In JetBrains Ktor before 2.3.0 path traversal in the `resolveResource` method was possible
In JetBrains TeamCity before 2020.2.3, information disclosure via SSRF was possible.
In JetBrains IntelliJ IDEA before 2023.1 the NTLM hash could leak through an API method used in the IntelliJ IDEA built-in web server.
In JetBrains IntelliJ IDEA before 2025.2 credentials disclosure was possible via remote reference
In JetBrains TeamCity before 2021.1, passwords in cleartext sometimes could be stored in VCS.
In JetBrains Toolbox App before 2.6 unencrypted credential transmission during SSH authentication was possible
In JetBrains WebStorm before 2021.1, HTTP requests were used instead of HTTPS.
In JetBrains YouTrack before 2020.6.8801, information disclosure in an issue preview was possible.
In JetBrains TeamCity before 2020.2, an ECR token could be exposed in a build's parameters.
In JetBrains TeamCity version before 2022.10, Password parameters could be exposed in the build log if they contained special characters
In JetBrains TeamCity before 2019.2.2, password values were shown in an unmasked format on several pages.
In JetBrains TeamCity before 2023.05 a specific endpoint was vulnerable to brute force attacks
In JetBrains TeamCity version before 2022.10, Project Viewer could see scrambled secure values in the MetaRunner settings
In JetBrains Rider versions 2019.3 EAP2 through 2019.3 EAP7, there were unsigned binaries provided by the Windows installer. This issue was fixed in release version 2019.3.
In JetBrains TeamCity before 2024.07.3 path traversal leading to information disclosure was possible via server backups
GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4
In JetBrains YouTrack before 2024.1.29548 the SMTPS protocol communication lacked proper certificate hostname validation
JetBrains TeamCity Plugin before 2020.2.85695 SSRF. Vulnerability that could potentially expose user credentials.
In JetBrains YouTrack before 2020.3.6638, improper access control for some subresources leads to information disclosure via the REST API.
In JetBrains Hub before 2021.1.13690, information disclosure via avatar metadata is possible.
In JetBrains TeamCity before 2021.1, information disclosure via the Docker Registry connection dialog is possible.
In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions.
In JetBrains TeamCity before 2021.2.3, environment variables of the "password" type could be logged in some cases.
In JetBrains PyCharm 2019.2.5 and 2019.3 on Windows, Apple Notarization Service credentials were included. This is fixed in 2019.2.6 and 2019.3.3.
In JetBrains Upsource before 2020.1, information disclosure is possible because of an incorrect user matching algorithm.
JetBrains IDETalk plugin before version 193.4099.10 allows XXE
In JetBrains YouTrack before 2021.2.16363, an insecure PRNG was used.
In JetBrains TeamCity before 2020.2.3, insufficient checks of the redirect_uri were made during GitHub SSO token exchange.
In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure.
In JetBrains UpSource before 2020.1.1883, application passwords were not revoked correctly
In JetBrains YouTrack before 2024.2.34646 user access token was sent to the third-party site
In JetBrains IntelliJ IDEA before 2023.1 file content could be disclosed via an external stylesheet path in Markdown preview.
In JetBrains IntelliJ IDEA before 2022.3.1 the "Validate JSP File" action used the HTTP protocol to download required JAR files.
JetBrains IdeaVim before version 0.58 might have caused an information leak in limited circumstances.
In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen via Space Application connection
In JetBrains TeamCity before 2019.1.5, some server-stored passwords could be shown via the web UI.
In JetBrains IntelliJ IDEA 2019.2, an XSLT debugger plugin misconfiguration allows arbitrary file read operations over the network. This issue was fixed in 2019.3.
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
In the JetBrains Scala plugin before 2019.2.1, some artefact dependencies were resolved over unencrypted connections.
Ports listened to by JetBrains IntelliJ IDEA before 2019.3 were exposed to the network.
In JetBrains GoLand before 2019.3.2, the plugin repository was accessed via HTTP instead of HTTPS.
A vulnerability has been found in Vaelsys 4.1.0 and classified as problematic. This vulnerability affects unknown code of the file /grid/vgrid_server.php of the component MD4 Hash Handler. The manipulation of the argument xajaxargs leads to use of weak hash. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
EnroCrypt is a Python module for encryption and hashing. Prior to version 1.1.4, EnroCrypt used the MD5 hashing algorithm in the hashing file. Beginners who are unfamiliar with hashes can face problems as MD5 is considered an insecure hashing algorithm. The vulnerability is patched in v1.1.4 of the product. As a workaround, users can remove the `MD5` hashing function from the file `hashing.py`.
beego is an open-source web framework for the Go programming language. Versions of beego prior to 2.3.4 use MD5 as a hashing algorithm. MD5 is no longer considered secure against well-funded opponents due to its vulnerability to collision attacks. Version 2.3.4 replaces MD5 with SHA256.
Dozzle is a realtime log viewer for docker containers. Before version 8.5.3, the app uses sha-256 as the hash for passwords, which leaves users susceptible to rainbow table attacks. The app switches to bcrypt, a more appropriate hash for passwords, in version 8.5.3.
A vulnerability was found in NFine Rapid Development Platform 20230511. It has been classified as problematic. Affected is an unknown function of the file /Login/CheckLogin. The manipulation leads to use of weak hash. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. VDB-229974 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
JavaEZ is a library that adds new functions to make Java easier. A weakness in JavaEZ 1.6 allows force decryption of locked text by unauthorized actors. The issue is NOT critical for non-secure applications, however may be critical in a situation where the highest levels of security are required. This issue ONLY affects v1.6 and does not affect anything pre-1.6. The vulnerability has been patched in release 1.7. Currently, there is no way to fix the issue without upgrading.
Certain switch models from PLANET Technology only support obsolete algorithms for authentication protocol and encryption protocol in the SNMPv3 service, allowing attackers to obtain plaintext SNMPv3 credentials potentially.
IBM Sterling Secure Proxy 6.0.0.0 through 6.0.3.1, 6.1.0.0 through 6.1.0.0, and 6.2.0.0 through 6.2.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.