In JetBrains TeamCity before 2019.1.2, secure values could be exposed to users with the "View build runtime parameters and data" permission.
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
In JetBrains YouTrack before 2020.4.4701, an attacker could enumerate users via the REST API without appropriate permissions.
In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible
In JetBrains TeamCity before 2026.1 credentials parameters were exposed via parameter autocompletion
In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages
In JetBrains TeamCity before 2025.11.2 exposure of sensitive data via default agent parameters
In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint
In JetBrains Hub versions earlier than 2019.1.11738, username enumeration was possible through password recovery.
In JetBrains TeamCity before 2019.1.2, access could be gained to the history of builds of a deleted build configuration under some circumstances.
In JetBrains TeamCity before 2024.12.1 improper access control allowed to see Projects’ names in the agent pool
In JetBrains TeamCity before 2023.05.1 build parameters of the "password" type could be written to the agent log
JetBrains MPS before 2019.2.2 exposed listening ports to the network.
In JetBrains YouTrack Mobile before 2021.2, the client-side cache on iOS could contain sensitive information.
In JetBrains TeamCity before 2023.05 a specific endpoint was vulnerable to brute force attacks
In JetBrains TeamCity before 2023.05 parameters of the "password" type from build dependencies could be logged in some cases
The JetBrains Vim plugin before version 0.52 was storing individual project data in the global vim_settings.xml file. This xml file could be synchronized to a publicly accessible GitHub repository.
In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags
JetBrains YouTrack before 2019.2.53938 was using incorrect settings, allowing a user without necessary permissions to get other project names.
In JetBrains TeamCity before 2021.1, an insecure key generation mechanism for encrypted properties was used.
In JetBrains YouTrack before 2021.3.21051, a user could see boards without having corresponding permissions.
In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256.
In JetBrains IntelliJ IDEA before 2020.2, HTTP links were used for several remote repositories instead of HTTPS.
In JetBrains YouTrack before 2020.4.4701, improper resource access checks were made.
In JetBrains TeamCity before 2020.2.1, a user could get access to the GitHub access token of another user.
In JetBrains TeamCity before 2025.03 base64 encoded password could be exposed in build log
In JetBrains Ktor before 1.4.2, weak cipher suites were enabled by default.
In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects
In JetBrains TeamCity before 2022.04.3 the private SSH key could be written to the server log in some cases
In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents
In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication
In JetBrains Hub before 2024.3.47707 improper access control allowed users to generate permanent tokens for unauthorized services
In JetBrains Ktor before 2.3.13 improper caching in HttpCache Plugin could lead to response information disclosure
In JetBrains YouTrack before 2024.3.44799 token could be revealed on Imports page
In JetBrains TeamCity before 2024.07.3 password could be exposed via Sonar runner REST API
In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible
In JetBrains TeamCity before 2024.03.3 application token could be exposed in EC2 Cloud Profile settings
In JetBrains TeamCity before 2024.03.3 private key could be exposed via testing GitHub App Connection
In JetBrains TeamCity before 2020.1.5, the Guest user had access to audit records.
In JetBrains YouTrack before 2019.2.59309, SMTP/Jabber settings could be accessed using backups.
In JetBrains TeamCity before 2020.1.5, secure dependency parameters could be not masked in depending builds when there are no internal artifacts.
In JetBrains IntelliJ IDEA before 2020.2, the built-in web server could expose information about the IDE version.
In JetBrains YouTrack before 2020.3.888, notifications might have mentioned inaccessible issues.
In JetBrains TeamCity before 2024.03.2 technical information regarding TeamCity server could be exposed
In JetBrains YouTrack before 2020.3.7955, an attacker could access workflow rules without appropriate access grants.
In JetBrains YouTrack before 2020.2.8527, the subtasks workflow could disclose issue existence.
JetBrains YouTrack before 2020.2.10643 was vulnerable to SSRF that allowed scanning internal ports.
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
In JetBrains TeamCity before 2023.05.1 parameters of the "password" type could be shown in the UI in certain composite build configurations
UserHashedTableAuth in JetBrains Ktor framework before 1.2.0-rc uses a One-Way Hash with a Predictable Salt for storing user credentials.