CVE-2019-9872

03.07.2019, 19:15

In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. If the Settings Repository plugin was then used and configured to synchronize IDE settings using a public repository, these credentials were published to this repository. The issue has been fixed in the following versions: 2019.1, 2018.3.5, 2018.2.8, and 2018.1.8.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.1 HIGH	NETWORK	HIGH	NONE	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Vendor	Product	Version
jetbrains	intellij_idea	2018.1 ≤ 𝑥 < 2018.1.8
jetbrains	intellij_idea	2018.2 ≤ 𝑥 < 2018.2.8
jetbrains	intellij_idea	2018.3 ≤ 𝑥 < 2018.3.5
jetbrains	intellij_idea	2018.3.6 ≤ 𝑥 < 2019.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-312 - Cleartext Storage of Sensitive Information
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

References

https://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/