jonathan Leitschuh | High | 1.2.6 | Not applicable | CVE-2019-19389 |
| Ktor | The Ktor client resends authorization data to a redirect location. Reported by Jonathan Leitschuh | Low | 1.2.6 | Not applicable | CVE-2019-19703 |
| Ktor | Request smuggling is possible when both chunked Transfer-Encoding and Content-Length are specified. Reported by Jonathan Leitschuh | Low | 1.3.0 | Not applicable | CVE-2020-5207 |
| Rider | Unsigned binaries in Windows installer. (RIDER-30393) | Medium | 2019.3 | Not applicable | CVE-2020-7906 |
| Scala plugin | Artifact dependencies were resolved over unencrypted connections. (SCL-15063) | High | 2019.2.1 | Not applicable | CVE-2020-7907 |
| TeamCity | Reverse tabnabbing is possible on several pages. (TW-61710, TW-61726, TW-61727) | Low | 2019.1.5 | Not applicable | CVE-2020-7908 |
| TeamCity | Some server-stored passwords can be shown via web UI. (TW-62674) | High | 2019.1.5 | Not applicable | CVE-2020-7909 |
| TeamCity | Possible stored XSS attack by a user with a developer role. (TW-63298) | Medium | 2019.2 | Not applicable | CVE-2020-7910 |
| TeamCity | Stored XSS on user-level pages. (TW-63160) | High | 2019.2 | Not applicable | CVE-2020-7911 |
| YouTrack | CORS misconfiguration on youtrack.jetbrains.com. (JT-53675) | Medium | Not applicable | CWE-346 | Not applicable |
| YouTrack | SMTP/Jabber settings can be accessed using backups. (JT-54139) | Medium | 2019.2.59309 | Not applicable | CVE-2020-7912 |
| YouTrack | XSS via image upload at youtrack-workflow-converter.jetbrains.com. (JT-54589) | Low | Not applicable | CWE-80 | Not applicable |
| YouTrack | XSS via issue description. (JT-54719) | High | 2019.2.59309 | Not applicable | CVE-2020-7913 |
| Hub | Username enumeration was possible through password recovery. (JPS-9655, JPS-9938) | Low | 2019.1.11738 | Not applicable | CVE-2019-18360 |
| IntelliJ IDEA | Local user privilege escalation potentially allowed arbitrary code execution. (IDEA-216623) | Low | 2019.2 | Not applicable | CVE-2019-18361 |
| JetBrains Account | Account removal without re-authentication was possible. (JPF-9611, reported by Siamul Islam) | Medium | 2019.9 | CWE-306 | Not applicable |
| JetBrains Account | Password reset link was not invalidated during password change through profile. (JPF-9610, reported by Elliot V. Daniel) | Medium | 2019.8 | CWE-613 | Not applicable |
| MPS | Ports listened to by MPS are exposed to the network. (MPS-30661) | Low | 2019.2.2 | Not applicable | CVE-2019-18362 |
| TeamCity | Access could be gained to the build history of a deleted build configuration under some circumstances. (TW-60957) | Medium | 2019.1.2 | Not applicable | CVE-2019-18363 |
| TeamCity | Insecure Java deserialization could potentially allow RCE. (TW-61928, reported by Aleksei "GreenDog" Tiurin) | Medium | 2019.1.4 | Not applicable | CVE-2019-18364 |
| TeamCity | Reverse tabnabbing was possible on several pages. (TW-61323, TW-61725, TW-61726, TW-61646, TW-62123) | Low | 2019.1.4 | Not applicable | CVE-2019-18365 |
| TeamCity | Secure values could be exposed to users with the ‘View build runtime parameters and data’ permission. | Low | 2019.1.2 | Not applicable | CVE-2019-18366 |
| TeamCity | A non-destructive operation could be performed by a user without the corresponding permissions. (TW-61107) | Low | 2019.1.2 | Not applicable | CVE-2019-18367 |
| Toolbox App | Privilege escalation was possible in the JetBrains Toolbox App for Windows. (TBX-3759) | Low | 1.15.5666 | Not applicable | CVE-2019-18368 |
| YouTrack | Removing tags from the issues list without the corresponding permission was possible. (JT-53465) | Low | 2019.2.55152 | Not applicable | CVE-2019-18369 |
| YouTrack InCloud | Sending arbitrary spam email from a YouTrack instance was possible. (JT-54136, ADM-13823, ADM-34971) | Low | Not applicable | CWE-285 | Not applicable |
| Exception Analyzer | Insecure transfer of JetBrains Account credentials. (EXA-652) | Critical | Not applicable | CWE-598 | Not applicable |
| Hub | No way to set a password to expire automatically. (JPS-8816) | Low | 2018.4.11436 | Not applicable | CVE-2019-14955 |
| IdeaVim | Project data appeared in user-level settings. (VIM-1184) | Medium | 0.52 | Not applicable | CVE-2019-14957 |
| IntelliJ IDEA | Resolving artifacts using an http connection, potentially allowing an MITM attack. (IDEA-211231) | High | 2019.2 | Not applicable | CVE-2019-14954 |
| JetBrains Account | Authorized account enumeration. (JPF-9370) | Low | 2019.5 | CWE-204 | Not applicable |
| JetBrains Account | Cross-origin resource sharing misconfiguration. (JPF-9095, reported by Vishnu Vardhan) | Low | 2019.5 | CWE-942 | Not applicable |
| JetBrains Account | No rate limiting on the account details page. (JPF-9704) | Medium | 2019.8 | CWE-770 | Not applicable |
| JetBrains Account | No rate limiting on the licenses page. (JPF-9713) | High | 2019.9 | CWE-770 | Not applicable |
| JetBrains Account | Unauthorized disclosure of license email on the licenses page. (JPF-9692) | Critical | 2019.8 | CWE-284 | Not applicable |
| JetBrains Website | Reflected XSS. (JS-9853) | Medium | Not applicable | CWE-79 | Not applicable |
| Ktor | Command injection through LDAP username. | Medium | 1.2.0-rc, 1.2.0 | Not applicable | CVE-2019-12736 |
| Ktor | Predictable salt for user credentials. | Medium | 1.2.0-rc2, 1.2.0 | Not applicable | CVE-2019-12737 |
| PyCharm | Remote call causing an “out of memory” error was possible. (PY-35251) | Low | 2019.2 | Not applicable | CVE-2019-14958 |
| ReSharper | DLL hijacking vulnerability. (RSRP-473674) | High | 2019.2 | Not applicable | CVE-2019-16407 |
| Rider | Unsigned DLL was used in the distribution. (RIDER-27708) | Medium | 2019.1.2 | Not applicable | CVE-2019-14960 |
| TeamCity | Previously used unencrypted passwords were suggested by a web browser’s auto-completion. (TW-59759) | Low | 2019.1 | CWE-200 | Not applicable |
| TeamCity | VMware plugin did not check the SSL certificate. (TW-59562) | Medium | 2019.1 | Not applicable | CVE-2019-15042 |
| TeamCity | Remote Code Execution on the server with certain network configurations. (TW-60430) | Medium | 2019.1 | Not applicable | CVE-2019-15039 |
| TeamCity | Project administrator could get unauthorized access to server-level data. (TW-60220) | High | 2019.1 | Not applicable | CVE-2019-15035 |
| TeamCity | Project administrator could execute any command on the server machine. (TW-60219) | High | 2019.1 | Not applicable | CVE-2019-15036 |
| TeamCity | Security has been tightened by using additional HTTP headers. (TW-59034) | High | 2019.1 | Not applicable | CVE-2019-15038 |
| TeamCity | Possible XSS vulnerabilities on the settings pages. (TW-59870, TW-59852, TW-59817, TW-59838, TW-59816) | High | 2019.1 | Not applicable | CVE-2019-15037 |
| TeamCity | XSS vulnerability. (TW-61242, TW-61315) | High | 2019.1.2 | Not applicable | CVE-2019-15848 |
| Toolbox App | Unencrypted connection to external resources potentially allowed an MITM attack. (TBX-3327, ADM-30275) | Low | 1.15.5605 | CWE-311 | CVE-2019-14959 |
| UpSource | Insufficient escaping of code blocks. (UP-10387) | Medium | 2019.1.1412 | Not applicable | CVE-2019-14961 |
| UpSource | Credentials exposure via RPC command. (UP-10344) | Critical | 2018.2.1290 | Not applicable | CVE-2019-12156 |
| UpSource | Credentials exposure via RPC command. (UP-10343) | Critical | 2018.2.1293 | Not applicable | CVE-2019-12157 |
| YouTrack | A user could get a list of project names under certain conditions. (JT-53162) | Low | 2019.2.53938 | Not applicable | CVE-2019-14956 |
| YouTrack | Stored XSS via issue attachments. (JT-51077) | High | 2019.2.53938 | Not applicable | CVE-2019-14953 |
| YouTrack | Stored XSS on the issue page. (JT-54121) | High | 2019.2.56594 | Not applicable | CVE-2019-16171 |
| YouTrack | Stored XSS in the issues list. (JT-52894) | High | 2019.1.52584 | Not applicable | CVE-2019-14952 |
| YouTrack | A compromised URL was automatically whitelisted by YouTrack. (JT-47653) | Low | 2019.1.52545 | Not applicable | CVE-2019-15041 |
| YouTrack | Cross-Site Request Forgery. (JT-30098) | Low | 2019.1 | Not applicable | CVE-2019-15040 |
| CLion | The suggested WSL configuration exposed a local SSH server to the internal network. (CPP-15063) | Medium | Not applicable | CWE-276 | Not applicable |
| Hub | A user password could appear in the audit events for certain server settings. (JPS-7895) | High | 2018.4.11298 | Not applicable | CVE-2019-12847 |
| IntelliJ IDEA | The default configuration for Spring Boot apps was not secure. (IDEA-204439) | High | 2018.3.4, 2019.1 | Not applicable | CVE-2019-9186 |
| IntelliJ IDEA | The application server configuration allowed cleartext storage of secrets. (IDEA-201519, IDEA-202483, IDEA-203271) | High | 2018.1.8, 2018.2.8, 2018.3.5, 2019.1 | Not applicable | CVE-2019-9872 |
| IntelliJ IDEA | The implementation of storage in the KeePass database was not secure. (IDEA-200066) | Low | 2018.3, 2019.1 | CWE-922 | Not applicable |
| IntelliJ IDEA | A certain application server configuration allowed cleartext storage of secrets. (IDEA-199911) | Low | 2018.3 | CWE-317 | Not applicable |
| IntelliJ IDEA | A certain application server configuration allowed cleartext storage of secrets. (IDEA-203613) | Medium | 2018.1.8, 2018.2.8, 2018.3.5 | Not applicable | CVE-2019-9823 |
| IntelliJ IDEA | Certain remote server configurations allowed cleartext storage of secrets. (IDEA-203272, IDEA-203260, IDEA-206556, IDEA-206557) | High | 2019.1 | Not applicable | CVE-2019-9873 |
| IntelliJ IDEA | The run configuration of certain application servers allowed remote code execution while running the server with the default settings. (IDEA-204570) | High | 2017.3.7, 2018.1.8, 2018.2.8, 2018.3.4 | Not applicable | CVE-2019-10104 |
| JetBrains Account | An open redirect vulnerability via the backUrl parameter was detected. (JPF-8899) | Medium | Not applicable | CWE-601 | Not applicable |
| JetBrains Account | A host header injection vulnerability was detected at account.jetbrains.com. (ADM-20535) | Medium | Not applicable | CWE-444 | Not applicable |
| JetBrains Marketplace | Some HTTP security headers were missing. (MP-2004) | Medium | Not applicable | CWE-693 | Not applicable |
| JetBrains Marketplace | A reflected XSS was detected. (MP-2001) | Medium | Not applicable | CWE-79 | Not applicable |
| JetBrains Marketplace | A CSRF vulnerability was detected. (MP-2002) | Medium | Not applicable | CWE-352 | Not applicable |
| JetBrains Website | A reflected XSS was detected. (JT-51074) | Low | Not applicable | CWE-79 | Not applicable |
| Kotlin | The JetBrains Kotlin project was resolving artifacts using an http connection during the build process, potentially allowing an MITM attack. | Medium | 1.3.30 | Not applicable | CVE-2019-10101 |
| Kotlin plugin for IntelliJ | IntelliJ IDEA projects created using the Kotlin IDE template were resolving artifacts using an http connection, potentially allowing an MITM attack. | Medium | 1.3.30 | Not applicable | CVE-2019-10102 |
| PyCharm | A certain remote server configuration allowed cleartext storage of secrets. (PY-32885) | Medium | 2018.3.2 | CWE-209 | Not applicable |
| TeamCity | A possible stored JavaScript injection was detected. (TW-59419) | Medium | 2018.2.3 | Not applicable | CVE-2019-12844 |
| TeamCity | The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts. (TW-59379) | Medium | 2018.2.3 | Not applicable | CVE-2019-12845 |
| TeamCity | A possible stored JavaScript injection requiring a deliberate server administrator action was detected. (TW-55640) | Medium | 2018.2.3 | Not applicable | CVE-2019-12843 |
| TeamCity | Incorrect handling of user input in ZIP extraction. (TW-57143) | Medium | 2018.2.2 | Not applicable | CVE-2019-12841 |
| TeamCity | A reflected XSS on a user page was detected. (TW-58661) | Medium | 2018.2.2 | Not applicable | CVE-2019-12842 |
| TeamCity | A user without the required permissions could gain access to some settings. (TW-58571) | Medium | 2018.2.2 | Not applicable | CVE-2019-12846 |
| YouTrack | An SSRF attack was possible on a YouTrack server. (JT-51121) | High | 2018.4.49168 | Not applicable | CVE-2019-12852 |
| YouTrack | An Insecure Direct Object Reference was possible. (JT-51103) | Low | 2018.4.49168 | Not applicable | CVE-2019-12866 |
| YouTrack | Certain actions could cause privilege escalation for issue attachments. (JT-51080) | Medium | 2018.4.49168 | Not applicable | CVE-2019-12867 |
| YouTrack | A query injection was possible. (JT-51105) | Low | 2018.4.49168 | Not applicable | CVE-2019-12850 |
| YouTrack | A CSRF vulnerability was detected in one of the admin endpoints. (JT-51110) | Medium | 2018.4.49852 | Not applicable | CVE-2019-12851 |
| YouTrack | The YouTrack Confluence plugin allowed an SSTI vulnerability. (JT-51594) | Medium | 1.8.1.3 | Not applicable | CVE-2019-10100 |
| YouTrack InCloud | An unauthorized disclosure of license details to an attacker #2 was possible. (JT-51117) | Low | Not applicable | CWE-284 | Not applicable |
| Hub | Admin account takeover of a system authorized with Hub was possible. (JPS-9594) | Critical | 2018.3.11035 | Not applicable | Not applicable |
| Hub | XXE was possible. (JPS-9616, UP-10218) | High | 2018.4.11067 | Not applicable | Not applicable |
| JetBrains Account | Disclosure of email address within an unsuccessful login attempt. (JPF-8663) | High | 4.11 | Not applicable | Not applicable |
| TeamCity | Reflected XSS on user-level pages. (TW-58065, TW-58234) | High | 2018.2 | Not applicable | Not applicable |
| TeamCity | Stored XSS on the build details page. (TW-58129, TW-58138) | High | 2018.2 | Not applicable | Not applicable |
| TeamCity | Exposure of a sensitive parameter value to a privileged user was possible. (TW-56946) | Medium | 2018.1.3 | Not applicable | Not applicable |
| UpSource | A privileged user had access to user credentials in rare cases. (UP-10092) | Medium | 2018.2.1141 | Not applicable | Not applicable |
| YouTrack | Unauthorized access to project and user details with the guest user banned was possible. (JT-50970, JT-49827, JT-50611, JT-50203) | High | 2018.3.47010 | Not applicable | Not applicable |
| YouTrack | Stored XSS on the YouTrack issue page. (JT-50201) | Low | 2018.3.47965 | Not applicable | Not applicable |
| YouTrack InCloud | Unauthorized disclosure of YouTrack InCloud subscription information was possible. (JPF-8714, JT-51001) | High | 2018.4.48293 | Not applicable | Not applicable |
| YouTrack InCloud | Unauthorized access to the email address of YouTrack InCloud was possible. (JT-50946) | High | 2018.4.48293 | Not applicable | Not applicable |
| dotPeek | Remote Code Execution was possible while operating on specific files. (DOTP-7635) | High | 2018.1.4 | Not applicable | Not applicable |
| Hub | Hub stored license information in log files. (JPS-9187) | Low | 2018.2.10527 | Not applicable | Not applicable |
| IntelliJ IDEA | Insecure connection used to access JetBrains resources. (IDEA-187601, IDEA-192440) | Medium | 2018.1.5 | Not applicable | Not applicable |
| IntelliJ IDEA | Incorrect handling of user input in ZIP extraction. (IDEA-191679, IDEA-191680, IDEA-193358) | High | 2018.2 | Not applicable | Not applicable |
| JetBrains Account | A few customer profiles were made available without authorization. (JPF-8211) | Medium | Not applicable | Not applicable | Not applicable |
| JetBrains Account | It was possible to obtain a customer's business email from an order reference. (JPF-7903) | Medium | Not applicable | Not applicable | Not applicable |
| JetBrains Marketplace | XXE vulnerability. (MP-1708) | Low | Not applicable | Not applicable | Not applicable |
| JetBrains Marketplace | Incorrect handling of user input in ZIP extraction. (MP-1678) | Medium | Not applicable | Not applicable | Not applicable |
| ReSharper | Incorrect handling of user input in ZIP extraction. (RSRP-470115) | High | 2018.1.3 | Not applicable | Not applicable |
| TeamCity | CSRF vulnerability. (TW-55992) | Medium | 2018.1.1 | Not applicable | Not applicable |
| TeamCity | A change of project settings could corrupt the settings of other projects. (TW-55704) | Low | 2018.1.1 | Not applicable | Not applicable |
| TeamCity | Possible privilege escalation while viewing agent details. (TW-56025) | Medium | 2018.1.1 | Not applicable | Not applicable |
| TeamCity | Possible unvalidated redirect. (TW-56085) | Medium | 2018.1.2 | Not applicable | Not applicable |
| TeamCity | Reflected XSS vulnerabilities. (TW-56490, TW-56375, TW-56374) | Medium | 2018.1.2 | Not applicable | Not applicable |
| TeamCity | Stored XSS vulnerabilities. (TW-56830, TW-56719) | Medium | 2018.1.3 | Not applicable | Not applicable |
| TeamCity | Stored XSS vulnerabilities. (TW-55214, TW-56126, TW-56127, TW-56452, TW-56571) | Medium | 2018.1.2 | Not applicable | Not applicable |
| YouTrack | Reflected XSS vulnerability. (JT-48606) | Medium | 2018.2.45073 | Not applicable | Not applicable |
| YouTrack | Possible privilege escalation via the deprecated REST API. (JT-48605) | Low | 2018.2.45073 | Not applicable | Not applicable |
| YouTrack | Possible tabnabbing via issue content. (JT-47993) | Low | 2018.2.44329 | Not applicable | Not applicable |
| Hub | Clickjacking vulnerability. (JPS-7209) | Low | 2017.4.8040 | Not applicable | Not applicable |
| Hub | Clickjacking vulnerability. (JPS-8009) | Low | 2018.2.9541 | Not applicable | Not applicable |
| IntelliJ IDEA | ROBOT attack vulnerability in certain subsystems. (IDEA-183912) | Low | 2018.1.3 | Not applicable | Not applicable |
| Scala plugin | Possible unauthenticated access to the local compile server. (SCL-13584) | Medium | 2018.2 | Not applicable | Not applicable |
| TeamCity | Possible privilege escalation to server administrator. (TW-55209) | High | 2018.1 | Not applicable | Not applicable |
| TeamCity | CSRF attack vulnerability. (TW-55210) | High | 2018.1 | Not applicable | Not applicable |
| TeamCity | Possible privilege escalation from project administrator to server administrator. (TW-55211, TW-55684) | High | 2018.1 | Not applicable | Not applicable |
| TeamCity | Possible unauthorized removal of installation data by a project administrator. (TW-54876) | High | 2018.1 | Not applicable | Not applicable |
| TeamCity | Network access to an agent allowed potential unauthorized control over the agent. (TW-49335) | Medium | 2018.1 | Not applicable | Not applicable |
| TeamCity | In a very specific scenario, an attacker could steal web responses meant for other users. (TW-54486) | Medium | 2018.1 | Not applicable | Not applicable |
| TeamCity | Stored XSS vulnerabilities on various pages. (TW-27206, TW-54129, TW-55453, TW-55215, TW-55217, TW-55353) | Medium | 2018.1 | Not applicable | Not applicable |
| TeamCity | Project viewer could delete non-critical project settings. (TW-55261) | Medium | 2018.1 | Not applicable | Not applicable |
| TeamCity | Network access to a server allowed potential read access to project settings. (TW-54870) | Medium | 2018.1 | Not applicable | Not applicable |
| TeamCity | Project viewer could affect details of some running builds. (TW-54975) | Medium | 2018.1 | Not applicable | Not applicable |
| TeamCity | Reflected XSS vulnerabilities on various pages. (TW-55212, TW-55213) | Medium | 2018.1 | Not applicable | Not applicable |
| TeamCity | User self-registration might have been enabled by default on a new server installation. (TW-54741) | Medium | 2017.2.4, 2018.1 | Not applicable | Not applicable |
| TeamCity | Possible vulnerability to a clickjacking attack from the TeamCity UI. (TW-33819) | Medium | 2017.2.4, 2018.1 | Not applicable | Not applicable |
| TeamCity | Project viewer could bypass the "View build runtime parameters and data" permission. (TW-55502) | Low | 2018.1 | Not applicable | Not applicable |
| TeamCity | Network access to a server exposed a vulnerability to DoS attacks. (TW-11984) | Low | 2018.1 | Not applicable | Not applicable |
| TeamCity | Authorization cookies could potentially be passed without secure flags. (TW-55141) | Low | 2018.1 | Not applicable | Not applicable |
| UpSource | Vulnerability to a clickjacking attack. (UP-9673) | Medium | 2018.1 | Not applicable | Not applicable |
| UpSource | Possible privilege escalation during the configuration process. (BND-1154, BND-1579, UP-7359, reported by Zhiyong Feng from Mobike Security Team) | Low | 2018.1 | Not applicable | Not applicable |
| YouTrack | Stored XSS vulnerabilities on specific pages. (JT-47824) | High | 2018.2.42881 | Not applicable | Not applicable |
| YouTrack | Potential for unauthorized users to view names of SSL keys. (JT-47685) | Low | 2018.2.42881 | Not applicable | Not applicable |
| YouTrack | Swimlane functionality allowed unauthorized changes to a limited number of issue properties. (JT-47125) | Low | 2018.2.42133 | Not applicable | Not applicable |
| dotTrace | dotTrace allowed privilege escalation. (PROF-668) | Critical | 2017.1, 2017.2, 2017.3, 2018.1 | Not applicable | Not applicable |
| Hub | Limitation of login attempts at hub.jetbrains.com was disabled. (JPS-7627) | Low | 2018.1.9041 | Not applicable | Not applicable |
| Hub | It was possible to obtain a new access token for a banned user. (JPS-7553) | Low | 2017.4.8440 | Not applicable | Not applicable |
| IntelliJ IDEA | YourKit profiler port was available externally in EAP builds for Linux. (IDEA-184795) | Low | 2018.1 | Not applicable | Not applicable |
| JetBrains Account | Privilege escalation was possible for the JetBrains Account activity log. (JPF-7437) | Medium | Not applicable | Not applicable | Not applicable |
| JetBrains Account | Valid password links might remain upon password reset. (JPF-7335) | Low | Not applicable | Not applicable | Not applicable |
| TeamCity | VCS preview allowed an XSS attack. (TW-54027) | Medium | 2017.2.3 | Not applicable | Not applicable |
| TeamCity | Data Directory preview allowed an XSS attack. (TW-54021) | Low | 2017.2.3 | Not applicable | Not applicable |
| TeamCity | VMware plugin settings allowed an XSS attack. (TW-53984) | High | 2017.2.3 | Not applicable | Not applicable |
| TeamCity | VCS settings allowed an XSS attack. (TW-53943, TW-53978) | High | 2017.2.3 | Not applicable | Not applicable |
| TeamCity | Authentication bypass was possible with a certain Windows server configuration. (TW-53507) | Medium | 2017.2.2 | Not applicable | Not applicable |
| TeamCity | Project administrator could run arbitrary code. (TW-50054) | High | 2017.2.2 | Not applicable | Not applicable |
| TeamCity | Build fields allowed an XSS attack. (TW-53466) | Medium | 2017.2.2 | Not applicable | Not applicable |
| TeamCity | Multiple XSS vulnerabilities. (TW-53442, reported by Viktor Gazdag of NCC Group) | High | 2017.2.2 | Not applicable | Not applicable |
| UpSource | Multiple XSS vulnerabilities. (UP-9606, reported by Viktor Gazdag of NCC Group) | Medium | 2017.3.2888 | Not applicable | Not applicable |
| YouTrack | RSS feed allowed unauthorized access to comments with a certain configuration. (JT-46375) | Medium | 2018.1.40341 | Not applicable | Not applicable |
| YouTrack | REST API allowed unauthorized access to attachments of hidden comments. (JT-46004) | Medium | 2018.1.40341 | Not applicable | Not applicable |
| YouTrack | RSS feed allowed unauthorized access to the issues list with a certain configuration. (JT-46159) | High | 2018.1.40066 | Not applicable | Not applicable |
| YouTrack | Custom fields allowed privilege escalation for the guest user account. (JT-46115) | Medium | 2018.1.40025 | Not applicable | Not applicable |
| YouTrack | Issue linking permission could be bypassed via "Create issue linked as...". (JT-25321) | Medium | 2017.4.39533 | Not applicable | Not applicable |
| YouTrack | Unauthorized access to issue content was possible even if guest user access was restricted in the bundle installer. (JT-45284) | Low | 2017.4.39083 | Not applicable | Not applicable |
| YouTrack | Activity records for private fields were available to users with read-only permissions. (JT-45282) | Medium | 2017.4.39083 | Not applicable | Not applicable |