CVSS2: AV:N/AC:L/Au:N/C:P/I:P/A:P
Attack Vector: NETWORK | Attack Complexity: LOW | Authentication: NONE | Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL
CVSS3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH
AI Score Confidence: High
EPSS Percentile: 85.8%
FYI Security
In the third quarter of 2019, we resolved a series of security issues in our products.
Here’s a summary report that contains a description of each issue and the version in which it was resolved.
Product | Description | Severity | Resolved in | CVE/CWE |
---|---|---|---|---|
Hub | Username enumeration was possible through password recovery. (JPS-9655, JPS-9938) | Note | 2019.1.11738 | CVE-2019-18360 |
IntelliJ IDEA | Local user privilege escalation potentially allowed arbitrary code execution. (IDEA-216623) | Low | 2019.2 | CVE-2019-18361 |
JetBrains Account | Account removal without re-authentication was possible. (JPF-9611 reported by Siamul Islam) | Moderate | 2019.9 | CWE-306 |
JetBrains Account | Password reset link was not invalidated during password change through profile. (JPF-9610 reported by Elliot V. Daniel) | Moderate | 2019.8 | CWE-613 |
MPS | Ports listened to by MPS are exposed to the network. (MPS-30661) | Low | 2019.2.2 | CVE-2019-18362 |
TeamCity | Access could be gained to the history of builds of a deleted build configuration under some circumstances. (TW-60957) | Moderate | 2019.1.2 | CVE-2019-18363 |
TeamCity | Insecure Java Deserialization could potentially allow RCE. (TW-61928 reported by Aleksei “GreenDog” Tiurin) | Moderate | 2019.1.4 | CVE-2019-18364 |
TeamCity | Reverse tabnabbing was possible on several pages. (TW-61323, TW-61725, TW-61726, TW-61646, TW-62123) | Low | 2019.1.4 | CVE-2019-18365 |
TeamCity | Secure values could be exposed to users with the ‘View build runtime parameters and data’ permission. | Low | 2019.1.2 | CVE-2019-18366 |
TeamCity | A non-destructive operation could be performed by a user without the corresponding permissions. (TW-61107) | Low | 2019.1.2 | CVE-2019-18367 |
Toolbox App | Privilege escalation was possible in the JetBrains Toolbox App for Windows. (TBX-3759) | Low | 1.15.5666 | CVE-2019-18368 |
YouTrack | Sending of arbitrary spam email from a YouTrack instance was possible. (JT-54136, ADM-13823, ADM-34971) | Low | Not applicable | CWE-285 |
YouTrack | Removing tags from issues list without corresponding permission was possible. (JT-53465) | Low | 2019.2.55152 | CVE-2019-18369 |
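The Hub entry in the table (username enumeration through password recovery) describes a pattern that is easy to reintroduce in any self-hosted service, so it is worth having a concrete check for it. The following is an added example, not JetBrains code and not taken from the bulletin: it models a password-recovery endpoint with two in-memory handlers, one that leaks account existence and one that answers uniformly, and a black-box probe that tells them apart. The user store, addresses and message texts are constructed for the example.

```python
# Added example (not JetBrains code): username enumeration through a
# password-recovery endpoint, modelled offline with in-memory handlers.
import secrets
from dataclasses import dataclass
from typing import Callable

# Constructed sample user store; these addresses are assumptions, not real accounts.
USERS = {"alice@example.com", "bob@example.com"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def recover_vulnerable(email: str) -> Response:
    """Leaks account existence: status code and message differ per branch."""
    if email not in USERS:
        return Response(404, "No account is registered for this email address.")
    token = secrets.token_urlsafe(32)  # would be mailed to the user
    return Response(200, "A password reset link has been sent.")


def recover_hardened(email: str) -> Response:
    """Same status, same body and the same work whether or not the account exists.

    The token is generated on both paths so the response time does not
    depend on whether the address was found; the mail is only queued when
    the account exists, and the caller never learns which branch ran.
    """
    exists = email in USERS
    token = secrets.token_urlsafe(32)
    if exists:
        pass  # queue the reset email for `email` with `token` here
    return Response(
        200, "If an account exists for that address, a password reset link has been sent."
    )


def enumerates_usernames(
    handler: Callable[[str], Response], known_user: str, probe: str
) -> bool:
    """Black-box check: compare the endpoint's answer for a known account with
    its answer for an address that cannot exist. Any difference in status or
    body is an enumeration oracle."""
    a, b = handler(known_user), handler(probe)
    return (a.status, a.body) != (b.status, b.body)


if __name__ == "__main__":
    probe = f"{secrets.token_hex(8)}@example.invalid"  # constructed non-existent address
    for name, handler in (("vulnerable", recover_vulnerable), ("hardened", recover_hardened)):
        print(name, "enumerable:", enumerates_usernames(handler, "alice@example.com", probe))
```

When testing a live instance, run the same comparison against the real endpoint with one address you own and one that cannot be registered, and also compare response times, since a handler that only hashes or sends mail on the "exists" branch can still leak through timing even when the visible response is identical.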
If you need any further assistance, please contact our Security Team.
Your JetBrains Team
The Drive to Develop
Vendor | Product | Version | CPE |
---|---|---|---|
jetbrains | hub | * | cpe:2.3:a:jetbrains:hub:*:*:*:*:*:*:*:* |
jetbrains | intellij_idea | * | cpe:2.3:a:jetbrains:intellij_idea:*:*:*:*:*:*:*:* |
jetbrains | jetbrains_account | * | cpe:2.3:a:jetbrains:jetbrains_account:*:*:*:*:*:*:*:* |
jetbrains | mps | * | cpe:2.3:a:jetbrains:mps:*:*:*:*:*:*:*:* |
jetbrains | teamcity | * | cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:* |
jetbrains | toolbox | * | cpe:2.3:a:jetbrains:toolbox:*:*:*:*:*:*:*:* |
jetbrains | youtrack | * | cpe:2.3:a:jetbrains:youtrack:*:*:*:*:*:*:*:* |