In JetBrains YouTrack before 2020.4.4701, an attacker could enumerate users via the REST API without appropriate permissions.
In JetBrains TeamCity before 2023.11.2 limited directory traversal was possible in the Kotlin DSL documentation
In JetBrains Rider before 2023.3.3 logging of environment variables containing secret values was possible
In JetBrains TeamCity before 2020.2.3, information disclosure via SSRF was possible.
In JetBrains TeamCity between 2022.10 and 2022.10.1 a custom STS endpoint allowed internal port scanning.
In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256.
In JetBrains TeamCity before 2021.1, passwords in cleartext sometimes could be stored in VCS.
In JetBrains TeamCity before 2021.1, an insecure key generation mechanism for encrypted properties was used.
In JetBrains WebStorm before 2021.1, HTTP requests were used instead of HTTPS.
In JetBrains YouTrack before 2020.6.8801, information disclosure in an issue preview was possible.
In JetBrains Ktor before 1.4.2, weak cipher suites were enabled by default.
In JetBrains Hub before 2020.1.12669, information disclosure via the public API was possible.
In JetBrains TeamCity before 2020.2, an ECR token could be exposed in a build's parameters.
In JetBrains YouTrack before 2020.6.1767, an issue's existence could be disclosed via YouTrack command execution.
In JetBrains YouTrack before 2020.6.1099, project information could be potentially disclosed.
In JetBrains YouTrack before 2020.4.4701, improper resource access checks were made.
In JetBrains TeamCity before 2019.2.2, password values were shown in an unmasked format on several pages.
In JetBrains TeamCity version between 2021.2 and 2022.10 access permissions for secure token health items were excessive
Unspecified vulnerability in JetBrains TeamCity before 8.1 allows remote attackers to obtain sensitive information via unknown vectors.
In JetBrains TeamCity before 2023.05 a specific endpoint was vulnerable to brute force attacks
In JetBrains YouTrack Mobile before 2021.2, the client-side cache on iOS could contain sensitive information.
In JetBrains Rider versions 2019.3 EAP2 through 2019.3 EAP7, there were unsigned binaries provided by the Windows installer. This issue was fixed in release version 2019.3.
In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services
In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication
In JetBrains YouTrack before 2019.2.59309, SMTP/Jabber settings could be accessed using backups.
In JetBrains YouTrack before 2024.3.44799 token could be revealed on Imports page
In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible
In JetBrains TeamCity before 2021.1.2, user enumeration was possible.
JetBrains TeamCity Plugin before 2020.2.85695 SSRF. Vulnerability that could potentially expose user credentials.
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
In JetBrains TeamCity before 2020.1.5, secure dependency parameters could be not masked in depending builds when there are no internal artifacts.
In JetBrains YouTrack before 2020.3.7955, an attacker could access workflow rules without appropriate access grants.
In JetBrains YouTrack before 2020.3.6638, improper access control for some subresources leads to information disclosure via the REST API.
In JetBrains Hub before 2021.1.13690, information disclosure via avatar metadata is possible.
In JetBrains TeamCity before 2021.1, information disclosure via the Docker Registry connection dialog is possible.
In JetBrains TeamCity before 2023.05 parameters of the "password" type from build dependencies could be logged in some cases
In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions.
In JetBrains TeamCity before 2021.2.3, environment variables of the "password" type could be logged in some cases.
In JetBrains TeamCity before 2019.2.3, password parameters could be disclosed via build logs.
In JetBrains YouTrack before 2020.2.8527, the subtasks workflow could disclose issue existence.
In JetBrains PyCharm 2019.2.5 and 2019.3 on Windows, Apple Notarization Service credentials were included. This is fixed in 2019.2.6 and 2019.3.3.
In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to saving a cleartext record of the server credentials in the IDE configuration files. The issue has been fixed in the following versions: 2018.3.5, 2018.2.8, 2018.1.8.
In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. The issue has been fixed in the following versions: 2019.1, 2018.3.5, 2018.2.8, and 2018.1.8.
In JetBrains Upsource before 2020.1, information disclosure is possible because of an incorrect user matching algorithm.
JetBrains IDETalk plugin before version 193.4099.10 allows XXE
In JetBrains TeamCity before 2019.1.2, access could be gained to the history of builds of a deleted build configuration under some circumstances.
In JetBrains YouTrack before 2021.2.16363, an insecure PRNG was used.
In JetBrains TeamCity before 2020.2.3, insufficient checks of the redirect_uri were made during GitHub SSO token exchange.
In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure.
JetBrains MPS before 2019.2.2 exposed listening ports to the network.