JetBrains Hub
By the Year
In 2023 there have been 2 vulnerabilities in JetBrains Hub with an average score of 7.6 out of ten. Last year Hub had 8 security vulnerabilities published. Right now, Hub is on track to have fewer security vulnerabilities in 2023 than it did last year. However, the average CVE base score of the vulnerabilities in 2023 is greater by 0.53.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 2 | 7.60 |
2022 | 8 | 7.08 |
2021 | 11 | 7.15 |
2020 | 1 | 7.50 |
2019 | 3 | 5.93 |
2018 | 0 | 0.00 |
It may take a day or so for new Hub vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent JetBrains Hub Security Vulnerabilities
CVE | Score | Published | Description | Weakness |
---|---|---|---|---|
CVE-2022-48477 | 9.8 - Critical | April 24, 2023 | In JetBrains Hub before 2023.1.15725 SSRF protection in Auth Module integration was missing. | XSPA |
CVE-2022-48429 | 5.4 - Medium | March 27, 2023 | In JetBrains Hub before 2022.3.15573, 2022.2.15572, 2022.1.15583 reflected XSS in dashboards was possible. | XSS |
CVE-2022-45471 | 7.5 - High | November 18, 2022 | In JetBrains Hub before 2022.3.15181 Throttling was missed when sending emails to a particular email address. | Allocation of Resources Without Limits or Throttling |
CVE-2022-34894 | 5.3 - Medium | July 01, 2022 | In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services. | |
CVE-2022-29811 | 4.8 - Medium | April 28, 2022 | In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible. | XSS |
CVE-2022-25260 | 9.1 - Critical | February 25, 2022 | JetBrains Hub before 2021.1.14276 was vulnerable to blind Server-Side Request Forgery (SSRF). | XSPA |
CVE-2022-25262 | 9.8 - Critical | February 25, 2022 | In JetBrains Hub before 2022.1.14434, SAML request takeover was possible. | Insufficient Verification of Data Authenticity |
CVE-2022-25259 | 6.1 - Medium | February 25, 2022 | JetBrains Hub before 2021.1.14276 was vulnerable to reflected XSS. | XSS |
CVE-2022-24327 | 7.5 - High | February 25, 2022 | In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions. | Incorrect Permission Assignment for Critical Resource |
CVE-2022-24328 | 6.5 - Medium | February 25, 2022 | In JetBrains Hub before 2021.1.13956, an unprivileged user could perform DoS. | |
CVE-2021-43181 | 6.1 - Medium | November 09, 2021 | In JetBrains Hub before 2021.1.13690, stored XSS is possible. | XSS |
CVE-2021-43180 | 7.5 - High | November 09, 2021 | In JetBrains Hub before 2021.1.13690, information disclosure via avatar metadata is possible. | |
CVE-2021-43182 | 7.5 - High | November 09, 2021 | In JetBrains Hub before 2021.1.13415, a DoS via user information is possible. | |
CVE-2021-43183 | 9.8 - Critical | November 09, 2021 | In JetBrains Hub before 2021.1.13690, the authentication throttling mechanism could be bypassed. | |
CVE-2021-36209 | 9.8 - Critical | August 06, 2021 | In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset. | Weak Password Recovery Mechanism for Forgotten Password |
CVE-2021-37540 | 6.5 - Medium | August 06, 2021 | In JetBrains Hub before 2021.1.13262, a potentially insufficient CSP for the Widget deployment feature was used. | |
CVE-2021-37541 | 6.1 - Medium | August 06, 2021 | In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible. | Injection |
CVE-2021-31901 | 7.5 - High | May 11, 2021 | In JetBrains Hub before 2021.1.13079, two-factor authentication wasn't enabled properly for the All Users group. | |
CVE-2021-25760 | 5.3 - Medium | February 03, 2021 | In JetBrains Hub before 2020.1.12669, information disclosure via the public API was possible. | Information Disclosure |
CVE-2021-25759 | 6.5 - Medium | February 03, 2021 | In JetBrains Hub before 2020.1.12629, an authenticated user can delete 2FA settings of any other user. | |
CVE-2021-25757 | 6.1 - Medium | February 03, 2021 | In JetBrains Hub before 2020.1.12629, an open redirect was possible. | Open Redirect |
CVE-2020-11691 | 7.5 - High | April 22, 2020 | In JetBrains Hub before 2020.1.12099, content spoofing in the Hub OAuth error message was possible. | Improper Input Validation |
CVE-2019-18360 | 5.3 - Medium | October 31, 2019 | In JetBrains Hub versions earlier than 2019.1.11738, username enumeration was possible through password recovery. | Information Disclosure |
CVE-2019-14955 | 5.3 - Medium | October 01, 2019 | In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password and no password expiration policy was implemented. | Weak Password Recovery Mechanism for Forgotten Password |
CVE-2019-12847 | 7.2 - High | July 03, 2019 | In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user. It is only relevant in cases where a password has not changed since 2017, and if the audit log still contains events from before that period. | Insufficiently Protected Credentials |