In JetBrains TeamCity before 2020.2.3, information disclosure via SSRF was possible.
In JetBrains TeamCity before 2026.1, 2025.11.5 unauthenticated SSRF via build status was possible.
JetBrains TeamCity Plugin before 2020.2.85695 was affected by an SSRF vulnerability that could potentially expose user credentials.
JetBrains YouTrack before 2020.2.10643 was vulnerable to SSRF that allowed scanning internal ports.
In JetBrains TeamCity before 2020.2.3, insufficient checks of the redirect_uri were made during GitHub SSO token exchange.
In JetBrains WebStorm before 2021.1, HTTP requests were used instead of HTTPS.
In JetBrains YouTrack before 2020.6.8801, information disclosure in an issue preview was possible.
In JetBrains UpSource before 2020.1.1883, application passwords were not revoked correctly.
Server metadata could be exposed because one of the error messages reflected the whole response back to the client in JetBrains TeamCity versions before 2018.2.5 and UpSource versions before 2018.2 build 1293.
UserHashedTableAuth in JetBrains Ktor framework before 1.2.0-rc uses a One-Way Hash with a Predictable Salt for storing user credentials.
In JetBrains Toolbox App before 2.6 unencrypted credential transmission during SSH authentication was possible.
In JetBrains Hub before 2021.1.13690, information disclosure via avatar metadata is possible.
In JetBrains TeamCity before 2021.2.3, environment variables of the "password" type could be logged in some cases.
Ports listened to by JetBrains IntelliJ IDEA before 2019.3 were exposed to the network.
In JetBrains YouTrack before 2019.2.59309, SMTP/Jabber settings could be accessed using backups.
Unspecified vulnerability in JetBrains TeamCity before 8.1 allows remote attackers to obtain sensitive information via unknown vectors.
In JetBrains IntelliJ IDEA before 2020.2, HTTP links were used for several remote repositories instead of HTTPS.
In JetBrains YouTrack before 2020.4.4701, improper resource access checks were made.
In JetBrains TeamCity before 2020.2, an ECR token could be exposed in a build's parameters.
In JetBrains Ktor before 1.4.2, weak cipher suites were enabled by default.
In JetBrains Ktor before 1.5.0, a birthday attack on SessionStorage key was possible.
In JetBrains Hub before 2020.1.12669, information disclosure via the public API was possible.
In JetBrains IntelliJ IDEA before 2023.1 the NTLM hash could leak through an API method used in the IntelliJ IDEA built-in web server.
In JetBrains Ktor before 2.3.0 path traversal in the `resolveResource` method was possible.
In JetBrains IntelliJ IDEA before 2023.1 file content could be disclosed via an external stylesheet path in Markdown preview.
In JetBrains IntelliJ IDEA before 2022.3.1 the "Validate JSP File" action used the HTTP protocol to download required JAR files.
In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests.
In JetBrains GoLand before 2019.3.2, the plugin repository was accessed via HTTP instead of HTTPS.
In JetBrains TeamCity before 2026.1, 2025.11.5 authenticated users could expose server API to unauthorised access.
In JetBrains PyCharm 2019.2.5 and 2019.3 on Windows, Apple Notarization Service credentials were included. This is fixed in 2019.2.6 and 2019.3.3.
In JetBrains TeamCity before 2024.07.3 path traversal leading to information disclosure was possible via server backups.
In JetBrains YouTrack Mobile before 2021.2, the client-side cache on iOS could contain sensitive information.
In JetBrains IntelliJ IDEA before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, 2026.1.1 reading arbitrary local files was possible via built-in web server.
In JetBrains TeamCity version before 2022.10, Project Viewer could see scrambled secure values in the MetaRunner settings.
In JetBrains TeamCity version before 2022.10, Password parameters could be exposed in the build log if they contained special characters.
JetBrains IdeaVim before version 0.58 might have caused an information leak in limited circumstances.
In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen via Space Application connection.
In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services.
In JetBrains YouTrack before 2024.2.34646 user access token was sent to the third-party site.
JetBrains MPS before 2019.2.2 exposed listening ports to the network.
GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4
In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure.
In JetBrains YouTrack before 2024.1.29548 the SMTPS protocol communication lacked proper certificate hostname validation.
In JetBrains TeamCity before 2025.11 path traversal was possible via file upload.
In JetBrains Hub before 2025.3.104432 information disclosure was possible via the Users API.
In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure.
In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form.
In JetBrains IntelliJ IDEA before 2025.2 credentials disclosure was possible via remote reference.
In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions.
In JetBrains Junie before 252.284.66, 251.284.66, 243.284.66, 252.284.61, 251.284.61, 243.284.61, 252.284.50, 252.284.54, 251.284.54, 251.284.50, 243.284.54, 243.284.50 information disclosure was possible via search_project function.