Vendor CVEs
JetBrains
All CVEs
564 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-24456 | | | 0.00 | — | 0.00 | | Jan 21, 2025 | In JetBrains Hub before 2024.3.55417 privilege escalation was possible via LDAP authentication mapping |
| CVE-2024-56356 | | | 0.00 | — | 0.00 | | Dec 20, 2024 | In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack |
| CVE-2024-56354 | | | 0.00 | — | 0.00 | | Dec 20, 2024 | In JetBrains TeamCity before 2024.12 password field value were accessible to users with view settings permission |
| CVE-2024-56353 | | | 0.00 | — | 0.00 | | Dec 20, 2024 | In JetBrains TeamCity before 2024.12 backup file exposed user credentials and session cookies |
| CVE-2024-56351 | | | 0.00 | — | 0.00 | | Dec 20, 2024 | In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles |
| CVE-2024-56350 | | | 0.00 | — | 0.00 | | Dec 20, 2024 | In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects |
| CVE-2024-56349 | | | 0.00 | — | 0.00 | | Dec 20, 2024 | In JetBrains TeamCity before 2024.12 improper access control allowed unauthorized users to modify build logs |
| CVE-2024-56348 | | | 0.00 | — | 0.00 | | Dec 20, 2024 | In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents |
| CVE-2024-54158 | | | 0.00 | — | 0.00 | | Dec 4, 2024 | In JetBrains YouTrack before 2024.3.52635 potential spoofing attack was possible via lack of Punycode encoding |
| CVE-2024-54157 | | | 0.00 | — | 0.01 | | Dec 4, 2024 | In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector |
| CVE-2024-54156 | | | 0.00 | — | 0.00 | | Dec 4, 2024 | In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution attack |
| CVE-2024-54155 | | | 0.00 | — | 0.00 | | Dec 4, 2024 | In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication |
| CVE-2024-54154 | | | 0.00 | — | 0.01 | | Dec 4, 2024 | In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox |
| CVE-2024-54153 | | | 0.00 | — | 0.00 | | Dec 4, 2024 | In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via vulnerable query parameter |
| CVE-2024-52555 | | | 0.00 | — | 0.00 | | Nov 15, 2024 | In JetBrains WebStorm before 2024.3 code execution in Untrusted Project mode was possible via type definitions installer script |
| CVE-2024-50574 | | | 0.00 | — | 0.01 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 potential ReDoS exploit was possible via email header parsing in Helpdesk functionality |
| CVE-2024-50573 | | | 0.00 | — | 0.00 | | Oct 28, 2024 | In JetBrains Hub before 2024.3.47707 improper access control allowed users to generate permanent tokens for unauthorized services |
| CVE-2024-49580 | | | 0.00 | — | 0.00 | | Oct 17, 2024 | In JetBrains Ktor before 2.3.13 improper caching in HttpCache Plugin could lead to response information disclosure |
| CVE-2024-49579 | | | 0.00 | — | 0.00 | | Oct 17, 2024 | In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests |
| CVE-2024-48902 | | | 0.00 | — | 0.00 | | Oct 10, 2024 | In JetBrains YouTrack before 2024.3.46677 improper access control allowed users with project update permission to delete applications via API |
| CVE-2024-47951 | | | 0.00 | — | 0.01 | | Oct 8, 2024 | In JetBrains TeamCity before 2024.07.3 stored XSS was possible via server global settings |
| CVE-2024-47950 | | | 0.00 | — | 0.01 | | Oct 8, 2024 | In JetBrains TeamCity before 2024.07.3 stored XSS was possible in Backup configuration settings |
| CVE-2024-47949 | | | 0.00 | — | 0.23 | | Oct 8, 2024 | In JetBrains TeamCity before 2024.07.3 path traversal allowed backup file write to arbitrary location |
| CVE-2024-47948 | | | 0.00 | — | 0.01 | | Oct 8, 2024 | In JetBrains TeamCity before 2024.07.3 path traversal leading to information disclosure was possible via server backups |
| CVE-2024-47161 | | | 0.00 | — | 0.00 | | Oct 8, 2024 | In JetBrains TeamCity before 2024.07.3 password could be exposed via Sonar runner REST API |
| CVE-2024-47162 | | | 0.00 | — | 0.00 | | Sep 19, 2024 | In JetBrains YouTrack before 2024.3.44799 token could be revealed on Imports page |
| CVE-2024-47160 | | | 0.00 | — | 0.00 | | Sep 19, 2024 | In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible |
| CVE-2024-47159 | | | 0.00 | — | 0.00 | | Sep 19, 2024 | In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project |
| CVE-2024-46970 | | | 0.00 | — | 0.00 | | Sep 16, 2024 | In JetBrains IntelliJ IDEA before 2024.1 HTML injection via the project name was possible |
| CVE-2024-43809 | | | 0.00 | — | 0.00 | | Aug 16, 2024 | In JetBrains TeamCity before 2024.07.1 reflected XSS was possible on the agentPushPreset page |
| CVE-2024-43808 | | | 0.00 | — | 0.00 | | Aug 16, 2024 | In JetBrains TeamCity before 2024.07.1 self XSS was possible in the HashiCorp Vault plugin |
| CVE-2024-43114 | | | 0.00 | — | 0.00 | | Aug 6, 2024 | In JetBrains TeamCity before 2024.07.1 possible privilege escalation due to incorrect directory permissions |
| CVE-2024-41829 | | | 0.00 | — | 0.00 | | Jul 22, 2024 | In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen via Space Application connection |
| CVE-2024-41828 | | | 0.00 | — | 0.00 | | Jul 22, 2024 | In JetBrains TeamCity before 2024.07 comparison of authorization tokens took non-constant time |
| CVE-2024-41827 | | | 0.00 | — | 0.00 | | Jul 22, 2024 | In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration |
| CVE-2024-41826 | | | 0.00 | — | 0.00 | | Jul 22, 2024 | In JetBrains TeamCity before 2024.07 stored XSS was possible on Show Connection page |
| CVE-2024-41824 | | | 0.00 | — | 0.00 | | Jul 22, 2024 | In JetBrains TeamCity before 2024.07 parameters of the "password" type could leak into the build log in some specific cases |
| CVE-2024-39879 | | | 0.00 | — | 0.00 | | Jul 1, 2024 | In JetBrains TeamCity before 2024.03.3 application token could be exposed in EC2 Cloud Profile settings |
| CVE-2024-39878 | | | 0.00 | — | 0.00 | | Jul 1, 2024 | In JetBrains TeamCity before 2024.03.3 private key could be exposed via testing GitHub App Connection |
| CVE-2024-38507 | | | 0.00 | — | 0.00 | | Jun 18, 2024 | In JetBrains Hub before 2024.2.34646 stored XSS via project description was possible |
| CVE-2024-38506 | | | 0.00 | — | 0.00 | | Jun 18, 2024 | In JetBrains YouTrack before 2024.2.34646 user without appropriate permissions could enable the auto-attach option for workflows |
| CVE-2024-38505 | | | 0.00 | — | 0.00 | | Jun 18, 2024 | In JetBrains YouTrack before 2024.2.34646 user access token was sent to the third-party site |
| CVE-2024-38504 | | | 0.00 | — | 0.00 | | Jun 18, 2024 | In JetBrains YouTrack before 2024.2.34646 the Guest User Account was enabled for attaching files to articles |
| CVE-2024-36470 | | | 0.00 | — | 0.00 | | May 29, 2024 | In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific edge cases |
| CVE-2024-36378 | | | 0.00 | — | 0.00 | | May 29, 2024 | In JetBrains TeamCity before 2024.03.2 server was susceptible to DoS attacks with incorrect auth tokens |
| CVE-2024-36377 | | | 0.00 | — | 0.00 | | May 29, 2024 | In JetBrains TeamCity before 2024.03.2 certain TeamCity API endpoints did not check user permissions |
| CVE-2024-36376 | | | 0.00 | — | 0.00 | | May 29, 2024 | In JetBrains TeamCity before 2024.03.2 users could perform actions that should not be available to them based on their permissions |
| CVE-2024-36375 | | | 0.00 | — | 0.00 | | May 29, 2024 | In JetBrains TeamCity before 2024.03.2 technical information regarding TeamCity server could be exposed |
| CVE-2024-36368 | | | 0.00 | — | 0.00 | | May 29, 2024 | In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 reflected XSS via OAuth provider configuration was possible |
| CVE-2024-36365 | | | 0.00 | — | 0.00 | | May 29, 2024 | In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 a third-party agent could impersonate a cloud agent |