Hub
by Jetbrains
CVEs (36)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-24327 | 0.00 | — | 0.01 | Feb 25, 2022 | In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions. | |||
| CVE-2021-43180 | 0.00 | — | 0.01 | Nov 9, 2021 | In JetBrains Hub before 2021.1.13690, information disclosure via avatar metadata is possible. | |||
| CVE-2021-43182 | 0.00 | — | 0.01 | Nov 9, 2021 | In JetBrains Hub before 2021.1.13415, a DoS via user information is possible. | |||
| CVE-2021-43181 | 0.00 | — | 0.01 | Nov 9, 2021 | In JetBrains Hub before 2021.1.13690, stored XSS is possible. | |||
| CVE-2021-43183 | 0.00 | — | 0.01 | Nov 9, 2021 | In JetBrains Hub before 2021.1.13690, the authentication throttling mechanism could be bypassed. | |||
| CVE-2021-37541 | 0.00 | — | 0.01 | Aug 6, 2021 | In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible. | |||
| CVE-2021-37540 | 0.00 | — | 0.01 | Aug 6, 2021 | In JetBrains Hub before 2021.1.13262, a potentially insufficient CSP for the Widget deployment feature was used. | |||
| CVE-2021-36209 | 0.00 | — | 0.01 | Aug 6, 2021 | In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset. | |||
| CVE-2021-31901 | 0.00 | — | 0.01 | May 11, 2021 | In JetBrains Hub before 2021.1.13079, two-factor authentication wasn't enabled properly for the All Users group. | |||
| CVE-2021-25760 | 0.00 | — | 0.01 | Feb 3, 2021 | In JetBrains Hub before 2020.1.12669, information disclosure via the public API was possible. | |||
| CVE-2021-25759 | 0.00 | — | 0.01 | Feb 3, 2021 | In JetBrains Hub before 2020.1.12629, an authenticated user can delete 2FA settings of any other user. | |||
| CVE-2021-25757 | 0.00 | — | 0.01 | Feb 3, 2021 | In JetBrains Hub before 2020.1.12629, an open redirect was possible. | |||
| CVE-2020-11691 | 0.00 | — | 0.01 | Apr 22, 2020 | In JetBrains Hub before 2020.1.12099, content spoofing in the Hub OAuth error message was possible. | |||
| CVE-2019-18360 | 0.00 | — | 0.01 | Oct 31, 2019 | In JetBrains Hub versions earlier than 2019.1.11738, username enumeration was possible through password recovery. | |||
| CVE-2019-14955 | 0.00 | — | 0.01 | Oct 1, 2019 | In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password and no password expiration policy was implemented. | |||
| CVE-2019-12847 | 0.00 | — | 0.01 | Jul 3, 2019 | In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user. It is only relevant in cases where a password has not changed since 2017, and if the audit log still contains events from before that period. |
- CVE-2022-24327Feb 25, 2022risk 0.00cvss —epss 0.01
In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions.
- CVE-2021-43180Nov 9, 2021risk 0.00cvss —epss 0.01
In JetBrains Hub before 2021.1.13690, information disclosure via avatar metadata is possible.
- CVE-2021-43182Nov 9, 2021risk 0.00cvss —epss 0.01
In JetBrains Hub before 2021.1.13415, a DoS via user information is possible.
- CVE-2021-43181Nov 9, 2021risk 0.00cvss —epss 0.01
In JetBrains Hub before 2021.1.13690, stored XSS is possible.
- CVE-2021-43183Nov 9, 2021risk 0.00cvss —epss 0.01
In JetBrains Hub before 2021.1.13690, the authentication throttling mechanism could be bypassed.
- CVE-2021-37541Aug 6, 2021risk 0.00cvss —epss 0.01
In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible.
- CVE-2021-37540Aug 6, 2021risk 0.00cvss —epss 0.01
In JetBrains Hub before 2021.1.13262, a potentially insufficient CSP for the Widget deployment feature was used.
- CVE-2021-36209Aug 6, 2021risk 0.00cvss —epss 0.01
In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset.
- CVE-2021-31901May 11, 2021risk 0.00cvss —epss 0.01
In JetBrains Hub before 2021.1.13079, two-factor authentication wasn't enabled properly for the All Users group.
- CVE-2021-25760Feb 3, 2021risk 0.00cvss —epss 0.01
In JetBrains Hub before 2020.1.12669, information disclosure via the public API was possible.
- CVE-2021-25759Feb 3, 2021risk 0.00cvss —epss 0.01
In JetBrains Hub before 2020.1.12629, an authenticated user can delete 2FA settings of any other user.
- CVE-2021-25757Feb 3, 2021risk 0.00cvss —epss 0.01
In JetBrains Hub before 2020.1.12629, an open redirect was possible.
- CVE-2020-11691Apr 22, 2020risk 0.00cvss —epss 0.01
In JetBrains Hub before 2020.1.12099, content spoofing in the Hub OAuth error message was possible.
- CVE-2019-18360Oct 31, 2019risk 0.00cvss —epss 0.01
In JetBrains Hub versions earlier than 2019.1.11738, username enumeration was possible through password recovery.
- CVE-2019-14955Oct 1, 2019risk 0.00cvss —epss 0.01
In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password and no password expiration policy was implemented.
- CVE-2019-12847Jul 3, 2019risk 0.00cvss —epss 0.01
In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user. It is only relevant in cases where a password has not changed since 2017, and if the audit log still contains events from before that period.
Page 2 of 2