Search Vulnerabilities

GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4

In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords from protected fields

JetBrains IntelliJ IDEA 2021.3.1 Preview, IntelliJ IDEA 2021.3.1 RC, PyCharm Professional 2021.3.1 RC, GoLand 2021.3.1, PhpStorm 2021.3.1 Preview, PhpStorm 2021.3.1 RC, RubyMine 2021.3.1 Preview, RubyMine 2021.3.1 RC, CLion 2021.3.1, WebStorm 2021.3.1 Preview, and WebStorm 2021.3.1 RC (used as Remote Development backend IDEs) bind to the 0.0.0.0 IP address. The fixed versions are: IntelliJ IDEA 2021.3.1, PyCharm Professional 2021.3.1, GoLand 2021.3.2, PhpStorm 2021.3.1 (213.6461.83), RubyMine 2021.3.1, CLion 2021.3.2, and WebStorm 2021.3.1.

In JetBrains IntelliJ IDEA before 2021.2.4, local code execution (without permission from a user) upon opening a project was possible.

In JetBrains IntelliJ IDEA before 2021.3.1, local code execution via RLO (Right-to-Left Override) characters was possible.

In JetBrains YouTrack Mobile before 2021.2, iOS URL scheme hijacking is possible.

In JetBrains YouTrack Mobile before 2021.2, the client-side cache on iOS could contain sensitive information.

JetBrains YouTrack Mobile before 2021.2, is missing the security screen on Android and iOS.

In JetBrains YouTrack Mobile before 2021.2, access token protection on iOS is incomplete.

In JetBrains YouTrack Mobile before 2021.2, access token protection on Android is incomplete.

In JetBrains YouTrack Mobile before 2021.2, task hijacking on Android is possible.

In JetBrains IntelliJ IDEA 2020.3.3, local code execution was possible because of insufficient checks when getting the project from VCS.

In JetBrains IntelliJ IDEA before 2021.1, DoS was possible because of unbounded resource allocation.

In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure.

In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to local code execution.

In JetBrains IntelliJ IDEA before 2020.2, HTTP links were used for several remote repositories instead of HTTPS.

In JetBrains IntelliJ IDEA before 2020.2, the built-in web server could expose information about the IDE version.

In JetBrains IntelliJ IDEA before 2020.1, the license server could be resolved to an untrusted host in some cases.

In JetBrains GoLand before 2019.3.2, the plugin repository was accessed via HTTP instead of HTTPS.