JetBrains Creators of IntelliJ IDEA, ReSharper, PyCharm, TeamCity, Kotlin
Known Exploited JetBrains Vulnerabilities
The following JetBrains vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
Title | Description | Added |
---|---|---|
JetBrains TeamCity Authentication Bypass Vulnerability | JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions. CVE-2024-27198 Exploit Probability: 97.0% | March 7, 2024 |
JetBrains TeamCity Authentication Bypass Vulnerability | JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server. CVE-2023-42793 Exploit Probability: 97.5% | October 4, 2023 |
Of the known exploited vulnerabilities above, 2 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.
By the Year
In 2025 there have been 0 vulnerabilities in JetBrains. Last year, in 2024, JetBrains had 93 security vulnerabilities published. Right now, JetBrains is on track to have fewer security vulnerabilities in 2025 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 93 | 6.07 |
2023 | 53 | 6.56 |
2022 | 73 | 6.45 |
2021 | 88 | 6.66 |
2020 | 57 | 6.52 |
2019 | 57 | 7.08 |
2018 | 1 | 7.80 |
It may take a day or so for new JetBrains vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent JetBrains Security Vulnerabilities
JetBrains TeamCity Improper Access Control Vulnerability in Agent Details
CVE-2024-56348
4.3 - Medium
- December 20, 2024
In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents
AuthZ
JetBrains TeamCity Improper Access Control Vulnerability in Build Logs
CVE-2024-56349
5.3 - Medium
- December 20, 2024
In JetBrains TeamCity before 2024.12 improper access control allowed unauthorized users to modify build logs
AuthZ
JetBrains TeamCity Unauthorized Project Viewing Vulnerability
CVE-2024-56350
4.3 - Medium
- December 20, 2024
In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects
AuthZ
JetBrains TeamCity Access Token Revocation Failure
CVE-2024-56351
8.8 - High
- December 20, 2024
In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles
Insufficient Session Expiration
JetBrains TeamCity Stored XSS Vulnerability in Agent Details Page
CVE-2024-56352
5.4 - Medium
- December 20, 2024
In JetBrains TeamCity before 2024.12 stored XSS was possible via image name on the agent details page
XSS
JetBrains TeamCity Backup File Exposure Vulnerability
CVE-2024-56353
6.5 - Medium
- December 20, 2024
In JetBrains TeamCity before 2024.12 backup file exposed user credentials and session cookies
Improper Removal of Sensitive Information Before Storage or Transfer
JetBrains TeamCity Password Field Access Vulnerability
CVE-2024-56354
4.9 - Medium
- December 20, 2024
In JetBrains TeamCity before 2024.12 password field values were accessible to users with view settings permission
Insufficiently Protected Credentials
JetBrains TeamCity RemoteBuildLogController XSS Vulnerability
CVE-2024-56355
5.4 - Medium
- December 20, 2024
In JetBrains TeamCity before 2024.12 missing Content-Type header in RemoteBuildLogController response could lead to XSS
XSS
JetBrains TeamCity XMLParser XXE Vulnerability
CVE-2024-56356
7.1 - High
- December 20, 2024
In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack
XXE
JetBrains YouTrack Punycode Encoding Spoofing Vulnerability
CVE-2024-54158
- December 04, 2024
In JetBrains YouTrack before 2024.3.52635 potential spoofing attack was possible via lack of Punycode encoding
Improper Handling of Alternate Encoding
JetBrains YouTrack Ruby Syntax Detector ReDoS Vulnerability
CVE-2024-54157
- December 04, 2024
In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector
ReDoS
JetBrains YouTrack Multiple Merge Functions Prototype Pollution Vulnerability
CVE-2024-54156
- December 04, 2024
In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution attack
Prototype Pollution
JetBrains YouTrack Improper Access Control Vulnerability in Project Listing
CVE-2024-54155
- December 04, 2024
In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication
AuthZ
JetBrains YouTrack Path Traversal Vulnerability in Plugin Sandbox
CVE-2024-54154
- December 04, 2024
In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox
Relative Path Traversal
JetBrains YouTrack Unauthenticated Database Backup Download Vulnerability
CVE-2024-54153
- December 04, 2024
In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via vulnerable query parameter
AuthZ
JetBrains WebStorm Untrusted Project Mode Code Execution Vulnerability
CVE-2024-52555
- November 15, 2024
In JetBrains WebStorm before 2024.3 code execution in Untrusted Project mode was possible via type definitions installer script
Acceptance of Extraneous Untrusted Data With Trusted Data
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements
CVE-2024-50582
5.4 - Medium
- October 28, 2024
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements
XSS
In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack
CVE-2024-50581
5.4 - Medium
- October 28, 2024
In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag
XSS
In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule
CVE-2024-50580
5.4 - Medium
- October 28, 2024
In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule
XSS
In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible
CVE-2024-50579
6.1 - Medium
- October 28, 2024
In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible
XSS
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible
CVE-2024-50578
5.4 - Medium
- October 28, 2024
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page
XSS
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible
CVE-2024-50577
5.4 - Medium
- October 28, 2024
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings
XSS
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible
CVE-2024-50576
5.4 - Medium
- October 28, 2024
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest
XSS
In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API
CVE-2024-50575
6.1 - Medium
- October 28, 2024
In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API
XSS
In JetBrains YouTrack before 2024.3.47707 potential ReDoS exploit was possible
CVE-2024-50574
7.5 - High
- October 28, 2024
In JetBrains YouTrack before 2024.3.47707 potential ReDoS exploit was possible via email header parsing in Helpdesk functionality
ReDoS
In JetBrains Hub before 2024.3.47707 improper access control
CVE-2024-50573
5.4 - Medium
- October 28, 2024
In JetBrains Hub before 2024.3.47707 improper access control allowed users to generate permanent tokens for unauthorized services
AuthZ
In JetBrains Ktor before 2.3.13 improper caching in HttpCache Plugin could lead to response information disclosure
CVE-2024-49580
5.3 - Medium
- October 17, 2024
In JetBrains Ktor before 2.3.13 improper caching in HttpCache Plugin could lead to response information disclosure
Use of Cache Containing Sensitive Information
In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe
CVE-2024-49579
6.1 - Medium
- October 17, 2024
In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests
Improper Verification of Source of a Communication Channel
In JetBrains YouTrack before 2024.3.46677 improper access control
CVE-2024-48902
5.4 - Medium
- October 10, 2024
In JetBrains YouTrack before 2024.3.46677 improper access control allowed users with project update permission to delete applications via API
AuthZ
In JetBrains TeamCity before 2024.07.3 password could be exposed
CVE-2024-47161
6.5 - Medium
- October 08, 2024
In JetBrains TeamCity before 2024.07.3 password could be exposed via Sonar runner REST API
Insufficiently Protected Credentials
In JetBrains TeamCity before 2024.07.3 stored XSS was possible
CVE-2024-47951
5.4 - Medium
- October 08, 2024
In JetBrains TeamCity before 2024.07.3 stored XSS was possible via server global settings
XSS
In JetBrains TeamCity before 2024.07.3 stored XSS was possible in Backup configuration settings
CVE-2024-47950
5.4 - Medium
- October 08, 2024
In JetBrains TeamCity before 2024.07.3 stored XSS was possible in Backup configuration settings
XSS
In JetBrains TeamCity before 2024.07.3 path traversal
CVE-2024-47949
7.5 - High
- October 08, 2024
In JetBrains TeamCity before 2024.07.3 path traversal allowed backup file write to arbitrary location
Directory traversal
In JetBrains TeamCity before 2024.07.3 path traversal leading to information disclosure was possible
CVE-2024-47948
7.5 - High
- October 08, 2024
In JetBrains TeamCity before 2024.07.3 path traversal leading to information disclosure was possible via server backups
Directory traversal
In JetBrains YouTrack before 2024.3.44799 token could be revealed on Imports page
CVE-2024-47162
5.3 - Medium
- September 19, 2024
In JetBrains YouTrack before 2024.3.44799 token could be revealed on Imports page
Insufficiently Protected Credentials
In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible
CVE-2024-47160
5.3 - Medium
- September 19, 2024
In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible
AuthZ
In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project
CVE-2024-47159
4.3 - Medium
- September 19, 2024
In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project
AuthZ
In JetBrains IntelliJ IDEA before 2024.1 HTML injection
CVE-2024-46970
6.1 - Medium
- September 16, 2024
In JetBrains IntelliJ IDEA before 2024.1 HTML injection via the project name was possible
XSS
In JetBrains TeamCity before 2024.07.1 reflected XSS was possible in the AWS Core plugin
CVE-2024-43810
5.4 - Medium
- August 16, 2024
In JetBrains TeamCity before 2024.07.1 reflected XSS was possible in the AWS Core plugin
XSS
In JetBrains TeamCity before 2024.07.1 reflected XSS was possible on the agentPushPreset page
CVE-2024-43809
6.1 - Medium
- August 16, 2024
In JetBrains TeamCity before 2024.07.1 reflected XSS was possible on the agentPushPreset page
XSS
In JetBrains TeamCity before 2024.07.1 self XSS was possible in the HashiCorp Vault plugin
CVE-2024-43808
5.4 - Medium
- August 16, 2024
In JetBrains TeamCity before 2024.07.1 self XSS was possible in the HashiCorp Vault plugin
XSS
In JetBrains TeamCity before 2024.07.1 multiple stored XSS were possible on Clouds page
CVE-2024-43807
5.4 - Medium
- August 16, 2024
In JetBrains TeamCity before 2024.07.1 multiple stored XSS were possible on Clouds page
XSS
In JetBrains TeamCity before 2024.07.1 possible privilege escalation due to incorrect directory permissions
CVE-2024-43114
7.8 - High
- August 06, 2024
In JetBrains TeamCity before 2024.07.1 possible privilege escalation due to incorrect directory permissions
Incorrect Default Permissions
In JetBrains TeamCity before 2024.07 comparison of authorization tokens took non-constant time
CVE-2024-41828
6.5 - Medium
- July 22, 2024
In JetBrains TeamCity before 2024.07 comparison of authorization tokens took non-constant time
In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration
CVE-2024-41827
9.8 - Critical
- July 22, 2024
In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration
Insufficient Session Expiration
In JetBrains TeamCity before 2024.07 stored XSS was possible on Show Connection page
CVE-2024-41826
4.8 - Medium
- July 22, 2024
In JetBrains TeamCity before 2024.07 stored XSS was possible on Show Connection page
XSS
In JetBrains TeamCity before 2024.07 stored XSS was possible on the Code Inspection tab
CVE-2024-41825
5.4 - Medium
- July 22, 2024
In JetBrains TeamCity before 2024.07 stored XSS was possible on the Code Inspection tab
XSS
In JetBrains TeamCity before 2024.07 parameters of the "password" type could leak into the build log in some specific cases
CVE-2024-41824
6.5 - Medium
- July 22, 2024
In JetBrains TeamCity before 2024.07 parameters of the "password" type could leak into the build log in some specific cases
Insertion of Sensitive Information into Log File
In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen
CVE-2024-41829
7.5 - High
- July 22, 2024
In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen via Space Application connection
Authentication
In JetBrains TeamCity before 2024.03.3 application token could be exposed in EC2 Cloud Profile settings
CVE-2024-39879
5.3 - Medium
- July 01, 2024
In JetBrains TeamCity before 2024.03.3 application token could be exposed in EC2 Cloud Profile settings
Insufficiently Protected Credentials
In JetBrains TeamCity before 2024.03.3 private key could be exposed
CVE-2024-39878
5.3 - Medium
- July 01, 2024
In JetBrains TeamCity before 2024.03.3 private key could be exposed via testing GitHub App Connection
Insufficiently Protected Credentials
In JetBrains Hub before 2024.2.34646 stored XSS
CVE-2024-38507
5.4 - Medium
- June 18, 2024
In JetBrains Hub before 2024.2.34646 stored XSS via project description was possible
XSS
In JetBrains YouTrack before 2024.2.34646 user without appropriate permissions could enable the auto-attach option for workflows
CVE-2024-38506
8.1 - High
- June 18, 2024
In JetBrains YouTrack before 2024.2.34646 user without appropriate permissions could enable the auto-attach option for workflows
AuthZ
In JetBrains YouTrack before 2024.2.34646 user access token was sent to the third-party site
CVE-2024-38505
7.5 - High
- June 18, 2024
In JetBrains YouTrack before 2024.2.34646 user access token was sent to the third-party site
Insufficiently Protected Credentials
In JetBrains YouTrack before 2024.2.34646 the Guest User Account was enabled for attaching files to articles
CVE-2024-38504
5.3 - Medium
- June 18, 2024
In JetBrains YouTrack before 2024.2.34646 the Guest User Account was enabled for attaching files to articles
AuthZ
GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7
CVE-2024-37051
7.5 - High
- June 10, 2024
GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4
Insufficiently Protected Credentials
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS
CVE-2024-36369
5.4 - Medium
- May 29, 2024
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via issue tracker integration was possible
XSS
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 path traversal
CVE-2024-36362
6.5 - Medium
- May 29, 2024
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 path traversal allowing files to be read from the server was possible
Directory traversal
In JetBrains TeamCity before 2022.04.7
CVE-2024-36363
5.4 - Medium
- May 29, 2024
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 several Stored XSS in code inspection reports were possible
XSS
In JetBrains TeamCity before 2022.04.7
CVE-2024-36364
6.5 - Medium
- May 29, 2024
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 improper access control in Pull Requests and Commit status publisher build features was possible
AuthZ
In JetBrains TeamCity before 2022.04.7
CVE-2024-36365
8.1 - High
- May 29, 2024
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 a third-party agent could impersonate a cloud agent
AuthZ
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 an XSS could be executed
CVE-2024-36366
6.1 - Medium
- May 29, 2024
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 an XSS could be executed via certain report grouping and filtering operations
XSS
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS
CVE-2024-36367
6.1 - Medium
- May 29, 2024
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via third-party reports was possible
XSS
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 reflected XSS
CVE-2024-36368
5.4 - Medium
- May 29, 2024
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 reflected XSS via OAuth provider configuration was possible
XSS
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS
CVE-2024-36370
5.4 - Medium
- May 29, 2024
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via OAuth connection settings was possible
XSS
In JetBrains TeamCity between 2024.03 and 2024.03.1 several stored XSS in the available updates page were possible
CVE-2024-35300
6.1 - Medium
- May 16, 2024
In JetBrains TeamCity between 2024.03 and 2024.03.1 several stored XSS in the available updates page were possible
XSS
In JetBrains TeamCity before 2024.03.1 commit status publisher didn't check project scope of the GitHub App token
CVE-2024-35301
5.5 - Medium
- May 16, 2024
In JetBrains TeamCity before 2024.03.1 commit status publisher didn't check project scope of the GitHub App token
In JetBrains TeamCity before 2023.11 stored XSS during restore
CVE-2024-35302
6.1 - Medium
- May 16, 2024
In JetBrains TeamCity before 2023.11 stored XSS during restore from backup was possible
XSS
In JetBrains TeamCity before 2024.03 XSS was possible
CVE-2024-31138
5.4 - Medium
- March 28, 2024
In JetBrains TeamCity before 2024.03 XSS was possible via Agent Distribution settings
XSS
In JetBrains TeamCity before 2024.03 reflected XSS was possible
CVE-2024-31137
6.1 - Medium
- March 28, 2024
In JetBrains TeamCity before 2024.03 reflected XSS was possible via Space connection configuration
XSS
In JetBrains TeamCity before 2024.03 open redirect was possible on the login page
CVE-2024-31135
6.1 - Medium
- March 28, 2024
In JetBrains TeamCity before 2024.03 open redirect was possible on the login page
Open Redirect
In JetBrains TeamCity before 2024.03 authenticated users without administrative permissions could register other users when self-registration was disabled
CVE-2024-31134
6.5 - Medium
- March 28, 2024
In JetBrains TeamCity before 2024.03 authenticated users without administrative permissions could register other users when self-registration was disabled
AuthZ
In JetBrains TeamCity before 2024.03 2FA could be bypassed by providing a special URL parameter
CVE-2024-31136
7.4 - High
- March 28, 2024
In JetBrains TeamCity before 2024.03 2FA could be bypassed by providing a special URL parameter
In JetBrains TeamCity before 2024.03 XXE was possible in the Maven build steps detector
CVE-2024-31139
8.1 - High
- March 28, 2024
In JetBrains TeamCity before 2024.03 XXE was possible in the Maven build steps detector
XXE
In JetBrains TeamCity before 2024.03 server administrators could remove arbitrary files
CVE-2024-31140
4.9 - Medium
- March 28, 2024
In JetBrains TeamCity before 2024.03 server administrators could remove arbitrary files from the server by installing tools
In JetBrains TeamCity before 2023.11 users with access to the agent machine might obtain permissions of the user running the agent process
CVE-2024-29880
7.8 - High
- March 21, 2024
In JetBrains TeamCity before 2023.11 users with access to the agent machine might obtain permissions of the user running the agent process
In JetBrains YouTrack before 2024.1.25893 creating comments on behalf of an arbitrary user in HelpDesk was possible
CVE-2024-28228
5.3 - Medium
- March 07, 2024
In JetBrains YouTrack before 2024.1.25893 creating comments on behalf of an arbitrary user in HelpDesk was possible
Authentication Bypass by Spoofing
In JetBrains YouTrack before 2024.1.25893 user without appropriate permissions could restore issues and articles
CVE-2024-28229
6.5 - Medium
- March 07, 2024
In JetBrains YouTrack before 2024.1.25893 user without appropriate permissions could restore issues and articles
AuthZ
In JetBrains YouTrack before 2024.1.25893 attaching/detaching workflow to a project was possible without project admin permissions
CVE-2024-28230
6.5 - Medium
- March 07, 2024
In JetBrains YouTrack before 2024.1.25893 attaching/detaching workflow to a project was possible without project admin permissions
AuthZ
In JetBrains TeamCity between 2023.11 and 2023.11.4 custom build parameters of the "password" type could be disclosed
CVE-2024-28173
4.3 - Medium
- March 06, 2024
In JetBrains TeamCity between 2023.11 and 2023.11.4 custom build parameters of the "password" type could be disclosed
In JetBrains TeamCity before 2023.11.4 presigned URL generation requests in S3 Artifact Storage plugin were authorized improperly
CVE-2024-28174
5.8 - Medium
- March 06, 2024
In JetBrains TeamCity before 2023.11.4 presigned URL generation requests in S3 Artifact Storage plugin were authorized improperly
AuthZ
In JetBrains TeamCity before 2023.11.4 path traversal
CVE-2024-27199
7.3 - High
- March 04, 2024
In JetBrains TeamCity before 2023.11.4 path traversal allowing limited admin actions to be performed was possible
Directory traversal
In JetBrains TeamCity before 2023.11.4 authentication bypass
CVE-2024-27198
9.8 - Critical
- March 04, 2024
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing admin actions to be performed was possible
In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible
CVE-2024-23917
9.8 - Critical
- February 06, 2024
In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible
Missing Authentication for Critical Function
In JetBrains TeamCity before 2023.11.2 access control at the S3 Artifact Storage plugin endpoint was missed
CVE-2024-24936
5.3 - Medium
- February 06, 2024
In JetBrains TeamCity before 2023.11.2 access control at the S3 Artifact Storage plugin endpoint was missed
In JetBrains TeamCity before 2023.11.2 stored XSS
CVE-2024-24937
5.4 - Medium
- February 06, 2024
In JetBrains TeamCity before 2023.11.2 stored XSS via agent distribution was possible
XSS
In JetBrains TeamCity before 2023.11.2 limited directory traversal was possible in the Kotlin DSL documentation
CVE-2024-24938
5.3 - Medium
- February 06, 2024
In JetBrains TeamCity before 2023.11.2 limited directory traversal was possible in the Kotlin DSL documentation
Directory traversal
In JetBrains Rider before 2023.3.3 logging of environment variables containing secret values was possible
CVE-2024-24939
5.3 - Medium
- February 06, 2024
In JetBrains Rider before 2023.3.3 logging of environment variables containing secret values was possible
Insertion of Sensitive Information into Log File
In JetBrains IntelliJ IDEA before 2023.3.3 a plugin for JetBrains Space was able to send an authentication token to an inappropriate URL
CVE-2024-24941
5.3 - Medium
- February 06, 2024
In JetBrains IntelliJ IDEA before 2023.3.3 a plugin for JetBrains Space was able to send an authentication token to an inappropriate URL
Improper Input Validation
In JetBrains TeamCity before 2023.11.3 path traversal
CVE-2024-24942
5.3 - Medium
- February 06, 2024
In JetBrains TeamCity before 2023.11.3 path traversal allowed reading data within JAR archives
Directory traversal
In JetBrains Toolbox App before 2.2 a DoS attack was possible
CVE-2024-24943
5.5 - Medium
- February 06, 2024
In JetBrains Toolbox App before 2.2 a DoS attack was possible via a malicious SVG image
Resource Exhaustion
In JetBrains IntelliJ IDEA before 2023.3.3 path traversal was possible when unpacking archives
CVE-2024-24940
4.3 - Medium
- February 06, 2024
In JetBrains IntelliJ IDEA before 2023.3.3 path traversal was possible when unpacking archives
Directory traversal
In JetBrains YouTrack before 2023.3.22666 stored XSS
CVE-2024-22370
5.4 - Medium
- January 09, 2024
In JetBrains YouTrack before 2023.3.22666 stored XSS via markdown was possible
XSS
In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode
CVE-2023-51655
9.8 - Critical
- December 21, 2023
In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin repository specified in the project configuration
Insufficient Verification of Data Authenticity
In JetBrains YouTrack before 2023.3.22268 authorization check for inline comments inside thread replies was missed
CVE-2023-50871
4.3 - Medium
- December 15, 2023
In JetBrains YouTrack before 2023.3.22268 authorization check for inline comments inside thread replies was missed
In JetBrains TeamCity before 2023.11.1 a CSRF on login was possible
CVE-2023-50870
8.8 - High
- December 15, 2023
In JetBrains TeamCity before 2023.11.1 a CSRF on login was possible
Session Riding
In JetBrains Ktor before 2.3.5 default configuration of ContentNegotiation with XML format was vulnerable to XXE
CVE-2023-45612
9.8 - Critical
- October 09, 2023
In JetBrains Ktor before 2.3.5 default configuration of ContentNegotiation with XML format was vulnerable to XXE
XXE
In JetBrains Ktor before 2.3.5 server certificates were not verified
CVE-2023-45613
9.1 - Critical
- October 09, 2023
In JetBrains Ktor before 2.3.5 server certificates were not verified
Improper Certificate Validation
In JetBrains TeamCity before 2023.05.4 stored XSS was possible during nodes configuration
CVE-2023-43566
5.4 - Medium
- September 19, 2023
In JetBrains TeamCity before 2023.05.4 stored XSS was possible during nodes configuration
XSS
In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
CVE-2023-42793
9.8 - Critical
- September 19, 2023
In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
Missing Authentication for Critical Function