JetBrains Security Bulletin Q2 2020

In the second quarter of 2020, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.

| Product | Description | Severity | Resolved in | CVE/CWE |
| --- | --- | --- | --- | --- |
| Datalore | Stack trace disclosure. (DL-7350) | Low | Not applicable | CWE-536 |
| Datalore | Reverse tabnabbing was possible. (DL-7708) | Low | Not applicable | CWE-1022 |
| JetBrains Account | Throttling for the password reset functionality was missing if 2FA was enabled. Reported by Manu Pranav. (JPF-10527) | Medium | 2020.06 | CWE-799 |
| JetBrains Website | Stack trace disclosure when a request contained an incorrect character. (JS-12490) | Low | Not applicable | CWE-536 |
| JetBrains Website | Reflected XSS on a jetbrains.com subdomain. Reported by Ritik Chaddha. (JS-12562) | Low | Not applicable | CWE-79 |
| JetBrains Website | Open-redirect issues on kotlinconf.com. Reported by Ritik Chaddha. (JS-12581) | Low | Not applicable | CWE-601 |
| JetBrains Website | Clickjacking was possible on a non-existent page. Reported by Pravas Ranjan Kanungo. (JS-12835) | Low | Not applicable | CWE-1021 |
| YouTrack | The subtasks workflow could disclose the existence of an issue. (JT-45316) | Low | 2020.2.8527 | CVE-2020-15818 |
| YouTrack | An external user could execute commands against arbitrary issues. (JT-56848) | High | 2020.1.1331 | CVE-2020-15817 |
| YouTrack | SSRF vulnerability that allowed scanning internal ports. Reported by Evren Yalçın. (JT-56917) | Low | 2020.2.10643 | CVE-2020-15819 |
| YouTrack | It was possible to change a redirect from any existing YouTrack InCloud instance to another instance. (JT-57036) | Medium | 2020.1.3588 | CWE-601 |
| YouTrack | The markdown parser could disclose the existence of a hidden file. (JT-57235) | Low | 2020.2.6881 | CVE-2020-15820 |
| YouTrack | A user without the appropriate permissions could create an article draft. (JT-57649) | Medium | 2020.2.6881 | CVE-2020-15821 |
| YouTrack | The AWS metadata of a YouTrack InCloud instance was disclosed via SSRF in a workflow. Reported by Yurii Sanin. (JT-57964) | High | 2020.2.8873 | CVE-2020-15823 |
| YouTrack | SSRF was possible because URL filtering could be escaped. Reported by Yurii Sanin. (JT-58204) | Low | 2020.2.10514 | CVE-2020-15822 |
| Kotlin | Script cache privilege escalation vulnerability. Reported by Henrik Tunedal. (KT-38222) | Medium | 1.4.0 | CVE-2020-15824 |
| Space | Draft title was disclosed to a user without access to the draft. (SPACE-5594) | Low | Not applicable | CWE-200 |
| Space | A missing authorization check caused privilege escalation. Reported by Callum Carney. (SPACE-8034) | High | Not applicable | CWE-266 |
| Space | Blind SSRF via calendar import. Reported by Yurii Sanin. (SPACE-8273) | Medium | Not applicable | CWE-918 |
| Space | Drafts of direct messages sent from the iOS app could be sent to the channel. (SPACE-8377) | Low | Not applicable | CWE-200 |
| Space | Chat messages were propagated to the browser console. (SPACE-8386) | High | Not applicable | CWE-215 |
| Space | Missing authentication checks in Space Automation. (SPACE-8431) | Critical | Not applicable | CWE-306 |
| Space | Missing authentication checks in the Job-related API. (SPACE-8822) | Low | Not applicable | CWE-306 |
| Space | Incorrect checks of public key content. (SPACE-9169) | Medium | Not applicable | CWE-287 |
| Space | Stored XSS via a repository resource. (SPACE-9277) | High | Not applicable | CWE-79 |
| Toolbox App | Missing signature on “jetbrains-toolbox.exe”. (TBX-4671) | Low | 1.17.6856 | CVE-2020-15827 |
| TeamCity | Users were able to assign more permissions than they had. (TW-36158) | Low | 2020.1 | CVE-2020-15826 |
| TeamCity | Users with the “Modify group” permission could elevate other users’ privileges. (TW-58858) | Medium | 2020.1 | CVE-2020-15825 |
| TeamCity | Password parameters could be disclosed via build logs. (TW-64484) | Low | 2019.2.3 | CVE-2020-15829 |
| TeamCity | Project parameter values could be retrieved by a user without the appropriate permissions. (TW-64587) | High | 2020.1.1 | CVE-2020-15828 |
| TeamCity | Reflected XSS in the administration UI. (TW-64668) | High | 2019.2.3 | CVE-2020-15831 |
| TeamCity | Stored XSS in the administration UI. (TW-64699) | High | 2019.2.3 | CVE-2020-15830 |
| Upsource | Unauthorized access was possible through an error in account linking. (SDP-940) | Low | 2020.1 | CVE-2019-19704 |

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop

Toolbox App 1.17 is Out: Quality Improvements Arrive with a New Build Completely Rewritten in Kotlin

TL;DR Focusing on the quality of the Toolbox App, we have completely rewritten it in Kotlin. We’ve introduced a new Settings page, updated system requirements, and fixed dozens of bugs.

Toolbox App 1.17 Released

In this update, we’ve focused on bug fixes and on the overall quality of the Toolbox App.

The story

The Toolbox App began as a Hackathon project, though under a different name. The state of the technology was very different at the time: Java was still at version 8, and Kotlin had not been released yet. We decided to try something new, so we implemented the core of the application in C++, and for the UI we used React with our own Ring UI library. This latter part has stayed with us through all these years and has proved successful. The elegant and polished interface is not only pleasing to the eye, but it is also easy to develop and allows us to effortlessly present rich content in the “What’s new” notes for our products.

The core written in C++, on the other hand, is a different story. C++ is a powerful language (sometimes too powerful for our use case), and it often requires a “gloves-on” approach. Every time we switched to it from other projects that used Kotlin, we weren’t as productive as we had been before. It was also impossible to share code between the IntelliJ Platform and the Toolbox App, which would have benefited both parties. The tool landscape has also changed. With the arrival of the modular JDK, it is now possible to bundle a very small runtime with the app, or even to compile it to native code with Kotlin/Native.

With all this in mind, we made a decision last year to rewrite the core of the Toolbox App in Kotlin, and we are now happy to present the result. In this first iteration, we deliberately made as few changes as possible and stayed close to the original codebase, except, of course, for some third-party dependencies that we needed to replace with their JVM counterparts. Luckily there is no lack of high-quality Java libraries out there. You can easily find one for every purpose.

We didn’t want to repeat the same mistakes though, so when we needed to rewrite something from scratch, we fixed some bugs in the relevant components, as well. Below is a brief overview of the changes we’ve made.

Download the Toolbox App

Bug fixes

Depending on your preferred operating system, we’ve reimplemented the system tray icon (on Windows), menu bar icon (on macOS), and appindicator (on Linux). It now correctly appears in most cases and is no longer blurred on HiDPI screens. Improved screen detection also fixes a number of issues with incorrect application scaling. Many performance issues have been resolved, as well.

On Linux, JetBrains Account credentials are now stored correctly and the app handles SSL certificates better.

You can find the full list of resolved issues here.

Proxy servers

Previously, the Toolbox App always used the system proxy if it was set. It wasn’t possible to change the proxy address or to turn it off. There is now a dedicated page in Settings for setting up a custom proxy server and enabling and disabling it when necessary.

Proxy Settings

Settings

Speaking of settings, we’re happy to introduce the revamped Settings page. We’ve regrouped all options and made the most important categories available at a glance.

Toolbox App 1.17 Settings

System requirements

As we’ve previously announced, we are dropping support for 32-bit Windows. We are also updating the minimum supported OS versions to Windows 8 or newer and macOS 10.13 or newer. This change brings our system requirements into alignment with those of all the JetBrains IDEs, which will not run on older OS versions. For Linux, we generally support only the latest regular and LTS releases.

Even though there may not be many visible changes in the application, this update builds a solid foundation for future improvements. We are already working on some of the suggestions you shared with us on New Year’s Eve.

Thank you for your collaboration and your helpful feedback! We are listening!

Download the Toolbox App

Stay home, stay healthy, and stay tuned!
The Toolbox App team

JetBrains Toolbox 2020.1 is Available: Update Your Tools

The time has come to update your tools and start using their new features. All the JetBrains IDEs are now polished and new, ready for you to create something great.

Take a look at this short summary of what you can find in the new versions of the JetBrains IDEs.
We would also like to remind you that the easiest way to update your tools is via the Toolbox App.

Download the Toolbox App

IntelliJ IDEA

IntelliJ IDEA 2020.1 adds support for Java 14 and new features for a number of frameworks, upgrades the debugger with dataflow analysis assistance, adds a new LightEdit mode, and downloads and configures the JDK for you. You will also discover new in-place Rename and Change Signature refactorings, in-editor rendering of Javadocs, lots of VCS improvements, and so much more.

WebStorm

WebStorm 2020.1 comes with a more polished look and feel, out-of-the-box support for Vuex and Vue Composition API, an option for running Prettier on save, and some improvements for JavaScript and TypeScript.

Rider

Rider 2020.1 features the new .NET Core edition and Xamarin Hot Reload. Profiling is now easier with a brand new feature called Dynamic Program Analysis. The editor’s severity can now be configured with one click, and Unity developers benefit from lots of major updates and fixes.

PhpStorm

PhpStorm 2020.1 provides out-of-the-box support for composer.json, PHP type inference improvements, support for code coverage with PCOV and PHPDBG, PHPUnit toolbox, the Grazie grammar checker, and many other improvements.

GoLand

GoLand 2020.1 includes a variety of upgrades for Go Modules support, code-editing features that require little to no interaction from the user, an expanded code completion family, and more!

PyCharm

PyCharm 2020.1 brings a lot of things that make development easier, like interactive rebasing, smart debugging, and more. It is now possible to turn the commit dialog into a tool window that’s open next to your code. In the debugger, what used to be Smart Step Into has become even smarter and is now the default Step Into.

CLion

CLion 2020.1 brings dozens of improvements across many IDE features. This includes CUDA support, formatter and refactoring enhancements, deeper integration with Clang-based tools, and new options in Run/Debug configurations. For Windows developers the new version comes with support for the Clang-cl compiler, while for Embedded projects CLion adds IAR compiler support and an experimental PlatformIO plugin.

RubyMine

RubyMine 2020.1 improves navigation between Rails entities and adds smarter code assistance. Setting up run configurations, SSH, and Docker is now more convenient. The new LightEdit mode allows you to quickly edit files without loading a project. This update also includes improvements for version control, the terminal, JS, and database tools.

AppCode

AppCode 2020.1 brings completion during indexing, faster code assistance in pure Swift and mixed projects, the generation of documentation comments, new inspections and intentions, the Type Hierarchy view for Swift, and new sorting modes for the Swift Structure view.

ReSharper

ReSharper Ultimate 2020.1 offers support for more C# 8.0 and C++20 features, Dataflow Analysis for integer values, and some performance modifications under ReSharper’s hood. Also, ReSharper C++ includes better code completion, new inspections with quick-fixes, and initial HLSL support.

ReSharper C++

ReSharper C++ 2020.1 includes more support for C++20 features, better code completion, and new inspections with quick-fixes. For game developers, this release better aligns with Unreal Engine 4 guidelines and introduces initial HLSL support.

DataGrip

DataGrip 2020.1 makes it possible to run configurations and export to Excel. It also includes results shown in the editor, a geo viewer, and more!

In the meantime, all the product teams have started working on the newest features and upcoming EAPs for the 2020.2 release. Stay tuned to the dedicated product blogs for news about their progress. And don’t forget to follow us on Twitter.

Stay home, stay healthy, have fun!
The JetBrains team

JetBrains Security Bulletin Q1 2020

In the first quarter of 2020, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.

| Product | Description | Severity | Resolved in | CVE/CWE |
| --- | --- | --- | --- | --- |
| Datalore | A user’s SSH key could be deleted without the appropriate permissions. Reported by Callum Carney. (DL-7833) | Moderate | Not applicable | CWE-639 |
| Datalore | SSRF could be caused by an attached file. Reported by Callum Carney. (DL-7836) | High | Not applicable | CWE-918 |
| GoLand | Plain HTTP was used to access the plugin repository. (GO-8694) | Low | 2019.3.2 | CVE-2020-11685 |
| IntelliJ IDEA | The license server could be resolved to an untrusted host in some cases. (IDEA-219748) | High | 2020.1 | CVE-2020-11690 |
| JetBrains Account | Non-unique QR codes were generated during consecutive attempts to set up 2FA. (JPF-10149) | Low | 2020.01 | CWE-342 |
| JetBrains Account | Clickjacking was possible on a JetBrains Account page. Reported by Raja Ahtisham. (JPF-10154) | Moderate | 2020.01 | CWE-1021 |
| JetBrains Account | Customer name enumeration by numeric customer ID was possible. (JPF-10159, JPF-10301) | High | 2020.03 | CWE-200 |
| JetBrains Account | The country value coming from a user wasn’t correctly validated. (JPF-10258) | High | 2020.02 | CWE-285 |
| JetBrains Account | Information disclosure from JetBrains Account was possible via the “Back” button. Reported by Ratnadip Gajbhiye. (JPF-10266) | Low | 2020.02 | CWE-200 |
| JetBrains Website | Reflected XSS at jetbrains.com was possible. Reported by Rahad Chowdhury. (JS-11769) | High | Not applicable | CWE-79 |
| Hub | Content spoofing in the Hub OAuth error message was possible. (JPS-10093) | Moderate | 2020.1.12099 | CVE-2020-11691 |
| Plugin Marketplace | Uploading a malicious file via the Screenshots form could cause XSS. (MP-2637) | Moderate | Not applicable | CWE-79 |
| PyCharm | Apple Notarization Service credentials were included in the PyCharm distribution for Windows. Reported by Ruby Nealon. (IDEA-232217) | High | 2019.3.3, 2019.2.6 | CVE-2020-11694 |
| Space | The session timeout period was configured improperly. (SPACE-4717) | Low | Not applicable | CVE-2020-11795 |
| Space | Stored XSS in Space chats was possible. Reported by Callum Carney. (SPACE-6556) | Moderate | Not applicable | CVE-2020-11416 |
| Space | The password authentication implementation was insecure. (SPACE-7282) | High | Not applicable | CVE-2020-11796 |
| TeamCity | Password values were shown without being masked on several pages. (TW-64186) | Low | 2019.2.2 | CVE-2020-11687 |
| TeamCity | A project administrator was able to see scrambled password parameters used in a project. (TW-58099) | Moderate | 2019.2.2 | CVE-2020-11938 |
| TeamCity | A project administrator was able to retrieve some TeamCity server settings. (TW-61626) | Low | 2019.1.4 | CVE-2020-11686 |
| TeamCity | Application state was kept alive after a user ended their session. (TW-61824) | Low | 2019.2.1 | CVE-2020-11688 |
| TeamCity | A user without the appropriate permissions was able to import settings from settings.kts. (TW-63698) | Low | 2019.2.1 | CVE-2020-11689 |
| YouTrack | DB export was accessible to read-only administrators. (JT-56001) | Low | 2020.1.659 | CVE-2020-11692 |
| YouTrack | DoS could be performed by attaching a malformed TIFF to an issue. Reported by Chris Smith. (JT-56407) | High | 2020.1.659 | CVE-2020-11693 |

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop

The JetBrains Toolbox browser extension now works on self-hosted GitHub, GitLab, and Bitbucket instances

We’ve updated the JetBrains Toolbox browser extension for Chrome and Firefox. It can now clone and open files from private instances in JetBrains IDEs, whether you use corporate repositories at GitHub Enterprise or self-hosted GitLab or Bitbucket instances.

Install the extension

Please keep in mind that to start using this extension with private instances, you first need to enable it on your custom domain. Follow the steps below:

  1. Install the extension if you haven’t yet done so.
  2. Right-click the Toolbox extension icon on the browser toolbar to open its preferences.
  3. Tick “Enable on this domain” to enable the extension on the current webpage.

Toolbox extension at GitHub Enterprise

Now the Toolbox extension should work on your self-hosted instances, giving you access to the functionality that was previously available for open-source repository hosting services:

  • Clone projects from the main GitHub, GitLab, and Bitbucket repositories, and open them in available JetBrains IDEs.
  • Navigate from a highlighted line of code in a previously cloned GitHub project to that line in your IDE.

Read more about the main features of the Toolbox extension in this blogpost.

Stay home, stay healthy, stay productive!
The JetBrains Toolbox team

20 Years of JetBrains, 20 Years of Progress, 20 Years of Evolving Together

Today we, JetBrains, turn 20 years old! Yet our passion and exuberance for the world of software development is just as strong as ever. We are still learning every day, and we are curious about what the future holds. Our founding principle is making professional software development a more enjoyable and productive experience for both individuals and teams. We are trying to discover new ways to help others bring their solutions into the world.

It has been an exciting 20 years and an amazing start to the millennium. We have come a long way in these 20 years, and we’d like to invite you to look back at our journey together.

Check out 20 Years of JetBrains Highlights

We’ve grown from a company of three, working in Prague with a single product serving 800 customers, to a team of over 1,250 employees in 9 offices worldwide, with 25 developer tools and trusted by over 8 million users.

Back in 2000, the popular languages were C++, Java, C, and PHP, and they were in use by a population of around only 3.3 million professional developers. We began with IntelliJ IDEA for Java and evolved with the rise of .NET, new technologies, and new ways of working. We supported developers through this evolution with new tools such as ReSharper, RubyMine, WebStorm, PhpStorm, and PyCharm.

We’ve always considered effective teamwork to be integral to success. And, based on our own needs, we’ve created tools like TeamCity, YouTrack, and Upsource to help teams work more effectively. Our latest product, JetBrains Space, is our next step on the way to offering comprehensive support for creative teams.

Now, a new wave of technology, like data science, machine learning, augmented reality, and artificial intelligence, is forging the future, and the top languages of today will need tools to help support them in these development niches. JetBrains will be there continuing to develop our tools to be on the cutting edge of development practices and technologies.

JetBrains 20 Years

Our support for development does not stop with our tools. Our community-focused and educational initiatives are just as important to us. We are committed to open-source development. Since we first began, we have provided over 4.8 million free licenses to open source and education.

Our own open-source programming language, Kotlin, has gone from strength to strength adapting to meet the needs of this world’s rapidly developing technology. Kotlin was designed to be a pragmatic tool for programmers and continues to increase in popularity. It won the Breakout Project of the Year award at OSCON ’19, and it has become the preferred programming language for Android.

20 Years of JetBrains, 20 years of progress and change, 20 years of evolving together. You can see just how far we’ve come in our Annual Highlights 2019 report.

We could not have done this without the support of our users, our team, and our community. We will continue to keep pace with the latest technologies, so you can keep working on what is most important to you. Our tools speed up production, freeing developers to grow, discover and create. This will always be true. Thank you for being with us on this amazing journey, and here’s to the next 20 years!

JetBrains
The Drive to Develop
