Jetbrains : Security Vulnerabilities Published In 2019

Columns: #, CVE ID, CWE ID, vulnerability type(s), publish date, update date, CVSS score, gained access level, access vector, access complexity, authentication, and confidentiality / integrity / availability impact. The "# of Exploits" column is empty for every entry on this page.

1. CVE-2019-16407 | CWE-426 | Published 2019-10-02 | Updated 2019-10-09 | Score 4.4
   Gained access: None | Access: Local | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
   JetBrains ReSharper installers for versions before 2019.2 had a DLL Hijacking vulnerability.

2. CVE-2019-16171 | CWE-79 | Type: XSS | Published 2019-10-02 | Updated 2019-10-03 | Score 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   In JetBrains YouTrack through 2019.2.56594, stored XSS was found on the issue page.

3. CVE-2019-15848 | CWE-79 | Type: XSS | Published 2019-09-05 | Updated 2019-09-18 | Score 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   JetBrains TeamCity 2019.1 and 2019.1.1 allows cross-site scripting (XSS), potentially making it possible to send an arbitrary HTTP request to a TeamCity server under the name of the currently logged-in user.

4. CVE-2019-15042 | CWE-295 | Published 2019-10-01 | Updated 2019-10-07 | Score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   An issue was discovered in JetBrains TeamCity 2018.2.4. It had no SSL certificate validation for some external https connections. This was fixed in TeamCity 2019.1.

5. CVE-2019-15041 | CWE-601 | Published 2019-10-01 | Updated 2019-10-08 | Score 5.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/None
   JetBrains YouTrack versions before 2019.1.52545 allowed unbounded URL whitelisting because of Inclusion of Functionality from an Untrusted Control Sphere.

6. CVE-2019-15040 | CWE-352 | Type: CSRF | Published 2019-10-02 | Updated 2019-10-03 | Score 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
   JetBrains YouTrack versions before 2019.1 had a CSRF vulnerability on the settings page.

7. CVE-2019-15039 | CWE-20 | Type: Exec Code | Published 2019-10-01 | Updated 2019-10-03 | Score 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
   An issue was discovered in JetBrains TeamCity 2018.2.4. It had a possible remote code execution issue. This was fixed in TeamCity 2018.2.5 and 2019.1.

8. CVE-2019-15038 | CWE-20 | Published 2019-10-01 | Updated 2019-10-08 | Score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   An issue was discovered in JetBrains TeamCity 2018.2.4. The TeamCity server was not using some security-related HTTP headers. The issue was fixed in TeamCity 2019.1.

9. CVE-2019-15037 | CWE-79 | Type: XSS | Published 2019-10-02 | Updated 2019-10-03 | Score 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
   An issue was discovered in JetBrains TeamCity 2018.2.4. It had several XSS vulnerabilities on the settings pages. The issues were fixed in TeamCity 2019.1.

10. CVE-2019-15036 | CWE-78 | Type: Exec Code | Published 2019-10-02 | Updated 2019-10-03 | Score 9.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Complete/Complete/Complete
    An issue was discovered in JetBrains TeamCity 2018.2.4. A TeamCity Project administrator could execute any command on the server machine. The issue was fixed in TeamCity 2018.2.5 and 2019.1.

11. CVE-2019-15035 | CWE-200 | Type: +Info | Published 2019-10-01 | Updated 2019-10-08 | Score 4.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
    An issue was discovered in JetBrains TeamCity 2018.2.4. A TeamCity Project administrator could get access to potentially confidential server-level data. The issue was fixed in TeamCity 2018.2.5 and 2019.1.

12. CVE-2019-14960 | CWE-426 | Published 2019-10-01 | Updated 2019-10-08 | Score 4.6
    Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
    JetBrains Rider before 2019.1.2 was using an unsigned JetBrains.Rider.Unity.Editor.Plugin.Repacked.dll file.

13. CVE-2019-14959 | CWE-311 | Published 2019-10-02 | Updated 2019-10-04 | Score 4.3
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: Partial/None/None
    JetBrains Toolbox before 1.15.5605 was resolving an internal URL via a cleartext http connection.

14. CVE-2019-14958 | CWE-400 | Published 2019-10-02 | Updated 2019-10-08 | Score 5.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: None/None/Partial
    JetBrains PyCharm before 2019.2 was allocating a buffer of unknown size for one of the connection processes. In a very specific situation, it could lead to a remote invocation of an OOM error message because of Uncontrolled Memory Allocation.

15. CVE-2019-14957 | CWE-922 | Published 2019-10-01 | Updated 2019-10-08 | Score 5.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: Partial/None/None
    The JetBrains Vim plugin before version 0.52 was storing individual project data in the global vim_settings.xml file. This xml file could be synchronized to a publicly accessible GitHub repository.

16. CVE-2019-14956 | CWE-281 | Published 2019-10-02 | Updated 2019-10-03 | Score 4.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
    JetBrains YouTrack before 2019.2.53938 was using incorrect settings, allowing a user without necessary permissions to get other project names.

17. CVE-2019-14955 | CWE-640 | Published 2019-10-01 | Updated 2019-10-08 | Score 5.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
    In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password and no password expiration policy was implemented.

18. CVE-2019-14954 | CWE-311 | Published 2019-10-01 | Updated 2019-10-08 | Score 4.3
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: Partial/None/None
    JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plantuml artifact download link via a cleartext http connection.

19. CVE-2019-14953 | CWE-79 | Type: XSS | Published 2019-10-01 | Updated 2019-10-02 | Score 4.3
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
    JetBrains YouTrack versions before 2019.2.53938 had a possible XSS through issue attachments when using the Firefox browser.

20. CVE-2019-14952 | CWE-79 | Type: XSS | Published 2019-10-01 | Updated 2019-10-02 | Score 4.3
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
    JetBrains YouTrack versions before 2019.1.52584 had a possible XSS in the issue titles.

21. CVE-2019-12867 | CWE-264 | Published 2019-07-03 | Updated 2019-07-10 | Score 7.5
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
    Certain actions could cause privilege escalation for issue attachments in JetBrains YouTrack. The issue was fixed in 2018.4.49168.

22. CVE-2019-12866 | CWE-285 | Type: Bypass | Published 2019-07-03 | Updated 2019-07-10 | Score 7.5
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
    An Insecure Direct Object Reference, with Authorization Bypass through a User-Controlled Key, was possible in JetBrains YouTrack. The issue was fixed in 2018.4.49168.

23. CVE-2019-12852 | CWE-918 | Published 2019-07-03 | Updated 2019-07-10 | Score 7.5
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
    An SSRF attack was possible on a JetBrains YouTrack server. The issue (1 of 2) was fixed in JetBrains YouTrack 2018.4.49168.

24. CVE-2019-12851 | CWE-352 | Type: CSRF | Published 2019-07-03 | Updated 2019-07-10 | Score 6.8
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
    A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49852.

25. CVE-2019-12850 | CWE-89 | Type: Sql | Published 2019-07-03 | Updated 2019-07-10 | Score 7.5
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
    A query injection was possible in JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49168.

26. CVE-2019-12847 | CWE-255 | Published 2019-07-03 | Updated 2019-07-09 | Score 4.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: Partial/None/None
    In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user. It is only relevant in cases where a password has not changed since 2017, and if the audit log still contains events from before that period.

27. CVE-2019-12846 | CWE-264 | Published 2019-07-03 | Updated 2019-07-05 | Score 4.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Single system | Conf/Integ/Avail: None/Partial/None
    A user without the required permissions could gain access to some JetBrains TeamCity settings. The issue was fixed in TeamCity 2018.2.2.

28. CVE-2019-12845 | CWE-20 | Published 2019-07-03 | Updated 2019-07-05 | Score 5.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
    The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts. The issue was fixed in JetBrains TeamCity 2018.2.3.

29. CVE-2019-12844 | CWE-74 | Published 2019-07-03 | Updated 2019-07-10 | Score 4.3
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
    A possible stored JavaScript injection was detected on one of the JetBrains TeamCity pages. The issue was fixed in TeamCity 2018.2.3.

30. CVE-2019-12843 | CWE-74 | Published 2019-07-03 | Updated 2019-07-10 | Score 4.3
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
    A possible stored JavaScript injection requiring a deliberate server administrator action was detected. The issue was fixed in JetBrains TeamCity 2018.2.3.

31. CVE-2019-12842 | CWE-79 | Type: XSS | Published 2019-07-03 | Updated 2019-07-05 | Score 4.3
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
    A reflected XSS on a user page was detected on one of the JetBrains TeamCity pages. The issue was fixed in TeamCity 2018.2.2.

32. CVE-2019-12841 | CWE-20 | Published 2019-07-03 | Updated 2019-07-09 | Score 5.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: None/Partial/None
    Incorrect handling of user input in ZIP extraction was detected in JetBrains TeamCity. The issue was fixed in TeamCity 2018.2.2.

33. CVE-2019-12737 | CWE-916 | Published 2019-10-02 | Updated 2019-10-08 | Score 5.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: Partial/None/None
    UserHashedTableAuth in JetBrains Ktor framework before 1.2.0-rc uses a One-Way Hash with a Predictable Salt for storing user credentials.

34. CVE-2019-12736 | CWE-20 | Published 2019-10-02 | Updated 2019-10-04 | Score 7.5
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
    JetBrains Ktor framework before 1.2.0-rc does not sanitize the username provided by the user for the LDAP protocol, leading to command injection.

35. CVE-2019-12157 | CWE-74 | Published 2019-10-02 | Updated 2019-10-08 | Score 10.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: Complete/Complete/Complete
    In JetBrains TeamCity versions before 2018.2.5 and UpSource versions before 2018.2 build 1293, improper validation of user input for one of the fields could lead to Command Injection.

36. CVE-2019-12156 | CWE-209 | Published 2019-10-02 | Updated 2019-10-08 | Score 5.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: Partial/None/None
    Server metadata could be exposed because one of the error messages reflected the whole response back to the client in JetBrains TeamCity versions before 2018.2.5 and UpSource versions before 2018.2 build 1293.

37. CVE-2019-10104 | CWE-284 | Type: Exec Code | Published 2019-07-03 | Updated 2019-07-10 | Score 7.5
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
    In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin, or CloudBees) with the default setting allowed a remote attacker to execute code when the configuration is running, because a JMX server listened on all interfaces instead of localhost only. The issue has been fixed in the following versions: 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7.

38. CVE-2019-10103 | CWE-20 | Published 2019-07-03 | Updated 2019-07-12 | Score 6.8
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
    JetBrains IntelliJ IDEA projects created using the Kotlin (JS Client/JVM Server) IDE Template were resolving Gradle artifacts using an http connection, potentially allowing an MITM attack. This issue, which was fixed in Kotlin plugin version 1.3.30, is similar to CVE-2019-10101.

39. CVE-2019-10102 | CWE-20 | Published 2019-07-03 | Updated 2019-07-12 | Score 6.8
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
    JetBrains Ktor framework (created using the Kotlin IDE template) versions before 1.1.0 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack. This issue was fixed in Kotlin plugin version 1.3.30.

40. CVE-2019-10101 | CWE-310 | Published 2019-07-03 | Updated 2019-07-20 | Score 6.8
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
    JetBrains Kotlin versions before 1.3.30 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack.

41. CVE-2019-10100 | CWE-74 | Type: Exec Code | Published 2019-07-03 | Updated 2019-07-09 | Score 7.5
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
    In JetBrains YouTrack Confluence plugin versions before 1.8.1.3, it was possible to achieve Server Side Template Injection. The attacker could add an Issue macro to the page in Confluence, and use a combination of a valid id field and specially crafted code in the link-text-template field to execute code remotely.

42. CVE-2019-9873 | CWE-255 | Published 2019-07-03 | Updated 2019-07-10 | Score 5.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: Partial/None/None
    In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. The issue has been fixed in the following versions: 2019.1, 2018.3.5, 2018.2.8, and 2018.1.8.

43. CVE-2019-9872 | CWE-255 | Published 2019-07-03 | Updated 2019-07-10 | Score 4.3
    Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf/Integ/Avail: Partial/None/None
    In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. If the Settings Repository plugin was then used and configured to synchronize IDE settings using a public repository, these credentials were published to this repository. The issue has been fixed in the following versions: 2019.1, 2018.3.5, 2018.2.8, and 2018.1.8.

44. CVE-2019-9823 | CWE-255 | Published 2019-07-03 | Updated 2019-07-10 | Score 5.0
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: Partial/None/None
    In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to saving a cleartext record of the server credentials in the IDE configuration files. The issue has been fixed in the following versions: 2018.3.5, 2018.2.8, 2018.1.8.

45. CVE-2019-9186 | CWE-20 | Type: Exec Code | Published 2019-07-03 | Updated 2019-07-10 | Score 7.5
    Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf/Integ/Avail: Partial/Partial/Partial
    In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute code when the configuration is running, because a JMX server listens on all interfaces (instead of listening on only the localhost interface). This issue has been fixed in the following versions: 2019.1, 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7.
Total number of vulnerabilities: 45 (page 1 of 1)
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.