In JetBrains Upsource before 2020.1, information disclosure is possible because of an incorrect user matching algorithm.
In JetBrains TeamCity before 2020.1.5, secure dependency parameters could be not masked in depending builds when there are no internal artifacts.
JetBrains IDETalk plugin before version 193.4099.10 allows XXE
In JetBrains TeamCity before 2023.05.1 build parameters of the "password" type could be written to the agent log
In JetBrains TeamCity before 2023.05.1 build chain parameters of the "password" type could be written to the agent log
JetBrains TeamCity Plugin before 2020.2.85695 SSRF. Vulnerability that could potentially expose user credentials.
In JetBrains TeamCity before 2023.05.1 parameters of the "password" type could be shown in the UI in certain composite build configurations
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
In JetBrains IntelliJ IDEA before 2020.2, the built-in web server could expose information about the IDE version.
JetBrains IdeaVim before version 0.58 might have caused an information leak in limited circumstances.
In JetBrains YouTrack before 2020.3.888, notifications might have mentioned inaccessible issues.
In JetBrains TeamCity before 2023.05 parameters of the "password" type from build dependencies could be logged in some cases
In JetBrains YouTrack before 2020.4.4701, an attacker could enumerate users via the REST API without appropriate permissions.
In JetBrains YouTrack before 2020.3.6638, improper access control for some subresources leads to information disclosure via the REST API.
In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents
JetBrains YouTrack before 2020.2.10643 was vulnerable to SSRF that allowed scanning internal ports.
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
In JetBrains TeamCity before 2019.2.3, password parameters could be disclosed via build logs.
In JetBrains Hub before 2024.3.47707 improper access control allowed users to generate permanent tokens for unauthorized services
In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services
In JetBrains TeamCity before 2024.07.3 password could be exposed via Sonar runner REST API
In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible
In JetBrains GoLand before 2019.3.2, the plugin repository was accessed via HTTP instead of HTTPS.
In JetBrains PyCharm 2019.2.5 and 2019.3 on Windows, Apple Notarization Service credentials were included. This is fixed in 2019.2.6 and 2019.3.3.
In JetBrains TeamCity before 2019.2.2, password values were shown in an unmasked format on several pages.
In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to saving a cleartext record of the server credentials in the IDE configuration files. The issue has been fixed in the following versions: 2018.3.5, 2018.2.8, 2018.1.8.
In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. The issue has been fixed in the following versions: 2019.1, 2018.3.5, 2018.2.8, and 2018.1.8.
In JetBrains TeamCity before 2021.1, passwords in cleartext sometimes could be stored in VCS.
In JetBrains TeamCity before 2025.07 improper access control allowed disclosure of build settings via VCS configuration
In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form
In JetBrains TeamCity before 2021.2.3, environment variables of the "password" type could be logged in some cases.
In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions.
In JetBrains TeamCity before 2020.1.5, the Guest user had access to audit records.
In JetBrains TeamCity before 2025.07.1 aWS credentials were exposed in Docker script files
In JetBrains YouTrack before 2020.3.7955, an attacker could access workflow rules without appropriate access grants.
In JetBrains YouTrack before 2025.1.74704 restricted attachments could become visible after issue cloning
In JetBrains TeamCity before 2025.07 improper access control allowed disclosure of build settings via snapshot dependencies
In JetBrains TeamCity before 2021.1.2, user enumeration was possible.
In JetBrains TeamCity before 2021.1, information disclosure via the Docker Registry connection dialog is possible.
In JetBrains YouTrack Mobile before 2021.2, the client-side cache on iOS could contain sensitive information.
Unspecified vulnerability in JetBrains TeamCity before 8.1 allows remote attackers to obtain sensitive information via unknown vectors.
In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256.
In JetBrains TeamCity before 2021.1, an insecure key generation mechanism for encrypted properties was used.
In JetBrains YouTrack before 2021.3.21051, a user could see boards without having corresponding permissions.
In JetBrains IntelliJ IDEA before 2023.3.3 path traversal was possible when unpacking archives
In JetBrains TeamCity before 2020.2.3, information disclosure via SSRF was possible.
In JetBrains TeamCity before 2020.2.3, insufficient checks of the redirect_uri were made during GitHub SSO token exchange.
In JetBrains YouTrack before 2020.6.8801, information disclosure in an issue preview was possible.
In JetBrains UpSource before 2020.1.1883, application passwords were not revoked correctly
In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure.