JetBrains Creators of IntelliJ IDEA, ReSharper, PyCharm, TeamCity, Kotlin
Products by JetBrains Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2023 there have been 3 vulnerabilities in JetBrains products with an average score of 7.3 out of ten. Last year JetBrains had 73 security vulnerabilities published. Right now, JetBrains is on track to have fewer security vulnerabilities in 2023 than it did last year. However, the average CVE base score of the vulnerabilities in 2023 is greater by 0.89.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 3 | 7.33 |
2022 | 73 | 6.45 |
2021 | 88 | 6.66 |
2020 | 57 | 6.52 |
2019 | 57 | 7.08 |
2018 | 1 | 7.80 |
It may take a day or so for new JetBrains vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent JetBrains Security Vulnerabilities
CVE | Score | Published | Weakness

CVE-2022-48342 | 9.8 - Critical | February 23, 2023 | Insecure Default Initialization of Resource
In JetBrains TeamCity before 2022.10.2 jVMTI was enabled by default on agents.

CVE-2022-48343 | 6.1 - Medium | February 23, 2023 | XSS
In JetBrains TeamCity before 2022.10.2 there was an XSS vulnerability in the user creation process.

CVE-2022-48344 | 6.1 - Medium | February 23, 2023 | XSS
In JetBrains TeamCity before 2022.10.2 there was an XSS vulnerability in the group creation process.

CVE-2022-47896 | 7.8 - High | December 22, 2022 | Code Injection
In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks.

CVE-2022-47895 | 7.5 - High | December 22, 2022 | Cleartext Transmission of Sensitive Information
In JetBrains IntelliJ IDEA before 2022.3.1 the "Validate JSP File" action used the HTTP protocol to download required JAR files.

CVE-2022-46825 | 3.3 - Low | December 08, 2022 | Inadequate Encryption Strength
In JetBrains IntelliJ IDEA before 2022.3 the built-in web server leaked information about open projects.

CVE-2022-46826 | 5.5 - Medium | December 08, 2022 | Directory traversal
In JetBrains IntelliJ IDEA before 2022.3 the built-in web server allowed an arbitrary file to be read by exploiting a path traversal vulnerability.

CVE-2022-46827 | 5.5 - Medium | December 08, 2022 | XXE
In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible.
CVE-2022-46829 | 8.8 - High | December 08, 2022 | Authentication
In JetBrains JetBrains Gateway before 2022.3 a client could connect without a valid token if the host consented.

CVE-2022-46830 | 5.3 - Medium | December 08, 2022 | XSPA
In JetBrains TeamCity between 2022.10 and 2022.10.1 a custom STS endpoint allowed internal port scanning.

CVE-2022-46831 | 4.9 - Medium | December 08, 2022 | Insecure Default Initialization of Resource
In JetBrains TeamCity between 2022.10 and 2022.10.1 connecting to AWS using the "Default Credential Provider Chain" allowed TeamCity project administrators to access AWS resources normally limited to TeamCity system administrators.

CVE-2022-45471 | 7.5 - High | November 18, 2022 | Allocation of Resources Without Limits or Throttling
In JetBrains Hub before 2022.3.15181 Throttling was missed when sending emails to a particular email address.

CVE-2022-44622 | 5.3 - Medium | November 03, 2022
In JetBrains TeamCity version between 2021.2 and 2022.10 access permissions for secure token health items were excessive.

CVE-2022-44623 | 7.5 - High | November 03, 2022
In JetBrains TeamCity version before 2022.10, Project Viewer could see scrambled secure values in the MetaRunner settings.

CVE-2022-44624 | 7.5 - High | November 03, 2022 | Insertion of Sensitive Information into Log File
In JetBrains TeamCity version before 2022.10, Password parameters could be exposed in the build log if they contained special characters.

CVE-2022-44646 | 5.3 - Medium | November 03, 2022
In JetBrains TeamCity version before 2022.10, no audit items were added upon editing a user's settings.

CVE-2022-40979 | 5.3 - Medium | September 23, 2022 | Insertion of Sensitive Information into Log File
In JetBrains TeamCity before 2022.04.4 environmental variables of "password" type could be logged when using custom Perforce executable.

CVE-2022-40978 | 7.8 - High | September 19, 2022 | DLL preloading
The installer of JetBrains IntelliJ IDEA before 2022.2.2 was vulnerable to EXE search order hijacking.
CVE-2022-38180 | 6.5 - Medium | August 12, 2022 | Authentication
In JetBrains Ktor before 2.1.0 the wrong authentication provider could be selected in some cases.

CVE-2022-38179 | 6.1 - Medium | August 12, 2022 | Incorrect Comparison
JetBrains Ktor before 2.1.0 was vulnerable to the Reflect File Download attack.

CVE-2022-38133 | 5.3 - Medium | August 10, 2022 | Insertion of Sensitive Information into Log File
In JetBrains TeamCity before 2022.04.3 the private SSH key could be written to the server log in some cases.

CVE-2022-37396 | 7.8 - High | August 03, 2022
In JetBrains Rider before 2022.2 Trust and Open Project dialog could be bypassed, leading to local code execution.

CVE-2022-37009 | 7.8 - High | July 28, 2022 | Code Injection
In JetBrains IntelliJ IDEA before 2022.2 local code execution via a Vagrant executable was possible.

CVE-2022-37010 | 3.3 - Low | July 28, 2022 | Improper Input Validation
In JetBrains IntelliJ IDEA before 2022.2 email address validation in the "Git User Name Is Not Defined" dialog was missed.

CVE-2022-36321 | 6.5 - Medium | July 20, 2022 | Insertion of Sensitive Information into Log File
In JetBrains TeamCity before 2022.04.2 the private SSH key could be written to the build log in some cases.

CVE-2022-36322 | 8.8 - High | July 20, 2022 | Argument Injection
In JetBrains TeamCity before 2022.04.2 build parameter injection was possible.

CVE-2022-34894 | 5.3 - Medium | July 01, 2022
In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services.
CVE-2022-29927 | 6.1 - Medium | May 12, 2022 | XSS
In JetBrains TeamCity before 2022.04 reflected XSS on the Build Chain Status page was possible.

CVE-2022-29928 | 4.9 - Medium | May 12, 2022 | Insertion of Sensitive Information into Log File
In JetBrains TeamCity before 2022.04 leak of secrets in TeamCity agent logs was possible.

CVE-2022-29929 | 6.1 - Medium | May 12, 2022 | XSS
In JetBrains TeamCity before 2022.04 potential XSS via Referrer header was possible.

CVE-2022-29930 | 4.9 - Medium | May 12, 2022 | Use of Insufficiently Random Values
SHA1 implementation in JetBrains Ktor Native 2.0.0 was returning the same value. The issue was fixed in Ktor version 2.0.1.

CVE-2022-29811 | 4.8 - Medium | April 28, 2022 | XSS
In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible.

CVE-2022-29812 | 2.3 - Low | April 28, 2022
In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient.

CVE-2022-29813 | 6.7 - Medium | April 28, 2022 | Code Injection
In JetBrains IntelliJ IDEA before 2022.1 local code execution via custom Pandoc path was possible.

CVE-2022-29814 | 7.7 - High | April 28, 2022 | Code Injection
In JetBrains IntelliJ IDEA before 2022.1 local code execution via HTML descriptions in custom JSON schemas was possible.

CVE-2022-29815 | 6.7 - Medium | April 28, 2022 | Code Injection
In JetBrains IntelliJ IDEA before 2022.1 local code execution via workspace settings was possible.

CVE-2022-29816 | 3.3 - Low | April 28, 2022 | Injection
In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible.

CVE-2022-29817 | 6.1 - Medium | April 28, 2022 | XSS
In JetBrains IntelliJ IDEA before 2022.1 reflected XSS via error messages in internal web server was possible.
CVE-2022-29820 | 3.5 - Low | April 28, 2022 | Exposure of Resource to Wrong Sphere
In JetBrains PyCharm before 2022.1 exposure of the debugger port to the internal network was possible.

CVE-2022-29818 | 7.1 - High | April 28, 2022 | Origin Validation Error
In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed.

CVE-2022-29819 | 7.7 - High | April 28, 2022 | Code Injection
In JetBrains IntelliJ IDEA before 2022.1 local code execution via links in Quick Documentation was possible.

CVE-2022-29821 | 7.7 - High | April 28, 2022 | Code Injection
In JetBrains Rider before 2022.1 local code execution via links in ReSharper Quick Documentation was possible.

CVE-2022-29035 | 2.7 - Low | April 11, 2022 | Use of Insufficiently Random Values
In JetBrains Ktor Native before version 2.0.0 random values used for nonce generation weren't using SecureRandom implementations.

CVE-2022-28648 | 5.4 - Medium | April 05, 2022 | XSS
In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered.

CVE-2022-28649 | 5.4 - Medium | April 05, 2022 | Clickjacking
In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description.

CVE-2022-28651 | 5.5 - Medium | April 05, 2022 | Insufficiently Protected Credentials
In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords from protected fields.

CVE-2022-28650 | 5.4 - Medium | April 05, 2022 | XSS
In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI.

CVE-2022-25260 | 9.1 - Critical | February 25, 2022 | XSPA
JetBrains Hub before 2021.1.14276 was vulnerable to blind Server-Side Request Forgery (SSRF).

CVE-2022-25261 | 6.1 - Medium | February 25, 2022 | XSS
JetBrains TeamCity before 2021.2.2 was vulnerable to reflected XSS.
CVE-2022-25262 | 9.8 - Critical | February 25, 2022 | Authentication
In JetBrains Hub before 2022.1.14434, SAML request takeover was possible.

CVE-2022-25263 | 9.8 - Critical | February 25, 2022 | Shell injection
JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration.

CVE-2022-25264 | 7.5 - High | February 25, 2022 | Insecure Storage of Sensitive Information
In JetBrains TeamCity before 2021.2.3, environment variables of the "password" type could be logged in some cases.

CVE-2022-25259 | 6.1 - Medium | February 25, 2022 | XSS
JetBrains Hub before 2021.1.14276 was vulnerable to reflected XSS.

CVE-2022-24442 | 9.8 - Critical | February 25, 2022 | Injection
JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.

CVE-2022-24341 | 7.5 - High | February 25, 2022 | Insufficient Session Expiration
In JetBrains TeamCity before 2021.2.1, editing a user account to change its password didn't terminate sessions of the edited user.

CVE-2022-24347 | 5.4 - Medium | February 25, 2022 | XSS
JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon.

CVE-2022-24344 | 5.4 - Medium | February 25, 2022 | XSS
JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page.

CVE-2022-24343 | 4.3 - Medium | February 25, 2022 | Incorrect Default Permissions
In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions.

CVE-2022-24342 | 8.8 - High | February 25, 2022 | Session Riding
In JetBrains TeamCity before 2021.2.1, URL injection leading to CSRF was possible.
CVE-2022-24340 | 9.8 - Critical | February 25, 2022 | XXE
In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible.

CVE-2022-24339 | 5.4 - Medium | February 25, 2022 | XSS
JetBrains TeamCity before 2021.2.1 was vulnerable to stored XSS.

CVE-2022-24338 | 6.1 - Medium | February 25, 2022 | XSS
JetBrains TeamCity before 2021.2.1 was vulnerable to reflected XSS.

CVE-2022-24337 | 6.5 - Medium | February 25, 2022 | Incorrect Default Permissions
In JetBrains TeamCity before 2021.2, health items of pull requests were shown to users who lacked appropriate permissions.

CVE-2022-24336 | 5.3 - Medium | February 25, 2022 | Exposure of Resource to Wrong Sphere
In JetBrains TeamCity before 2021.2.1, an unauthenticated attacker can cancel running builds via an XML-RPC request to the TeamCity server.

CVE-2022-24334 | 5.3 - Medium | February 25, 2022
In JetBrains TeamCity before 2021.2.1, the Agent Push feature allowed selection of any private key on the server.

CVE-2022-24335 | 8.1 - High | February 25, 2022 | TOCTTOU
JetBrains TeamCity before 2021.2 was vulnerable to a Time-of-check/Time-of-use (TOCTOU) race-condition attack in agent registration via XML-RPC.

CVE-2021-45977 | 9.8 - Critical | February 25, 2022
JetBrains IntelliJ IDEA 2021.3.1 Preview, IntelliJ IDEA 2021.3.1 RC, PyCharm Professional 2021.3.1 RC, GoLand 2021.3.1, PhpStorm 2021.3.1 Preview, PhpStorm 2021.3.1 RC, RubyMine 2021.3.1 Preview, RubyMine 2021.3.1 RC, CLion 2021.3.1, WebStorm 2021.3.1 Preview, and WebStorm 2021.3.1 RC (used as Remote Development backend IDEs) bind to the 0.0.0.0 IP address. The fixed versions are: IntelliJ IDEA 2021.3.1, PyCharm Professional 2021.3.1, GoLand 2021.3.2, PhpStorm 2021.3.1 (213.6461.83), RubyMine 2021.3.1, CLion 2021.3.2, and WebStorm 2021.3.1.

CVE-2022-24329 | 5.3 - Medium | February 25, 2022 | Improper Locking
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
CVE-2022-24331 | 9.8 - Critical | February 25, 2022 | Authentication
In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible.

CVE-2022-24332 | 5.3 - Medium | February 25, 2022 | Insufficient Session Expiration
In JetBrains TeamCity before 2021.2, a logout action didn't remove a Remember Me cookie.

CVE-2022-24333 | 6.5 - Medium | February 25, 2022 | XSPA
In JetBrains TeamCity before 2021.2, blind SSRF via an XML-RPC call was possible.

CVE-2022-24345 | 7.8 - High | February 25, 2022
In JetBrains IntelliJ IDEA before 2021.2.4, local code execution (without permission from a user) upon opening a project was possible.

CVE-2022-24346 | 7.8 - High | February 25, 2022
In JetBrains IntelliJ IDEA before 2021.3.1, local code execution via RLO (Right-to-Left Override) characters was possible.

CVE-2022-24327 | 7.5 - High | February 25, 2022 | Incorrect Permission Assignment for Critical Resource
In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions.

CVE-2022-24328 | 6.5 - Medium | February 25, 2022
In JetBrains Hub before 2021.1.13956, an unprivileged user could perform DoS.

CVE-2022-24330 | 6.1 - Medium | February 25, 2022 | Open Redirect
In JetBrains TeamCity before 2021.2.1, a redirection to an external site was possible.

CVE-2021-43202 | 9.8 - Critical | November 30, 2021
In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases.
CVE-2021-43180 | 7.5 - High | November 09, 2021
In JetBrains Hub before 2021.1.13690, information disclosure via avatar metadata is possible.

CVE-2021-43181 | 6.1 - Medium | November 09, 2021 | XSS
In JetBrains Hub before 2021.1.13690, stored XSS is possible.

CVE-2021-43182 | 7.5 - High | November 09, 2021
In JetBrains Hub before 2021.1.13415, a DoS via user information is possible.

CVE-2021-43183 | 9.8 - Critical | November 09, 2021
In JetBrains Hub before 2021.1.13690, the authentication throttling mechanism could be bypassed.

CVE-2021-43184 | 5.4 - Medium | November 09, 2021 | XSS
In JetBrains YouTrack before 2021.3.21051, stored XSS is possible.

CVE-2021-43185 | 9.8 - Critical | November 09, 2021 | Injection
JetBrains YouTrack before 2021.3.23639 is vulnerable to Host header injection.

CVE-2021-43193 | 9.8 - Critical | November 09, 2021
In JetBrains TeamCity before 2021.1.2, remote code execution via the agent push functionality is possible.

CVE-2021-43194 | 5.3 - Medium | November 09, 2021
In JetBrains TeamCity before 2021.1.2, user enumeration was possible.

CVE-2021-43203 | 7.5 - High | November 09, 2021 | Authentication
In JetBrains Ktor before 1.6.4, nonce verification during the OAuth2 authentication process is implemented improperly.
CVE-2021-43186 | 5.4 - Medium | November 09, 2021 | XSS
JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS.

CVE-2021-43195 | 5.3 - Medium | November 09, 2021
In JetBrains TeamCity before 2021.1.2, some HTTP security headers were missing.

CVE-2021-43196 | 7.5 - High | November 09, 2021
In JetBrains TeamCity before 2021.1, information disclosure via the Docker Registry connection dialog is possible.

CVE-2021-43197 | 6.1 - Medium | November 09, 2021 | XSS
In JetBrains TeamCity before 2021.1.2, email notifications could include unescaped HTML for XSS.

CVE-2021-43198 | 5.4 - Medium | November 09, 2021 | XSS
In JetBrains TeamCity before 2021.1.2, stored XSS is possible.

CVE-2021-43199 | 5.3 - Medium | November 09, 2021 | Incorrect Default Permissions
In JetBrains TeamCity before 2021.1.2, permission checks in the Create Patch functionality are insufficient.

CVE-2021-43200 | 9.8 - Critical | November 09, 2021
In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient.

CVE-2021-43201 | 5.3 - Medium | November 09, 2021
In JetBrains TeamCity before 2021.1.3, a newly created project could take settings from an already deleted project.

CVE-2021-36209 | 9.8 - Critical | August 06, 2021 | Weak Password Recovery Mechanism for Forgotten Password
In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset.

CVE-2021-37540 | 6.5 - Medium | August 06, 2021 | Inadequate Encryption Strength
In JetBrains Hub before 2021.1.13262, a potentially insufficient CSP for the Widget deployment feature was used.

CVE-2021-37541 | 6.1 - Medium | August 06, 2021 | Injection
In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible.

CVE-2021-37542 | 6.1 - Medium | August 06, 2021 | XSS
In JetBrains TeamCity before 2020.2.3, XSS was possible.

CVE-2021-37548 | 7.5 - High | August 06, 2021 | Cleartext Storage of Sensitive Information
In JetBrains TeamCity before 2021.1, passwords in cleartext sometimes could be stored in VCS.