JetBrains has published the JetBrains Products Security Bulletin Q1 2019

The JetBrains Security Bulletin Q1 2019 summarizes the security vulnerabilities discovered in JetBrains products and fixed in the first quarter of 2019.

The Security Bulletin covers issues that could expose a product user or a project's infrastructure to man-in-the-middle attacks, namely:

  • resolving Gradle, Maven, and sbt project artifacts over an unencrypted connection in various projects; and
  • generating project templates in an IDE causing the above-mentioned issue in a user’s project.
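A defender-side check for the first point, added here as an example and not taken from the bulletin or from JetBrains' own tooling: a small Python scanner that flags repository URLs declared over plaintext http:// in Gradle, Maven and sbt build files. The build-file contents and host names it works on are constructed for illustration.

```python
"""Flag artifact repositories declared over plain http:// in JVM build files.
Added example, not part of the bulletin; file contents below are constructed."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Any URL with the plaintext http scheme; "https://" does not match.
HTTP_URL = re.compile(r"http://[^\s\"'<>]+")

# Constructed snippets for the three build systems the bulletin names.
SAMPLE_FILES: Dict[str, str] = {
    "build.gradle": ('repositories {\n'
                     '    maven { url "http://repo.example.internal/maven2" }\n'
                     '    maven { url "https://plugins.gradle.org/m2/" }\n'
                     '}\n'),
    "pom.xml": ("<repositories><repository><id>legacy</id>\n"
                "  <url>http://repo.example.internal/maven2</url>\n"
                "</repository></repositories>\n"),
    "build.sbt": ('resolvers += "Local" at "http://localhost:8081/repo"\n'
                  'resolvers += "Legacy" at "http://repo.example.internal/maven2"\n'),
}


def find_plaintext_repos(text: str, ignore_hosts=("localhost", "127.0.0.1")
                         ) -> List[Tuple[int, str]]:
    """Return (line_number, url) for each http:// URL in a build file.

    Artifacts fetched over http:// can be replaced by an on-path attacker,
    the MITM risk described above. Loopback hosts are skipped by default
    because that traffic never leaves the developer's machine.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for url in HTTP_URL.findall(line):
            if urlparse(url).hostname not in ignore_hosts:
                hits.append((lineno, url))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan several build files, keeping only those with findings."""
    return {name: hits for name, text in files.items()
            if (hits := find_plaintext_repos(text))}


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        for lineno, url in hits:
            print(f"{name}:{lineno}: plaintext repository {url}")
```

Switching a flagged URL to https:// is only a fix if the repository actually serves TLS; otherwise the artifact source itself needs to change.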

An extended review of the secret storage mechanism in JetBrains IDE settings was also carried out, and several cases of secrets being stored in cleartext were identified and fixed.

The summary below lists the affected product, a description of each issue, its severity, and the product version that contains the fix.

| Product | Description | Severity | Resolved in | CVE/CWE |
| --- | --- | --- | --- | --- |
| CLion | The suggested WSL configuration exposed a local SSH server to the internal network (CPP-15063) | Moderate | No fix versions | CWE-276 |
| Documentation | JetBrains GitHub repositories had a world-editable wiki (DOC-6532). Reported by Bogdan Gagea | Moderate | No fix versions | CWE-732 |
| Hub | A user password could appear in the audit events for certain server settings (JPF-7895) | High | 2018.4.11298 | CVE-2019-12847 |
| IntelliJ IDEA | The default configuration for Spring Boot apps was not secure (IDEA-204439) | High | 2018.3.4, 2019.1 | CVE-2019-9186 |
| IntelliJ IDEA | The application server configuration allowed cleartext storage of secrets (IDEA-201519, IDEA-202483, IDEA-203271) | High | 2018.1.8, 2018.2.8, 2018.3.5, 2019.1 | CVE-2019-9872 |
| IntelliJ IDEA | The implementation of storage in the KeePass database was not secure (IDEA-200066) | Low | 2018.3, 2019.1 | CWE-922 |
| IntelliJ IDEA | A certain application server configuration allowed cleartext storage of secrets (IDEA-199911) | Low | 2018.3 | CWE-317 |
| IntelliJ IDEA | A certain application server configuration allowed cleartext storage of secrets (IDEA-203613) | Moderate | 2018.1.8, 2018.2.8, 2018.3.5 | CWE-2019-9823 |
| IntelliJ IDEA | Certain remote server configurations allowed cleartext storage of secrets (IDEA-203272, IDEA-203260, IDEA-206556, IDEA-206557) | High | 2019.1 | CVE-2019-9873 |
| IntelliJ IDEA | The run configuration of certain application servers allowed remote code execution while running the server with the default settings (IDEA-204570) | High | 2018.3.7, 2018.1.8, 2018.2.8, 2018.3.4 | CVE-2019-10103, CVE-2019-10104 |
| JetBrains Account | An open redirect vulnerability via the backUrl parameter was detected (JPF-8899) | Moderate | No fix version | CWE-601 |
| JetBrains Account | An open redirect vulnerability via the backUrl parameter was detected (JPF-8899) | Moderate | No fix version | CWE-444 |
| Kotlin | The JetBrains Kotlin project was resolving artifacts using an http connection during the build process, potentially allowing an MITM attack. | Moderate | 1.3.30 | CVE-2019-10101 |
| Kotlin Plugin | IntelliJ IDEA projects created using the Kotlin IDE template were resolving artifacts using an http connection, potentially allowing an MITM attack. | Moderate | 1.3.30 | CVE-2019-10102 |
| Plugin Marketplace | Some HTTP Security Headers were missing (MP-2004) | Moderate | No fix version | CWE-693 |
| Plugin Marketplace | A reflected XSS was detected (MP-2001) | Moderate | No fix version | CWE-79 |
| Plugin Marketplace | A CSRF vulnerability was detected (MP-2002) | Moderate | No fix version | CWE-352 |
| PyCharm | A certain remote server configuration allowed cleartext storage of secrets (PY-32885) | Moderate | 2018.3.2 | CWE-209 |
| TeamCity | A possible stored JavaScript injection was detected (TW-59419) | Moderate | 2018.2.3 | CVE-2019-12844 |
| TeamCity | The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts (TW-59379) | Moderate | 2018.2.3 | CVE-2019-12845 |
| TeamCity | A possible stored JavaScript injection requiring a deliberate server administrator action was detected (TW-55640) | Moderate | 2018.2.3 | CVE-2019-12843 |
| TeamCity | Incorrect handling of user input in ZIP extraction (TW-57143) | Moderate | 2018.2.2 | CVE-2019-12841 |
| TeamCity | A reflected XSS on a user page was detected (TW-58661) | Moderate | 2018.2.2 | CVE-2019-12842 |
| TeamCity | A user without the required permissions could gain access to some settings (TW-58571) | Moderate | 2018.2.2 | CVE-2019-12846 |
| TeamCity | An SSRF attack was possible on a YouTrack server (JT-51121) | High | 2018.4.49168 | CVE-2019-12852 |
| YouTrack | An Insecure Direct Object Reference was possible (JT-51103) | Low | 2018.4.49168 | CVE-2019-12866 |
| YouTrack | Certain actions could cause privilege escalation for issue attachments (JT-51080) | Moderate | 2018.4.49168 | CVE-2019-12867 |
| YouTrack | A query injection was possible (JT-51105) | Low | 2018.4.49168 | CVE-2019-12850 |
| YouTrack Licensing | An unauthorized disclosure of license details to an attacker #2 was possible (JT-51117) | Low | No fix version | CWE-284 |
| YouTrack Licensing | A reflected XSS was detected (JT-51074) | Low | No fix version | CWE-79 |
| YouTrack | A CSRF vulnerability was detected in one of the admin endpoints (JT-51110) | Moderate | 2018.4.49852 | CVE-2019-12851 |
| YouTrack Integration Plugin | The YouTrack Confluence plugin allowed the SSTI vulnerability (JT-51594) | Moderate | 1.8.1.3 | CVE-2019-10100 |
