In JetBrains TeamCity before 2019.2.2, password values were shown in an unmasked format on several pages.
In JetBrains TeamCity before 2020.2.3, insufficient checks of the redirect_uri were made during GitHub SSO token exchange.
In JetBrains TeamCity before 2020.2.3, information disclosure via SSRF was possible.
In JetBrains WebStorm before 2021.1, HTTP requests were used instead of HTTPS.
In JetBrains TeamCity before 2025.11 path traversal was possible via file upload
In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form
In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure
In JetBrains TeamCity before 2024.07.3 path traversal leading to information disclosure was possible via server backups
In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure.
In JetBrains Hub before 2025.3.104432 information disclosure was possible via the Users API
Ports listened to by JetBrains IntelliJ IDEA before 2019.3 were exposed to the network.
In JetBrains TeamCity before 2021.2.3, environment variables of the "password" type could be logged in some cases.
In JetBrains TeamCity before 2021.1, information disclosure via the Docker Registry connection dialog is possible.
In JetBrains Junie before 252.284.66, 251.284.66, 243.284.66, 252.284.61, 251.284.61, 243.284.61, 252.284.50, 252.284.54, 251.284.54, 251.284.50, 243.284.54, 243.284.50 information disclosure was possible via search_project function
In JetBrains TeamCity before 2025.07 password reset and email verification tokens were using weak hashing algorithms
GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4
In JetBrains YouTrack before 2024.1.29548 the SMTPS protocol communication lacked proper certificate hostname validation
In JetBrains UpSource before 2020.1.1883, application passwords were not revoked correctly
In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen via Space Application connection
In the JetBrains Scala plugin before 2019.2.1, some artefact dependencies were resolved over unencrypted connections.
In JetBrains YouTrack before 2024.2.34646 user access token was sent to the third-party site
In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions.
In JetBrains Toolbox App before 2.6 unencrypted credential transmission during SSH authentication was possible
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
In JetBrains Hub before 2021.1.13690, information disclosure via avatar metadata is possible.
In JetBrains IntelliJ IDEA before 2025.2 credentials disclosure was possible via remote reference
In JetBrains Ktor before 2.3.0 path traversal in the `resolveResource` method was possible
In JetBrains IntelliJ IDEA before 2022.3.1 the "Validate JSP File" action used the HTTP protocol to download required JAR files.
In JetBrains YouTrack before 2021.2.16363, an insecure PRNG was used.
In JetBrains TeamCity version before 2022.10, Password parameters could be exposed in the build log if they contained special characters
In JetBrains TeamCity before 2021.1, passwords in cleartext sometimes could be stored in VCS.
In JetBrains PyCharm 2019.2.5 and 2019.3 on Windows, Apple Notarization Service credentials were included. This is fixed in 2019.2.6 and 2019.3.3.
In JetBrains YouTrack before 2020.6.8801, information disclosure in an issue preview was possible.
In JetBrains GoLand before 2019.3.2, the plugin repository was accessed via HTTP instead of HTTPS.
In JetBrains Upsource before 2020.1, information disclosure is possible because of an incorrect user matching algorithm.
JetBrains IDETalk plugin before version 193.4099.10 allows XXE
In JetBrains TeamCity before 2023.05 a specific endpoint was vulnerable to brute force attacks
In JetBrains TeamCity before 2020.2, an ECR token could be exposed in a build's parameters.
In JetBrains IntelliJ IDEA before 2023.1 the NTLM hash could leak through an API method used in the IntelliJ IDEA built-in web server.
In JetBrains TeamCity version before 2022.10, Project Viewer could see scrambled secure values in the MetaRunner settings
In JetBrains Rider versions 2019.3 EAP2 through 2019.3 EAP7, there were unsigned binaries provided by the Windows installer. This issue was fixed in release version 2019.3.
In JetBrains IntelliJ IDEA 2019.2, an XSLT debugger plugin misconfiguration allows arbitrary file read operations over the network. This issue was fixed in 2019.3.
In JetBrains TeamCity before 2019.1.5, some server-stored passwords could be shown via the web UI.
JetBrains TeamCity Plugin before 2020.2.85695 SSRF. Vulnerability that could potentially expose user credentials.
JetBrains IdeaVim before version 0.58 might have caused an information leak in limited circumstances.
In JetBrains YouTrack before 2020.3.6638, improper access control for some subresources leads to information disclosure via the REST API.
In JetBrains TeamCity before 2023.05.1 parameters of the "password" type could be shown in the UI in certain composite build configurations
In JetBrains IntelliJ IDEA before 2022.3 the built-in web server leaked information about open projects.
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
Email Password Disclosure.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.