JetBrains JetBrains Creators of IntelliJ IDEA, ReSharper, PyCharm, TeamCity, Kotlin


Products by JetBrains, sorted by most security vulnerabilities since 2018:

JetBrains TeamCity: 195 vulnerabilities
JetBrains YouTrack: 88 vulnerabilities
JetBrains IntelliJ IDEA: 48 vulnerabilities
JetBrains Hub: 27 vulnerabilities
JetBrains Ktor: 20 vulnerabilities
JetBrains Toolbox: 6 vulnerabilities
JetBrains PyCharm: 6 vulnerabilities
JetBrains WebStorm: 5 vulnerabilities
JetBrains Rider: 5 vulnerabilities
JetBrains PhpStorm: 4 vulnerabilities
JetBrains GoLand: 3 vulnerabilities
JetBrains RubyMine: 3 vulnerabilities
JetBrains CLion: 2 vulnerabilities
JetBrains MPS: 2 vulnerabilities
JetBrains RustRover: 1 vulnerability
JetBrains DataSpell: 1 vulnerability
JetBrains DataGrip: 1 vulnerability
JetBrains Aqua: 1 vulnerability

Known Exploited JetBrains Vulnerabilities

The following JetBrains vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title: JetBrains TeamCity Authentication Bypass Vulnerability (CVE-2024-27198)
Description: JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.
EPSS exploit probability: 97.0%
Added to the CISA KEV catalog: March 7, 2024

Title: JetBrains TeamCity Authentication Bypass Vulnerability (CVE-2023-42793)
Description: JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.
EPSS exploit probability: 97.5%
Added to the CISA KEV catalog: October 4, 2023

Of the known exploited vulnerabilities above, 2 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2025 there have been 0 vulnerabilities published for JetBrains products. Last year, in 2024, JetBrains had 93 security vulnerabilities published. Right now, JetBrains is on track to have fewer security vulnerabilities in 2025 than it did last year.




Year Vulnerabilities Average Score
2025 0 0.00
2024 93 6.07
2023 53 6.56
2022 73 6.45
2021 88 6.66
2020 57 6.52
2019 57 7.08
2018 1 7.80

It may take a day or so for new JetBrains vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent JetBrains Security Vulnerabilities

JetBrains TeamCity Improper Access Control Vulnerability in Agent Details

CVE-2024-56348 4.3 - Medium - December 20, 2024

In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents

AuthZ

JetBrains TeamCity Improper Access Control Vulnerability in Build Logs

CVE-2024-56349 5.3 - Medium - December 20, 2024

In JetBrains TeamCity before 2024.12 improper access control allowed unauthorized users to modify build logs

AuthZ

JetBrains TeamCity Unauthorized Project Viewing Vulnerability

CVE-2024-56350 4.3 - Medium - December 20, 2024

In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects

AuthZ

JetBrains TeamCity Access Token Revocation Failure

CVE-2024-56351 8.8 - High - December 20, 2024

In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles

Insufficient Session Expiration

JetBrains TeamCity Stored XSS Vulnerability in Agent Details Page

CVE-2024-56352 5.4 - Medium - December 20, 2024

In JetBrains TeamCity before 2024.12 stored XSS was possible via image name on the agent details page

XSS

JetBrains TeamCity Backup File Exposure Vulnerability

CVE-2024-56353 6.5 - Medium - December 20, 2024

In JetBrains TeamCity before 2024.12 backup file exposed user credentials and session cookies

Improper Removal of Sensitive Information Before Storage or Transfer

JetBrains TeamCity Password Field Access Vulnerability

CVE-2024-56354 4.9 - Medium - December 20, 2024

In JetBrains TeamCity before 2024.12 password field values were accessible to users with view settings permission

Insufficiently Protected Credentials

JetBrains TeamCity RemoteBuildLogController XSS Vulnerability

CVE-2024-56355 5.4 - Medium - December 20, 2024

In JetBrains TeamCity before 2024.12 missing Content-Type header in RemoteBuildLogController response could lead to XSS

XSS

JetBrains TeamCity XMLParser XXE Vulnerability

CVE-2024-56356 7.1 - High - December 20, 2024

In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack

XXE

JetBrains YouTrack Punycode Encoding Spoofing Vulnerability

CVE-2024-54158 - December 04, 2024

In JetBrains YouTrack before 2024.3.52635 potential spoofing attack was possible via lack of Punycode encoding

Improper Handling of Alternate Encoding
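The YouTrack entry above (CVE-2024-54158) is the classic IDN homograph problem: a hostname containing, say, a Cyrillic "а" renders identically to its Latin look-alike unless the UI shows the Punycode form. The following is an added example, not YouTrack code and not from the advisory; it uses only the Python standard library's `idna` codec and `unicodedata`, and the function names are this example's own.

```python
import unicodedata


def display_host(host: str) -> str:
    """Return a hostname in a form that is safe to show to a user.

    Labels that are pure ASCII are shown as given. Any label containing
    non-ASCII characters is shown as its Punycode A-label (xn--...), so a
    Cyrillic 'а' can no longer masquerade as a Latin 'a' in the UI.
    """
    out = []
    for label in host.rstrip(".").split("."):
        if label.isascii():
            out.append(label)
        else:
            # The stdlib 'idna' codec performs nameprep + Punycode per label
            out.append(label.encode("idna").decode("ascii"))
    return ".".join(out)


def mixed_script(label: str) -> bool:
    """True if a single label mixes writing systems, a strong homograph tell.

    The script is taken from the first word of the Unicode character name
    ('LATIN', 'CYRILLIC', 'GREEK', ...); a label such as 'аpple' with one
    Cyrillic letter therefore reports as mixed.
    """
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        if name:
            scripts.add(name.split(" ", 1)[0])
    return len(scripts) > 1


def suspicious_host(host: str) -> bool:
    """Flag a host if any of its labels is non-ASCII and mixes scripts."""
    return any(not label.isascii() and mixed_script(label)
               for label in host.rstrip(".").split("."))


if __name__ == "__main__":
    # Constructed inputs: the second host uses U+0430 CYRILLIC SMALL LETTER A
    for h in ("example.com", "\u0430pple.com", "\u0431\u0430\u043d\u043a.example"):
        print(f"{h!r:28} -> {display_host(h):24} suspicious={suspicious_host(h)}")
```

Showing the A-label is what the fix in the advisory amounts to; the mixed-script check is an extra heuristic and will not catch a label written entirely in one confusable script, which is why the Punycode display, not the heuristic, is the safety net.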

JetBrains YouTrack Ruby Syntax Detector ReDoS Vulnerability

CVE-2024-54157 - December 04, 2024

In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector

ReDoS

JetBrains YouTrack Multiple Merge Functions Prototype Pollution Vulnerability

CVE-2024-54156 - December 04, 2024

In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution attack

Prototype Pollution

JetBrains YouTrack Improper Access Control Vulnerability in Project Listing

CVE-2024-54155 - December 04, 2024

In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication

AuthZ

JetBrains YouTrack Path Traversal Vulnerability in Plugin Sandbox

CVE-2024-54154 - December 04, 2024

In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox

Relative Path Traversal

JetBrains YouTrack Unauthenticated Database Backup Download Vulnerability

CVE-2024-54153 - December 04, 2024

In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via vulnerable query parameter

AuthZ

JetBrains WebStorm Untrusted Project Mode Code Execution Vulnerability

CVE-2024-52555 - November 15, 2024

In JetBrains WebStorm before 2024.3 code execution in Untrusted Project mode was possible via type definitions installer script

Acceptance of Extraneous Untrusted Data With Trusted Data

JetBrains YouTrack Stored XSS Vulnerability in Markdown Elements

CVE-2024-50582 5.4 - Medium - October 28, 2024

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements

XSS

JetBrains YouTrack XSS Vulnerability via Comment Tag

CVE-2024-50581 5.4 - Medium - October 28, 2024

In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag

XSS

JetBrains YouTrack Multiple XSS Vulnerabilities in Markdown Parsing and Custom Rendering Rule

CVE-2024-50580 5.4 - Medium - October 28, 2024

In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule

XSS

JetBrains YouTrack Reflected XSS Vulnerability via Insecure Link Sanitization

CVE-2024-50579 6.1 - Medium - October 28, 2024

In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible

XSS

JetBrains YouTrack Stored XSS Vulnerability via Sprint Value on Agile Boards Page

CVE-2024-50578 5.4 - Medium - October 28, 2024

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page

XSS

JetBrains YouTrack Stored XSS Vulnerability via Angular Template Injection in Hub Settings

CVE-2024-50577 5.4 - Medium - October 28, 2024

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings

XSS

JetBrains YouTrack Stored XSS Vulnerability via Vendor URL in App Manifest

CVE-2024-50576 5.4 - Medium - October 28, 2024

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest

XSS

JetBrains YouTrack Reflected XSS Vulnerability in Widget API

CVE-2024-50575 6.1 - Medium - October 28, 2024

In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API

XSS

JetBrains YouTrack ReDoS Vulnerability in Helpdesk Email Header Parsing

CVE-2024-50574 7.5 - High - October 28, 2024

In JetBrains YouTrack before 2024.3.47707 potential ReDoS exploit was possible via email header parsing in Helpdesk functionality

ReDoS

JetBrains Hub Improper Access Control Vulnerability in Permanent Token Generation

CVE-2024-50573 5.4 - Medium - October 28, 2024

In JetBrains Hub before 2024.3.47707 improper access control allowed users to generate permanent tokens for unauthorized services

AuthZ

JetBrains Ktor HttpCache Plugin Response Information Disclosure Vulnerability

CVE-2024-49580 5.3 - Medium - October 17, 2024

In JetBrains Ktor before 2.3.13 improper caching in HttpCache Plugin could lead to response information disclosure

Use of Cache Containing Sensitive Information

JetBrains YouTrack Insecure Plugin Iframe Vulnerability

CVE-2024-49579 6.1 - Medium - October 17, 2024

In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests

Improper Verification of Source of a Communication Channel

JetBrains YouTrack Improper Access Control Vulnerability in Application Deletion via API

CVE-2024-48902 5.4 - Medium - October 10, 2024

In JetBrains YouTrack before 2024.3.46677 improper access control allowed users with project update permission to delete applications via API

AuthZ

JetBrains TeamCity Password Exposure Vulnerability via Sonar Runner REST API

CVE-2024-47161 6.5 - Medium - October 08, 2024

In JetBrains TeamCity before 2024.07.3 password could be exposed via Sonar runner REST API

Insufficiently Protected Credentials

JetBrains TeamCity Stored XSS Vulnerability via Server Global Settings

CVE-2024-47951 5.4 - Medium - October 08, 2024

In JetBrains TeamCity before 2024.07.3 stored XSS was possible via server global settings

XSS

JetBrains TeamCity Stored XSS Vulnerability in Backup Configuration Settings

CVE-2024-47950 5.4 - Medium - October 08, 2024

In JetBrains TeamCity before 2024.07.3 stored XSS was possible in Backup configuration settings

XSS

JetBrains TeamCity Path Traversal Vulnerability in Backup File Write

CVE-2024-47949 7.5 - High - October 08, 2024

In JetBrains TeamCity before 2024.07.3 path traversal allowed backup file write to arbitrary location

Directory traversal

JetBrains TeamCity Path Traversal Information Disclosure Vulnerability via Server Backups

CVE-2024-47948 7.5 - High - October 08, 2024

In JetBrains TeamCity before 2024.07.3 path traversal leading to information disclosure was possible via server backups

Directory traversal

JetBrains YouTrack Token Disclosure Vulnerability on Imports Page

CVE-2024-47162 5.3 - Medium - September 19, 2024

In JetBrains YouTrack before 2024.3.44799 token could be revealed on Imports page

Insufficiently Protected Credentials

JetBrains YouTrack Improper Access Control Vulnerability in Global App Config Data

CVE-2024-47160 5.3 - Medium - September 19, 2024

In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible

AuthZ

JetBrains YouTrack Improper Access Control Vulnerability in Workflow Restoration

CVE-2024-47159 4.3 - Medium - September 19, 2024

In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project

AuthZ

JetBrains IntelliJ IDEA HTML Injection Vulnerability via Project Name

CVE-2024-46970 6.1 - Medium - September 16, 2024

In JetBrains IntelliJ IDEA before 2024.1 HTML injection via the project name was possible

XSS

JetBrains TeamCity Reflected XSS Vulnerability in AWS Core Plugin

CVE-2024-43810 5.4 - Medium - August 16, 2024

In JetBrains TeamCity before 2024.07.1 reflected XSS was possible in the AWS Core plugin

XSS

JetBrains TeamCity Reflected XSS Vulnerability on agentPushPreset Page

CVE-2024-43809 6.1 - Medium - August 16, 2024

In JetBrains TeamCity before 2024.07.1 reflected XSS was possible on the agentPushPreset page

XSS

JetBrains TeamCity Self-XSS Vulnerability in HashiCorp Vault Plugin

CVE-2024-43808 5.4 - Medium - August 16, 2024

In JetBrains TeamCity before 2024.07.1 self XSS was possible in the HashiCorp Vault plugin

XSS

JetBrains TeamCity Multiple Stored XSS Vulnerabilities on Clouds Page

CVE-2024-43807 5.4 - Medium - August 16, 2024

In JetBrains TeamCity before 2024.07.1 multiple stored XSS was possible on Clouds page

XSS

JetBrains TeamCity Privilege Escalation Vulnerability via Incorrect Directory Permissions

CVE-2024-43114 7.8 - High - August 06, 2024

In JetBrains TeamCity before 2024.07.1 possible privilege escalation due to incorrect directory permissions

Incorrect Default Permissions

JetBrains TeamCity Non-Constant-Time Authorization Token Comparison Vulnerability

CVE-2024-41828 6.5 - Medium - July 22, 2024

In JetBrains TeamCity before 2024.07 comparison of authorization tokens took non-constant time

JetBrains TeamCity Access Token Expiration and Revocation Failure

CVE-2024-41827 9.8 - Critical - July 22, 2024

In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration

Insufficient Session Expiration
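Three TeamCity entries on this page describe the same token-lifecycle failures from different angles: tokens compared in non-constant time (CVE-2024-41828), tokens that kept working after deletion or expiry (CVE-2024-41827), and tokens that survived the removal of the user's roles (CVE-2024-56351, listed above under the 2024.12 release). The following is an added example, not TeamCity's implementation; it is an assumed design for a token store that handles all three: stored digests compared with `hmac.compare_digest`, tombstoned deletions, a hard expiry check, and a per-user role version that invalidates every token issued before a role change. The class and method names are this example's own.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TokenRecord:
    token_hash: bytes       # SHA-256 of the secret half; the table never stores the secret itself
    user: str
    expires_at: float
    roles_version: int      # the user's role-set version at issue time
    revoked: bool = False


class TokenStore:
    """Illustrative access-token store (assumed design, not TeamCity's own)."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}     # token id -> record
        self._role_versions: Dict[str, int] = {}       # user -> current role-set version

    def issue(self, user: str, ttl_seconds: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token_id = secrets.token_hex(8)            # public lookup key
        secret = secrets.token_urlsafe(32)         # the part that must stay confidential
        self._records[token_id] = TokenRecord(
            token_hash=hashlib.sha256(secret.encode()).digest(),
            user=user,
            expires_at=now + ttl_seconds,
            roles_version=self._role_versions.setdefault(user, 0),
        )
        return f"{token_id}.{secret}"

    def delete(self, token: str) -> None:
        rec = self._records.get(token.partition(".")[0])
        if rec is not None:
            # Tombstone rather than drop: a replayed token is then explicitly rejected
            rec.revoked = True

    def change_roles(self, user: str) -> None:
        # Any role change bumps the version; tokens issued under the old role set
        # fail on their next use instead of carrying the old permissions forward
        self._role_versions[user] = self._role_versions.get(user, 0) + 1

    def authenticate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        token_id, _, secret = token.partition(".")
        rec = self._records.get(token_id)
        # Hash and compare even on a miss so an unknown id costs the same as a wrong secret
        presented = hashlib.sha256(secret.encode()).digest()
        expected = rec.token_hash if rec is not None else bytes(32)
        if not hmac.compare_digest(presented, expected) or rec is None:
            return None
        if rec.revoked or now >= rec.expires_at:
            return None
        if rec.roles_version != self._role_versions.get(rec.user, 0):
            return None
        return rec.user


if __name__ == "__main__":
    store = TokenStore()
    t = store.issue("alice", ttl_seconds=60, now=1000.0)
    print(store.authenticate(t, now=1001.0))   # alice
    store.change_roles("alice")
    print(store.authenticate(t, now=1001.0))   # None: issued under the old role set
```

The role-version trick is deliberately coarse: it invalidates every token the user holds, including ones that would still be appropriate under the new roles. That is the right default for a CI server, where a stale token that keeps elevated permissions is worse than forcing a re-issue.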

JetBrains TeamCity Stored XSS Vulnerability on Show Connection Page

CVE-2024-41826 4.8 - Medium - July 22, 2024

In JetBrains TeamCity before 2024.07 stored XSS was possible on Show Connection page

XSS

JetBrains TeamCity Stored XSS Vulnerability on Code Inspection Tab

CVE-2024-41825 5.4 - Medium - July 22, 2024

In JetBrains TeamCity before 2024.07 stored XSS was possible on the Code Inspection tab

XSS

JetBrains TeamCity Password Parameter Leak into Build Log

CVE-2024-41824 6.5 - Medium - July 22, 2024

In JetBrains TeamCity before 2024.07 parameters of the "password" type could leak into the build log in some specific cases

Insertion of Sensitive Information into Log File

JetBrains TeamCity OAuth Code Theft Vulnerability via Space Application Connection

CVE-2024-41829 7.5 - High - July 22, 2024

In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen via Space Application connection

Authentication

JetBrains TeamCity Application Token Exposure Vulnerability in EC2 Cloud Profile Settings

CVE-2024-39879 5.3 - Medium - July 01, 2024

In JetBrains TeamCity before 2024.03.3 application token could be exposed in EC2 Cloud Profile settings

Insufficiently Protected Credentials

JetBrains TeamCity Private Key Exposure Vulnerability via GitHub App Connection Test

CVE-2024-39878 5.3 - Medium - July 01, 2024

In JetBrains TeamCity before 2024.03.3 private key could be exposed via testing GitHub App Connection

Insufficiently Protected Credentials

JetBrains Hub Stored XSS Vulnerability via Project Description

CVE-2024-38507 5.4 - Medium - June 18, 2024

In JetBrains Hub before 2024.2.34646 stored XSS via project description was possible

XSS

JetBrains YouTrack Improper Access Control Vulnerability in Workflow Auto-Attach Option

CVE-2024-38506 8.1 - High - June 18, 2024

In JetBrains YouTrack before 2024.2.34646 user without appropriate permissions could enable the auto-attach option for workflows

AuthZ

JetBrains YouTrack Access Token Sent to Third-Party Site

CVE-2024-38505 7.5 - High - June 18, 2024

In JetBrains YouTrack before 2024.2.34646 user access token was sent to the third-party site

Insufficiently Protected Credentials

JetBrains YouTrack Guest User Account File Attachment Vulnerability

CVE-2024-38504 5.3 - Medium - June 18, 2024

In JetBrains YouTrack before 2024.2.34646 the Guest User Account was enabled for attaching files to articles

AuthZ

JetBrains IDEs GitHub Access Token Exposure to Third-Party Sites

CVE-2024-37051 7.5 - High - June 10, 2024

GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4

Insufficiently Protected Credentials

JetBrains TeamCity Stored XSS Vulnerability via Issue Tracker Integration

CVE-2024-36369 5.4 - Medium - May 29, 2024

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via issue tracker integration was possible

XSS

JetBrains TeamCity Path Traversal File Read Vulnerability

CVE-2024-36362 6.5 - Medium - May 29, 2024

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 path traversal allowing to read files from server was possible

Directory traversal

JetBrains TeamCity Multiple Stored XSS Vulnerabilities in Code Inspection Reports

CVE-2024-36363 5.4 - Medium - May 29, 2024

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 several Stored XSS in code inspection reports were possible

XSS

JetBrains TeamCity Improper Access Control Vulnerability in Pull Requests and Commit Status Publisher Build Features

CVE-2024-36364 6.5 - Medium - May 29, 2024

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 improper access control in Pull Requests and Commit status publisher build features was possible

AuthZ

JetBrains TeamCity Cloud Agent Impersonation Vulnerability

CVE-2024-36365 8.1 - High - May 29, 2024

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 a third-party agent could impersonate a cloud agent

AuthZ

JetBrains TeamCity XSS Vulnerability via Report Grouping and Filtering Operations

CVE-2024-36366 6.1 - Medium - May 29, 2024

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 an XSS could be executed via certain report grouping and filtering operations

XSS

JetBrains TeamCity Stored XSS Vulnerability via Third-Party Reports

CVE-2024-36367 6.1 - Medium - May 29, 2024

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via third-party reports was possible

XSS

JetBrains TeamCity Reflected XSS Vulnerability via OAuth Provider Configuration

CVE-2024-36368 5.4 - Medium - May 29, 2024

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 reflected XSS via OAuth provider configuration was possible

XSS

JetBrains TeamCity Stored XSS Vulnerability via OAuth Connection Settings

CVE-2024-36370 5.4 - Medium - May 29, 2024

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via OAuth connection settings was possible

XSS

JetBrains TeamCity Multiple Stored XSS Vulnerabilities on Available Updates Page

CVE-2024-35300 6.1 - Medium - May 16, 2024

In JetBrains TeamCity between 2024.03 and 2024.03.1 several stored XSS in the available updates page were possible

XSS

JetBrains TeamCity Commit Status Publisher GitHub App Token Scope Check Failure

CVE-2024-35301 5.5 - Medium - May 16, 2024

In JetBrains TeamCity before 2024.03.1 commit status publisher didn't check project scope of the GitHub App token

JetBrains TeamCity Stored XSS Vulnerability during Restore from Backup

CVE-2024-35302 6.1 - Medium - May 16, 2024

In JetBrains TeamCity before 2023.11 stored XSS during restore from backup was possible

XSS

JetBrains TeamCity XSS Vulnerability via Agent Distribution Settings

CVE-2024-31138 5.4 - Medium - March 28, 2024

In JetBrains TeamCity before 2024.03 XSS was possible via Agent Distribution settings

XSS

JetBrains TeamCity Reflected XSS Vulnerability via Space Connection Configuration

CVE-2024-31137 6.1 - Medium - March 28, 2024

In JetBrains TeamCity before 2024.03 reflected XSS was possible via Space connection configuration

XSS

JetBrains TeamCity Open Redirect Vulnerability on Login Page

CVE-2024-31135 6.1 - Medium - March 28, 2024

In JetBrains TeamCity before 2024.03 open redirect was possible on the login page

Open Redirect
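An open redirect on a login page (CVE-2024-31135 above) is the textbook phishing primitive: the victim follows a link to the real server, authenticates, and is then bounced to an attacker host. The usual fix is to accept only a same-site relative path as the post-login target. The following is an added example, not TeamCity code (TeamCity is a Java server; this is a Python illustration of the check), using only the standard library; the function name and the constructed inputs are this example's own.

```python
from urllib.parse import urlsplit, urlunsplit


def safe_redirect_target(raw: str, default: str = "/") -> str:
    """Accept only a same-site, path-only target for a post-login redirect.

    Everything that a browser could turn into a cross-site navigation falls
    back to `default`: absolute URLs (https://evil), scheme-relative URLs
    (//evil and ///evil, which browsers collapse to https://evil), backslash
    variants (/\\evil, treated like //evil by browsers), non-http schemes
    such as javascript:, and control characters that could split a header.
    """
    if not raw:
        return default
    candidate = raw.strip()
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return default
    if "\\" in candidate or candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    if not parts.path.startswith("/"):
        return default
    # Rebuild from the parsed pieces so only path, query and fragment survive
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed inputs for this example
    for target in ("/overview.html", "//evil.example/", "///evil.example/",
                   "/\\evil.example", "https://evil.example/", "javascript:alert(1)"):
        print(f"{target!r:26} -> {safe_redirect_target(target)!r}")
```

The check runs before `urlsplit`, not after it, on purpose: recent Python versions strip tab and newline characters inside `urlsplit`, so a parser-level check alone would never see them. Rejecting `///evil.example` by the raw prefix rather than by `netloc` matters for the same reason, since `urlsplit` reports an empty `netloc` for it while browsers navigate off-site.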

JetBrains TeamCity Unauthorized User Registration Vulnerability

CVE-2024-31134 6.5 - Medium - March 28, 2024

In JetBrains TeamCity before 2024.03 authenticated users without administrative permissions could register other users when self-registration was disabled

AuthZ

JetBrains TeamCity 2FA Bypass Vulnerability via URL Parameter

CVE-2024-31136 7.4 - High - March 28, 2024

In JetBrains TeamCity before 2024.03 2FA could be bypassed by providing a special URL parameter

JetBrains TeamCity XXE Vulnerability in Maven Build Steps Detector

CVE-2024-31139 8.1 - High - March 28, 2024

In JetBrains TeamCity before 2024.03 XXE was possible in the Maven build steps detector

XXE

JetBrains TeamCity Arbitrary File Removal by Server Administrators via Tool Installation

CVE-2024-31140 4.9 - Medium - March 28, 2024

In JetBrains TeamCity before 2024.03 server administrators could remove arbitrary files from the server by installing tools

JetBrains TeamCity Agent Machine Privilege Escalation Vulnerability

CVE-2024-29880 7.8 - High - March 21, 2024

In JetBrains TeamCity before 2023.11 users with access to the agent machine might obtain permissions of the user running the agent process

JetBrains YouTrack HelpDesk Comment Spoofing Vulnerability

CVE-2024-28228 5.3 - Medium - March 07, 2024

In JetBrains YouTrack before 2024.1.25893 creating comments on behalf of an arbitrary user in HelpDesk was possible

Authentication Bypass by Spoofing

JetBrains YouTrack Improper Access Control Vulnerability in Issue and Article Restoration

CVE-2024-28229 6.5 - Medium - March 07, 2024

In JetBrains YouTrack before 2024.1.25893 user without appropriate permissions could restore issues and articles

AuthZ

JetBrains YouTrack Improper Access Control Vulnerability in Workflow Attachment

CVE-2024-28230 6.5 - Medium - March 07, 2024

In JetBrains YouTrack before 2024.1.25893 attaching/detaching workflow to a project was possible without project admin permissions

AuthZ

JetBrains TeamCity Password Parameter Disclosure Vulnerability

CVE-2024-28173 4.3 - Medium - March 06, 2024

In JetBrains TeamCity between 2023.11 and 2023.11.4 custom build parameters of the "password" type could be disclosed

JetBrains TeamCity Improper Authorization Vulnerability in S3 Artifact Storage Presigned URL Generation

CVE-2024-28174 5.8 - Medium - March 06, 2024

In JetBrains TeamCity before 2023.11.4 presigned URL generation requests in S3 Artifact Storage plugin were authorized improperly

AuthZ

JetBrains TeamCity Path Traversal Vulnerability Allowing Limited Admin Actions

CVE-2024-27199 7.3 - High - March 04, 2024

In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible

Directory traversal

JetBrains TeamCity Authentication Bypass Vulnerability Allowing Admin Actions

CVE-2024-27198 9.8 - Critical - March 04, 2024

In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible

JetBrains TeamCity Authentication Bypass Vulnerability Leading to RCE

CVE-2024-23917 9.8 - Critical - February 06, 2024

In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible

Missing Authentication for Critical Function

JetBrains TeamCity Missing Access Control at S3 Artifact Storage Plugin Endpoint

CVE-2024-24936 5.3 - Medium - February 06, 2024

In JetBrains TeamCity before 2023.11.2 access control at the S3 Artifact Storage plugin endpoint was missing

JetBrains TeamCity Stored XSS Vulnerability via Agent Distribution

CVE-2024-24937 5.4 - Medium - February 06, 2024

In JetBrains TeamCity before 2023.11.2 stored XSS via agent distribution was possible

XSS

JetBrains TeamCity Limited Directory Traversal Vulnerability in Kotlin DSL Documentation

CVE-2024-24938 5.3 - Medium - February 06, 2024

In JetBrains TeamCity before 2023.11.2 limited directory traversal was possible in the Kotlin DSL documentation

Directory traversal

JetBrains Rider Secret Environment Variable Logging Vulnerability

CVE-2024-24939 5.3 - Medium - February 06, 2024

In JetBrains Rider before 2023.3.3 logging of environment variables containing secret values was possible

Insertion of Sensitive Information into Log File
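Several entries on this page are the same failure in different products: a value the system knows to be secret ends up in output it does not treat as secret, whether a TeamCity build log (CVE-2024-41824, CVE-2024-28173) or a Rider log of environment variables (CVE-2024-24939 above). The defence on the logging side is a redactor that knows the secret values and masks them, including the encoded forms in which they commonly reappear (URL-encoded, base64, JSON-escaped). The following is an added example, not code from TeamCity or Rider; the secret names and sample log lines are constructed for the illustration.

```python
import base64
import re
from typing import Callable, Dict, Set
from urllib.parse import quote

MIN_LEN = 8   # shorter fragments would over-redact ordinary output


def secret_variants(value: str) -> Set[str]:
    """Forms in which a secret value commonly reappears in build output."""
    variants = {
        value,
        quote(value, safe=""),                              # %-encoded, e.g. in a URL
        base64.b64encode(value.encode()).decode(),          # bare value base64-encoded
        value.replace('"', '\\"').replace("/", "\\/"),      # JSON-escaped
    }
    return {v for v in variants if len(v) >= MIN_LEN}


def build_redactor(known: Dict[str, str]) -> Callable[[str], str]:
    """Return a function that replaces every known secret value with a placeholder.

    `known` maps a parameter name (safe to show) to its secret value.
    """
    table = []
    for name, value in known.items():
        for variant in secret_variants(value):
            table.append((variant, name))
    if not table:
        return lambda line: line
    # Longest alternatives first so a variant that contains another is matched whole
    table.sort(key=lambda t: len(t[0]), reverse=True)
    pattern = re.compile("|".join(re.escape(v) for v, _ in table))
    lookup = dict(table)

    def redact(line: str) -> str:
        return pattern.sub(lambda m: f"[REDACTED:{lookup[m.group(0)]}]", line)

    return redact


if __name__ == "__main__":
    redact = build_redactor({"db.password": "p@ss w0rd/42", "api.token": "hunter2secret"})
    # Constructed log lines
    for line in ("conn: user=app password=p@ss w0rd/42 ok",
                 "GET /x?pw=p%40ss%20w0rd%2F42",
                 "Authorization: Basic aHVudGVyMnNlY3JldA=="):
        print(redact(line))
```

The limits are worth stating: this masks values it has been told about and nothing else, so secrets that enter a build some other way (a file checked out from the VCS, a value computed inside a script) are not covered, and a determined script can always print a secret in an encoding the table does not know. It is a backstop for the accidental leaks the advisories describe, not a substitute for keeping the value out of the log path in the first place.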

JetBrains IntelliJ IDEA Space Plugin Authentication Token Leak to Inappropriate URL

CVE-2024-24941 5.3 - Medium - February 06, 2024

In JetBrains IntelliJ IDEA before 2023.3.3 a plugin for JetBrains Space was able to send an authentication token to an inappropriate URL

Improper Input Validation

JetBrains TeamCity Path Traversal Vulnerability in JAR Archive Reading

CVE-2024-24942 5.3 - Medium - February 06, 2024

In JetBrains TeamCity before 2023.11.3 path traversal allowed reading data within JAR archives

Directory traversal

JetBrains Toolbox App DoS Vulnerability via Malicious SVG Image

CVE-2024-24943 5.5 - Medium - February 06, 2024

In JetBrains Toolbox App before 2.2 a DoS attack was possible via a malicious SVG image

Resource Exhaustion

JetBrains IntelliJ IDEA Path Traversal Vulnerability when Unpacking Archives

CVE-2024-24940 4.3 - Medium - February 06, 2024

In JetBrains IntelliJ IDEA before 2023.3.3 path traversal was possible when unpacking archives

Directory traversal
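The path traversal entries on this page come in two flavours: a user-controlled name joined onto a server directory (CVE-2024-47949 backup write, CVE-2024-36362 file read, CVE-2024-27199) and an archive entry name trusted while unpacking (CVE-2024-24940 above, the "zip-slip" pattern). Both need the same check: compute where the name really lands and refuse it unless that location is inside the intended directory. The following is an added example, not IntelliJ or TeamCity code, using only the Python standard library; the function names are this example's own, and the archive it builds is constructed for the demonstration.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath
from typing import Dict, List


def resolve_inside(base_dir: Path, untrusted_relative: str) -> Path:
    """Join an untrusted name onto base_dir and prove the result stays inside it.

    resolve() collapses '..' and follows symlinks, so containment is tested on
    the real filesystem location, not on the string. An absolute name replaces
    base_dir during the join and is therefore caught by the same test.
    """
    base = base_dir.resolve()
    candidate = (base / untrusted_relative).resolve()
    if base not in candidate.parents:
        raise ValueError(f"path escapes {base}: {untrusted_relative!r}")
    return candidate


def safe_extract(zip_bytes: bytes, dest: Path) -> List[Path]:
    """Extract an archive, refusing any entry that would land outside dest."""
    written: List[Path] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = PurePosixPath(name).parts
            # Cheap syntactic rejects: empty, absolute, drive-letter, backslash or '..' names
            if (not parts or PurePosixPath(name).is_absolute() or ".." in parts
                    or "\\" in name or ":" in parts[0]):
                raise ValueError(f"unsafe archive entry: {name!r}")
            target = resolve_inside(dest, name)      # semantic check on the resolved path
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Constructed test archive. zipfile stores names verbatim, so '../' survives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def extraction_rejected(zip_bytes: bytes, dest: Path) -> bool:
    try:
        safe_extract(zip_bytes, dest)
        return False
    except ValueError:
        return True


def scratch_dir() -> Path:
    """A fresh temporary directory to try the functions above against."""
    return Path(tempfile.mkdtemp(prefix="unpack-"))


if __name__ == "__main__":
    d = scratch_dir()
    print(safe_extract(build_zip({"docs/readme.txt": b"hi"}), d))
    print(extraction_rejected(build_zip({"../evil.txt": b"x"}), d))   # True
```

The syntactic checks alone are not enough, which is why `resolve_inside` runs as well: an entry named `docs/link/../../x` passes a naive "starts with the destination" string test if `docs/link` is a symlink created by an earlier entry, but fails once the path is resolved on disk.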

JetBrains YouTrack Stored XSS Vulnerability via Markdown

CVE-2024-22370 5.4 - Medium - January 09, 2024

In JetBrains YouTrack before 2023.3.22666 stored XSS via markdown was possible

XSS

JetBrains IntelliJ IDEA Untrusted Project Mode Code Execution Vulnerability via Malicious Plugin Repository

CVE-2023-51655 9.8 - Critical - December 21, 2023

In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin repository specified in the project configuration

Insufficient Verification of Data Authenticity

JetBrains YouTrack Missing Authorization Check for Inline Comments in Thread Replies

CVE-2023-50871 4.3 - Medium - December 15, 2023

In JetBrains YouTrack before 2023.3.22268 the authorization check for inline comments inside thread replies was missing

JetBrains TeamCity Login CSRF Vulnerability

CVE-2023-50870 8.8 - High - December 15, 2023

In JetBrains TeamCity before 2023.11.1 a CSRF on login was possible

Session Riding

JetBrains Ktor ContentNegotiation XML XXE Vulnerability

CVE-2023-45612 9.8 - Critical - October 09, 2023

In JetBrains Ktor before 2.3.5 default configuration of ContentNegotiation with XML format was vulnerable to XXE

XXE
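XXE appears three times on this page: the TeamCity XMLParser configuration (CVE-2024-56356), the Maven build steps detector (CVE-2024-31139) and Ktor's default XML ContentNegotiation (CVE-2023-45612 above). The root cause is the same each time, a parser that honours a DTD supplied by the document it is parsing. The following is an added example, not code from TeamCity or Ktor (both are JVM projects; this is a Python illustration of the check), using only the standard library. The sample documents are constructed for the example. Note that Python's `xml.etree` does not fetch external entities, so the lax parser here demonstrates the entity-expansion half of the problem; the hardened parser rejects both kinds with one check.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample documents for this example (not from any advisory)
BENIGN = "<project><name>demo</name></project>"
XXE = ('<?xml version="1.0"?>'
       '<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
       '<project><name>&xxe;</name></project>')
BOMB = ('<!DOCTYPE x [<!ENTITY a "aaaaaaaaaa">'
        '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
        '<project><name>&b;</name></project>')

_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)


def parse_lax(data: str) -> ET.Element:
    """Default stdlib parsing: internal entities declared in the DTD are expanded."""
    return ET.fromstring(data)


def parse_hardened(data: str) -> ET.Element:
    """Refuse any document carrying a DOCTYPE, then parse normally.

    Untrusted XML (a build configuration, a pom.xml, an API request body)
    never needs a DTD, so rejecting DOCTYPE outright closes off external
    entities (XXE) and entity-expansion bombs with a single check that does
    not depend on per-parser feature flags.

    The scan runs on decoded text on purpose: a byte-level regex would miss
    a DOCTYPE in a UTF-16 encoded body, so decode first, then check.
    """
    if _DOCTYPE.search(data):
        raise ValueError("DOCTYPE declarations are not accepted from untrusted input")
    return ET.fromstring(data)


def rejects(doc: str) -> bool:
    try:
        parse_hardened(doc)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(len(parse_lax(BOMB).findtext("name")))   # 100: ten copies of ten 'a's
    print(rejects(BENIGN), rejects(XXE), rejects(BOMB))   # False True True
```

The JVM equivalent of the same rule is to set the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl` to true on the `DocumentBuilderFactory` or `SAXParserFactory`, which makes the parser itself fail on a DOCTYPE rather than relying on a pre-scan.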

JetBrains Ktor Missing Server Certificate Verification Vulnerability

CVE-2023-45613 9.1 - Critical - October 09, 2023

In JetBrains Ktor before 2.3.5 server certificates were not verified

Improper Certificate Validation

JetBrains TeamCity Stored XSS Vulnerability during Nodes Configuration

CVE-2023-43566 5.4 - Medium - September 19, 2023

In JetBrains TeamCity before 2023.05.4 stored XSS was possible during nodes configuration

XSS

JetBrains TeamCity Authentication Bypass Vulnerability Leading to RCE on TeamCity Server

CVE-2023-42793 9.8 - Critical - September 19, 2023

In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible

Missing Authentication for Critical Function

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms