In JetBrains YouTrack before 2024.3.44799, a token could be revealed on the Imports page.
In JetBrains TeamCity before 2021.1.2, user enumeration was possible.
In JetBrains TeamCity before 2021.1, information disclosure via the Docker Registry connection dialog is possible.
In JetBrains Upsource before 2020.1, information disclosure is possible because of an incorrect user matching algorithm.
In JetBrains TeamCity before 2024.07, an OAuth code for JetBrains Space could be stolen via the Space Application connection.
In JetBrains TeamCity before 2021.1, an insecure key generation mechanism for encrypted properties was used.
In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256.
In JetBrains TeamCity before 2024.07.3, path traversal leading to information disclosure was possible via server backups.
In JetBrains TeamCity before 2024.03.3, an application token could be exposed in EC2 Cloud Profile settings.
In JetBrains TeamCity before 2024.03.3, a private key could be exposed via testing a GitHub App Connection.
In JetBrains YouTrack before 2024.2.34646, a user access token was sent to a third-party site.
A GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and before the following versions: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4.
In JetBrains YouTrack before 2020.6.8801, information disclosure in an issue preview was possible.
In JetBrains TeamCity before 2024.03.2, technical information regarding the TeamCity server could be exposed.
In JetBrains TeamCity before 2020.2.3, information disclosure via SSRF was possible.
In JetBrains YouTrack before 2024.1.29548, the SMTPS protocol communication lacked proper certificate hostname validation.
In JetBrains Upsource before 2020.1.1883, application passwords were not revoked correctly.
In JetBrains YouTrack before 2020.3.888, notifications might have mentioned inaccessible issues.
In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure.
In JetBrains Ktor before 1.5.0, a birthday attack on SessionStorage key was possible.
In JetBrains Rider before 2023.3.3, logging of environment variables containing secret values was possible.
Ports listened to by JetBrains IntelliJ IDEA before 2019.3 were exposed to the network.
In JetBrains IntelliJ IDEA 2019.2, an XSLT debugger plugin misconfiguration allows arbitrary file read operations over the network. This issue was fixed in 2019.3.
In the JetBrains Scala plugin before 2019.2.1, some artefact dependencies were resolved over unencrypted connections.
In JetBrains TeamCity before 2019.1.2, access could be gained to the history of builds of a deleted build configuration under some circumstances.
The JetBrains IDETalk plugin before version 193.4099.10 allows XXE.
In JetBrains Hub versions earlier than 2019.1.11738, username enumeration was possible through password recovery.
JetBrains MPS before 2019.2.2 exposed listening ports to the network.
In JetBrains TeamCity before 2019.1.2, secure values could be exposed to users with the "View build runtime parameters and data" permission.
UserHashedTableAuth in JetBrains Ktor framework before 1.2.0-rc uses a One-Way Hash with a Predictable Salt for storing user credentials.
Server metadata could be exposed because one of the error messages reflected the whole response back to the client in JetBrains TeamCity versions before 2018.2.5 and Upsource versions before 2018.2 build 1293.
The JetBrains Vim plugin before version 0.52 was storing individual project data in the global vim_settings.xml file. This XML file could be synchronized to a publicly accessible GitHub repository.
In JetBrains Hub before 2021.1.13690, information disclosure via avatar metadata is possible.
In JetBrains YouTrack before 2021.2.16363, an insecure PRNG was used.
In JetBrains IntelliJ IDEA before 2025.2, credentials disclosure was possible via a remote reference.
In JetBrains TeamCity before 2025.07, password reset and email verification tokens were using weak hashing algorithms.
In JetBrains Hub before 2020.1.12669, information disclosure via the public API was possible.
In the JetBrains TeamCity Plugin before 2020.2.85695, an SSRF vulnerability could potentially expose user credentials.
In JetBrains IntelliJ IDEA before 2023.1 file content could be disclosed via an external stylesheet path in Markdown preview.
In JetBrains IntelliJ IDEA before 2023.1 the NTLM hash could leak through an API method used in the IntelliJ IDEA built-in web server.
In JetBrains IntelliJ IDEA before 2022.3.1 the "Validate JSP File" action used the HTTP protocol to download required JAR files.
In JetBrains TeamCity before 2023.11.2, limited directory traversal was possible in the Kotlin DSL documentation.
In JetBrains Ktor before 2.3.0, path traversal in the `resolveResource` method was possible.
In JetBrains TeamCity between 2022.10 and 2022.10.1 a custom STS endpoint allowed internal port scanning.
In JetBrains YouTrack before 2024.3.51866, improper access control allowed listing of project names during app import without authentication.
In JetBrains TeamCity versions between 2021.2 and 2022.10, access permissions for secure token health items were excessive.
In JetBrains IntelliJ IDEA before 2020.2, the built-in web server could expose information about the IDE version.
In JetBrains YouTrack before 2020.4.4701, an attacker could enumerate users via the REST API without appropriate permissions.
In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services.
In JetBrains Toolbox App before 2.6, unencrypted credential transmission during SSH authentication was possible.