JetBrains Security Bulletin Q4 2021
In the fourth quarter of 2021, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.
| Product | Description | Severity | Resolved in | CVE/CWE |
|---|---|---|---|---|
| Datalore | Another user’s database could be attached (DL-9779) | High | Not applicable | Not applicable |
| Hub | JetBrains Account integration exposed API keys with excessive permissions. Reported by Yurii Sanin (HUB-10958) | High | 2021.1.13890 | CVE-2022-24327 |
| Hub | An unprivileged user could perform a DoS. Reported by Yurii Sanin (HUB-10976) | High | 2021.1.13956 | CVE-2022-24328 |
| IntelliJ IDEA | Code could be executed without the user’s permission on opening a project (IDEA-243002, IDEA-277306, IDEA-282396, IDEA-275917) | Medium | 2021.2.4 | CVE-2022-24345 |
| IntelliJ IDEA | Potential LCE via RLO (Right-to-Left Override) characters (IDEA-284150) | Medium | 2021.3.1 | CVE-2022-24346 |
| JetBrains Blog | Blind SQL injection. Reported by Khan Janny (BLOG-45) | Medium | Not applicable | Not applicable |
| Kotlin | No ability to lock dependencies for Kotlin Multiplatform Gradle projects. Reported by Carter Jernigan (KT-49449) | Medium | 1.6.0 | CVE-2022-24329 |
| Kotlin websites | Clickjacking at kotlinlang.org (KTL-588) | Medium | Not applicable | Not applicable |
| Remote Development | Unexpected open port on backend server. Please refer to this blog post for additional details. Reported by Damian Gwiżdż (GTW-894) | High | Not 2021.3.1 | CVE-2021-45977 |
| Space | Missing permission check in an HTTP API response (SPACE-15991) | High | Not applicable | Not applicable |
| TeamCity | A redirect to an external site was possible (TW-71113) | Low | 2021.2.1 | CVE-2022-24330 |
| TeamCity | Logout failed to remove the “Remember Me” cookie (TW-72969) | Low | 2021.2 | CVE-2022-24332 |
| TeamCity | GitLab authentication impersonation. Reported by Christian Pedersen (TW-73375) | High | 2021.1.4 | CVE-2022-24331 |
| TeamCity | The “Agent push” feature allowed any private key on the server to be selected (TW-73399) | Low | 2021.2.1 | CVE-2022-24334 |
| TeamCity | Blind SSRF via an XML-RPC call. Reported by Artem Godin (TW-73465) | Medium | 2021.2 | CVE-2022-24333 |
| TeamCity | Time-of-check/Time-of-use (TOCTOU) vulnerability in agent registration via XML-RPC. Reported by Artem Godin (TW-73468) | High | 2021.2 | CVE-2022-24335 |
| TeamCity | An unauthenticated attacker could cancel running builds via an XML-RPC request to the TeamCity server. Reported by Artem Godin (TW-73469) | Medium | 2021.2.1 | CVE-2022-24336 |
| TeamCity | Pull requests’ health items were shown to users without appropriate permissions (TW-73516) | Low | 2021.2 | CVE-2022-24337 |
| TeamCity | Stored XSS. Reported by Yurii Sanin (TW-73737) | Medium | 2021.2.1 | CVE-2022-24339 |
| TeamCity | URL injection leading to CSRF. Reported by Yurii Sanin (TW-73859) | Medium | 2021.2.1 | CVE-2022-24342 |
| TeamCity | Changing a password failed to terminate sessions of the edited user (TW-73888) | Low | 2021.2.1 | CVE-2022-24341 |
| TeamCity | XXE during the parsing of a configuration file (TW-73932) | Medium | 2021.2.1 | CVE-2022-24340 |
| TeamCity | Reflected XSS (TW-74043) | Medium | 2021.2.1 | CVE-2022-24338 |
| TeamCity | Stored XSS on the Notification templates page (JT-65752) | Low | 2021.4.31698 | CVE-2022-24344 |
| YouTrack | A custom logo could be set with read-only permissions (JT-66214) | Low | 2021.4.31698 | CVE-2022-24343 |
| YouTrack | Stored XSS via project icon. Reported by Yurii Sanin (JT-67176) | Medium | 2021.4.36872 | CVE-2022-24347 |
If you need any further assistance, please contact our Security Team.
Your JetBrains Team