JetBrains: creators of IntelliJ IDEA, ReSharper, PyCharm, TeamCity, Kotlin

Products by JetBrains, sorted by most security vulnerabilities since 2018

JetBrains TeamCity: 107 vulnerabilities
JetBrains YouTrack: 57 vulnerabilities
JetBrains IntelliJ IDEA: 37 vulnerabilities
JetBrains Hub: 23 vulnerabilities
JetBrains Ktor: 15 vulnerabilities
JetBrains Kotlin: 6 vulnerabilities
JetBrains Upsource: 5 vulnerabilities
JetBrains Toolbox: 5 vulnerabilities
JetBrains PyCharm: 5 vulnerabilities
JetBrains Code With Me: 3 vulnerabilities
JetBrains WebStorm: 3 vulnerabilities
JetBrains Space: 3 vulnerabilities
JetBrains Rider: 3 vulnerabilities
JetBrains PhpStorm: 2 vulnerabilities
JetBrains RubyMine: 2 vulnerabilities
JetBrains GoLand: 2 vulnerabilities
JetBrains ReSharper: 1 vulnerability
JetBrains MPS: 1 vulnerability
JetBrains Scala: 1 vulnerability
JetBrains Gateway: 1 vulnerability
JetBrains IDEtalk: 1 vulnerability
JetBrains IdeaVim: 1 vulnerability
JetBrains Vim: 1 vulnerability
JetBrains dotPeek: 1 vulnerability
JetBrains CLion: 1 vulnerability

By the Year

In 2023 there have been 3 vulnerabilities in JetBrains products with an average score of 7.3 out of ten. Last year JetBrains had 73 security vulnerabilities published. Right now, JetBrains is on track to have fewer security vulnerabilities in 2023 than it did last year. However, the average CVE base score of the vulnerabilities in 2023 is greater by 0.89.

Year  Vulnerabilities  Average Score
2023  3                7.33
2022  73               6.45
2021  88               6.66
2020  57               6.52
2019  57               7.08
2018  1                7.80

It may take a day or so for new JetBrains vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent JetBrains Security Vulnerabilities

CVE-2022-48342 9.8 - Critical - February 23, 2023
In JetBrains TeamCity before 2022.10.2 jVMTI was enabled by default on agents.
Insecure Default Initialization of Resource

CVE-2022-48343 6.1 - Medium - February 23, 2023
In JetBrains TeamCity before 2022.10.2 there was an XSS vulnerability in the user creation process.
XSS

CVE-2022-48344 6.1 - Medium - February 23, 2023
In JetBrains TeamCity before 2022.10.2 there was an XSS vulnerability in the group creation process.
XSS

CVE-2022-47896 7.8 - High - December 22, 2022
In JetBrains IntelliJ IDEA before 2022.3.1 code templates were vulnerable to SSTI attacks.
Code Injection

CVE-2022-47895 7.5 - High - December 22, 2022
In JetBrains IntelliJ IDEA before 2022.3.1 the "Validate JSP File" action used the HTTP protocol to download required JAR files.
Cleartext Transmission of Sensitive Information

CVE-2022-46825 3.3 - Low - December 08, 2022
In JetBrains IntelliJ IDEA before 2022.3 the built-in web server leaked information about open projects.
Inadequate Encryption Strength

CVE-2022-46826 5.5 - Medium - December 08, 2022
In JetBrains IntelliJ IDEA before 2022.3 the built-in web server allowed an arbitrary file to be read by exploiting a path traversal vulnerability.
Directory Traversal

CVE-2022-46827 5.5 - Medium - December 08, 2022
In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible.
XXE

CVE-2022-46829 8.8 - High - December 08, 2022
In JetBrains Gateway before 2022.3 a client could connect without a valid token if the host consented.
Authentication

CVE-2022-46830 5.3 - Medium - December 08, 2022
In JetBrains TeamCity between 2022.10 and 2022.10.1 a custom STS endpoint allowed internal port scanning.
XSPA

CVE-2022-46831 4.9 - Medium - December 08, 2022
In JetBrains TeamCity between 2022.10 and 2022.10.1 connecting to AWS using the "Default Credential Provider Chain" allowed TeamCity project administrators to access AWS resources normally limited to TeamCity system administrators.
Insecure Default Initialization of Resource

CVE-2022-45471 7.5 - High - November 18, 2022
In JetBrains Hub before 2022.3.15181 throttling was missed when sending emails to a particular email address.
Allocation of Resources Without Limits or Throttling

CVE-2022-44622 5.3 - Medium - November 03, 2022
In JetBrains TeamCity versions between 2021.2 and 2022.10 access permissions for secure token health items were excessive.

CVE-2022-44623 7.5 - High - November 03, 2022
In JetBrains TeamCity versions before 2022.10, Project Viewer could see scrambled secure values in the MetaRunner settings.

CVE-2022-44624 7.5 - High - November 03, 2022
In JetBrains TeamCity versions before 2022.10, password parameters could be exposed in the build log if they contained special characters.
Insertion of Sensitive Information into Log File

CVE-2022-44646 5.3 - Medium - November 03, 2022
In JetBrains TeamCity versions before 2022.10, no audit items were added upon editing a user's settings.

CVE-2022-40979 5.3 - Medium - September 23, 2022
In JetBrains TeamCity before 2022.04.4 environment variables of "password" type could be logged when using a custom Perforce executable.
Insertion of Sensitive Information into Log File

CVE-2022-40978 7.8 - High - September 19, 2022
The installer of JetBrains IntelliJ IDEA before 2022.2.2 was vulnerable to EXE search order hijacking.
DLL Preloading

CVE-2022-38180 6.5 - Medium - August 12, 2022
In JetBrains Ktor before 2.1.0 the wrong authentication provider could be selected in some cases.
Authentication

CVE-2022-38179 6.1 - Medium - August 12, 2022
JetBrains Ktor before 2.1.0 was vulnerable to the Reflected File Download attack.
Incorrect Comparison

CVE-2022-38133 5.3 - Medium - August 10, 2022
In JetBrains TeamCity before 2022.04.3 the private SSH key could be written to the server log in some cases.
Insertion of Sensitive Information into Log File

CVE-2022-37396 7.8 - High - August 03, 2022
In JetBrains Rider before 2022.2 the Trust and Open Project dialog could be bypassed, leading to local code execution.

CVE-2022-37009 7.8 - High - July 28, 2022
In JetBrains IntelliJ IDEA before 2022.2 local code execution via a Vagrant executable was possible.
Code Injection

CVE-2022-37010 3.3 - Low - July 28, 2022
In JetBrains IntelliJ IDEA before 2022.2 email address validation in the "Git User Name Is Not Defined" dialog was missed.
Improper Input Validation

CVE-2022-36321 6.5 - Medium - July 20, 2022
In JetBrains TeamCity before 2022.04.2 the private SSH key could be written to the build log in some cases.
Insertion of Sensitive Information into Log File

CVE-2022-36322 8.8 - High - July 20, 2022
In JetBrains TeamCity before 2022.04.2 build parameter injection was possible.
Argument Injection

CVE-2022-34894 5.3 - Medium - July 01, 2022
In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services.

CVE-2022-29927 6.1 - Medium - May 12, 2022
In JetBrains TeamCity before 2022.04 reflected XSS on the Build Chain Status page was possible.
XSS

CVE-2022-29928 4.9 - Medium - May 12, 2022
In JetBrains TeamCity before 2022.04 a leak of secrets in TeamCity agent logs was possible.
Insertion of Sensitive Information into Log File

CVE-2022-29929 6.1 - Medium - May 12, 2022
In JetBrains TeamCity before 2022.04 potential XSS via the Referrer header was possible.
XSS

CVE-2022-29930 4.9 - Medium - May 12, 2022
The SHA1 implementation in JetBrains Ktor Native 2.0.0 was returning the same value. The issue was fixed in Ktor version 2.0.1.
Use of Insufficiently Random Values

CVE-2022-29811 4.8 - Medium - April 28, 2022
In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible.
XSS

CVE-2022-29812 2.3 - Low - April 28, 2022
In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient.

CVE-2022-29813 6.7 - Medium - April 28, 2022
In JetBrains IntelliJ IDEA before 2022.1 local code execution via a custom Pandoc path was possible.
Code Injection

CVE-2022-29814 7.7 - High - April 28, 2022
In JetBrains IntelliJ IDEA before 2022.1 local code execution via HTML descriptions in custom JSON schemas was possible.
Code Injection

CVE-2022-29815 6.7 - Medium - April 28, 2022
In JetBrains IntelliJ IDEA before 2022.1 local code execution via workspace settings was possible.
Code Injection

CVE-2022-29816 3.3 - Low - April 28, 2022
In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible.
Injection

CVE-2022-29817 6.1 - Medium - April 28, 2022
In JetBrains IntelliJ IDEA before 2022.1 reflected XSS via error messages in the internal web server was possible.
XSS

CVE-2022-29820 3.5 - Low - April 28, 2022
In JetBrains PyCharm before 2022.1 exposure of the debugger port to the internal network was possible.
Exposure of Resource to Wrong Sphere

CVE-2022-29818 7.1 - High - April 28, 2022
In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed.
Origin Validation Error

CVE-2022-29819 7.7 - High - April 28, 2022
In JetBrains IntelliJ IDEA before 2022.1 local code execution via links in Quick Documentation was possible.
Code Injection

CVE-2022-29821 7.7 - High - April 28, 2022
In JetBrains Rider before 2022.1 local code execution via links in ReSharper Quick Documentation was possible.
Code Injection

CVE-2022-29035 2.7 - Low - April 11, 2022
In JetBrains Ktor Native before version 2.0.0 random values used for nonce generation weren't using SecureRandom implementations.
Use of Insufficiently Random Values

CVE-2022-28648 5.4 - Medium - April 05, 2022
In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered.
XSS

CVE-2022-28649 5.4 - Medium - April 05, 2022
In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description.
Clickjacking

CVE-2022-28651 5.5 - Medium - April 05, 2022
In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords from protected fields.
Insufficiently Protected Credentials

CVE-2022-28650 5.4 - Medium - April 05, 2022
In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI.
XSS

CVE-2022-25260 9.1 - Critical - February 25, 2022
JetBrains Hub before 2021.1.14276 was vulnerable to blind Server-Side Request Forgery (SSRF).
XSPA

CVE-2022-25261 6.1 - Medium - February 25, 2022
JetBrains TeamCity before 2021.2.2 was vulnerable to reflected XSS.
XSS

CVE-2022-25262 9.8 - Critical - February 25, 2022
In JetBrains Hub before 2022.1.14434, SAML request takeover was possible.
Authentication

CVE-2022-25263 9.8 - Critical - February 25, 2022
JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration.
Shell Injection

CVE-2022-25264 7.5 - High - February 25, 2022
In JetBrains TeamCity before 2021.2.3, environment variables of the "password" type could be logged in some cases.
Insecure Storage of Sensitive Information

CVE-2022-25259 6.1 - Medium - February 25, 2022
JetBrains Hub before 2021.1.14276 was vulnerable to reflected XSS.
XSS

CVE-2022-24442 9.8 - Critical - February 25, 2022
JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.
Injection

CVE-2022-24341 7.5 - High - February 25, 2022
In JetBrains TeamCity before 2021.2.1, editing a user account to change its password didn't terminate sessions of the edited user.
Insufficient Session Expiration

CVE-2022-24347 5.4 - Medium - February 25, 2022
JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon.
XSS

CVE-2022-24344 5.4 - Medium - February 25, 2022
JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page.
XSS

CVE-2022-24343 4.3 - Medium - February 25, 2022
In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions.
Incorrect Default Permissions

CVE-2022-24342 8.8 - High - February 25, 2022
In JetBrains TeamCity before 2021.2.1, URL injection leading to CSRF was possible.
Session Riding

CVE-2022-24340 9.8 - Critical - February 25, 2022
In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible.
XXE

CVE-2022-24339 5.4 - Medium - February 25, 2022
JetBrains TeamCity before 2021.2.1 was vulnerable to stored XSS.
XSS

CVE-2022-24338 6.1 - Medium - February 25, 2022
JetBrains TeamCity before 2021.2.1 was vulnerable to reflected XSS.
XSS

CVE-2022-24337 6.5 - Medium - February 25, 2022
In JetBrains TeamCity before 2021.2, health items of pull requests were shown to users who lacked appropriate permissions.
Incorrect Default Permissions

CVE-2022-24336 5.3 - Medium - February 25, 2022
In JetBrains TeamCity before 2021.2.1, an unauthenticated attacker can cancel running builds via an XML-RPC request to the TeamCity server.
Exposure of Resource to Wrong Sphere

CVE-2022-24334 5.3 - Medium - February 25, 2022
In JetBrains TeamCity before 2021.2.1, the Agent Push feature allowed selection of any private key on the server.

CVE-2022-24335 8.1 - High - February 25, 2022
JetBrains TeamCity before 2021.2 was vulnerable to a Time-of-check/Time-of-use (TOCTOU) race-condition attack in agent registration via XML-RPC.
TOCTTOU

CVE-2021-45977 9.8 - Critical - February 25, 2022
JetBrains IntelliJ IDEA 2021.3.1 Preview, IntelliJ IDEA 2021.3.1 RC, PyCharm Professional 2021.3.1 RC, GoLand 2021.3.1, PhpStorm 2021.3.1 Preview, PhpStorm 2021.3.1 RC, RubyMine 2021.3.1 Preview, RubyMine 2021.3.1 RC, CLion 2021.3.1, WebStorm 2021.3.1 Preview, and WebStorm 2021.3.1 RC (used as Remote Development backend IDEs) bind to the 0.0.0.0 IP address. The fixed versions are: IntelliJ IDEA 2021.3.1, PyCharm Professional 2021.3.1, GoLand 2021.3.2, PhpStorm 2021.3.1 (213.6461.83), RubyMine 2021.3.1, CLion 2021.3.2, and WebStorm 2021.3.1.

CVE-2022-24329 5.3 - Medium - February 25, 2022
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
Improper Locking

CVE-2022-24331 9.8 - Critical - February 25, 2022
In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible.
Authentication

CVE-2022-24332 5.3 - Medium - February 25, 2022
In JetBrains TeamCity before 2021.2, a logout action didn't remove a Remember Me cookie.
Insufficient Session Expiration

CVE-2022-24333 6.5 - Medium - February 25, 2022
In JetBrains TeamCity before 2021.2, blind SSRF via an XML-RPC call was possible.
XSPA

CVE-2022-24345 7.8 - High - February 25, 2022
In JetBrains IntelliJ IDEA before 2021.2.4, local code execution (without permission from a user) upon opening a project was possible.

CVE-2022-24346 7.8 - High - February 25, 2022
In JetBrains IntelliJ IDEA before 2021.3.1, local code execution via RLO (Right-to-Left Override) characters was possible.

CVE-2022-24327 7.5 - High - February 25, 2022
In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions.
Incorrect Permission Assignment for Critical Resource

CVE-2022-24328 6.5 - Medium - February 25, 2022
In JetBrains Hub before 2021.1.13956, an unprivileged user could perform DoS.

CVE-2022-24330 6.1 - Medium - February 25, 2022
In JetBrains TeamCity before 2021.2.1, a redirection to an external site was possible.
Open Redirect

CVE-2021-43202 9.8 - Critical - November 30, 2021
In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases.

CVE-2021-43180 7.5 - High - November 09, 2021
In JetBrains Hub before 2021.1.13690, information disclosure via avatar metadata is possible.

CVE-2021-43181 6.1 - Medium - November 09, 2021
In JetBrains Hub before 2021.1.13690, stored XSS is possible.
XSS

CVE-2021-43182 7.5 - High - November 09, 2021
In JetBrains Hub before 2021.1.13415, a DoS via user information is possible.

CVE-2021-43183 9.8 - Critical - November 09, 2021
In JetBrains Hub before 2021.1.13690, the authentication throttling mechanism could be bypassed.

CVE-2021-43184 5.4 - Medium - November 09, 2021
In JetBrains YouTrack before 2021.3.21051, stored XSS is possible.
XSS

CVE-2021-43185 9.8 - Critical - November 09, 2021
JetBrains YouTrack before 2021.3.23639 is vulnerable to Host header injection.
Injection

CVE-2021-43193 9.8 - Critical - November 09, 2021
In JetBrains TeamCity before 2021.1.2, remote code execution via the agent push functionality is possible.

CVE-2021-43194 5.3 - Medium - November 09, 2021
In JetBrains TeamCity before 2021.1.2, user enumeration was possible.

CVE-2021-43203 7.5 - High - November 09, 2021
In JetBrains Ktor before 1.6.4, nonce verification during the OAuth2 authentication process is implemented improperly.
Authentication

CVE-2021-43186 5.4 - Medium - November 09, 2021
JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS.
XSS

CVE-2021-43195 5.3 - Medium - November 09, 2021
In JetBrains TeamCity before 2021.1.2, some HTTP security headers were missing.

CVE-2021-43196 7.5 - High - November 09, 2021
In JetBrains TeamCity before 2021.1, information disclosure via the Docker Registry connection dialog is possible.

CVE-2021-43197 6.1 - Medium - November 09, 2021
In JetBrains TeamCity before 2021.1.2, email notifications could include unescaped HTML, leading to XSS.
XSS

CVE-2021-43198 5.4 - Medium - November 09, 2021
In JetBrains TeamCity before 2021.1.2, stored XSS is possible.
XSS

CVE-2021-43199 5.3 - Medium - November 09, 2021
In JetBrains TeamCity before 2021.1.2, permission checks in the Create Patch functionality are insufficient.
Incorrect Default Permissions

CVE-2021-43200 9.8 - Critical - November 09, 2021
In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient.

CVE-2021-43201 5.3 - Medium - November 09, 2021
In JetBrains TeamCity before 2021.1.3, a newly created project could take settings from an already deleted project.

CVE-2021-36209 9.8 - Critical - August 06, 2021
In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset.
Weak Password Recovery Mechanism for Forgotten Password

CVE-2021-37540 6.5 - Medium - August 06, 2021
In JetBrains Hub before 2021.1.13262, a potentially insufficient CSP for the Widget deployment feature was used.
Inadequate Encryption Strength

CVE-2021-37541 6.1 - Medium - August 06, 2021
In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible.
Injection

CVE-2021-37542 6.1 - Medium - August 06, 2021
In JetBrains TeamCity before 2020.2.3, XSS was possible.
XSS

CVE-2021-37548 7.5 - High - August 06, 2021
In JetBrains TeamCity before 2021.1, passwords in cleartext could sometimes be stored in VCS.
Cleartext Storage of Sensitive Information

CVE-2021-37550 7.5 - High - August 06, 2021
In JetBrains YouTrack before 2021.2.16363, time-unsafe comparisons were used.
Incorrect Comparison

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Icons by Icons8.