Intellij Idea
Monthly
Code execution via path traversal in JetBrains IntelliJ IDEA before 2026.1.4 and 2026.2 lets an attacker abuse improper sanitization of the project workspace ID to write or reference files outside the intended workspace directory, culminating in arbitrary code execution. The flaw was self-reported by JetBrains and a fix is available; no public exploit has been identified at time of analysis. The NVD-assigned CVSS of 9.8 (network, no privileges, no user interaction) is notably high for a desktop IDE flaw and warrants scrutiny given that IDE project-handling bugs typically require a victim to open a crafted project.
XXE injection in IntelliJ IDEA's UI Designer form parser exposes local file contents to disclosure when a developer opens a maliciously crafted `.form` file in any version prior to 2026.1. The vulnerability arises because the XML parser fails to restrict external entity references (CWE-611), enabling an attacker-supplied document to read arbitrary local files accessible to the IDE process. No public exploit or CISA KEV listing exists at time of analysis; the low CVSS score of 3.3 reflects the local attack vector and requirement for user interaction, limiting real-world impact compared to network-exploitable XXE.
Command execution in JetBrains IntelliJ IDEA versions prior to 2026.1.1 allows attackers leveraging the guest user account to run arbitrary commands on the host. The flaw, reported by JetBrains and tagged as an authentication bypass affecting the IDE's collaborative/guest-access functionality, carries a CVSS 8.0 (High) rating with network attack vector but requires low-privilege access and user interaction. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Command injection in JetBrains IntelliJ IDEA before 2026.1.1 allows attackers to execute arbitrary OS commands by abusing the filename completion feature when a developer interacts with a crafted filename. The flaw is locally exploitable with user interaction required and has high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local file disclosure in IntelliJ IDEA's built-in web server allows remote attackers to read arbitrary local files via network requests requiring user interaction. JetBrains IDEA versions before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, and 2026.1.1 are affected. The vulnerability achieves scope change (CVSS S:C) enabling cross-context information theft with high confidentiality impact but no integrity or availability damage. No active exploitation (KEV-absent) or public POC identified at time of analysis, though vendor disclosure suggests controlled remediation timeline.
In JetBrains IntelliJ IDEA before 2025.2 hTML injection was possible via Remote Development feature. Rated medium severity (CVSS 5.2), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2025.2 unexpected plugin startup was possible due to automatic LSP server start. Rated medium severity (CVSS 6.5). No vendor patch available.
In JetBrains IntelliJ IDEA before 2025.2 improper access control allowed Code With Me guest to discover hidden files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2025.2 credentials disclosure was possible via remote reference. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2024.3, 2024.2.4 source code could be logged in the idea.log file. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2024.1 hTML injection via the project name was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2023.3.3 a plugin for JetBrains Space was able to send an authentication token to an inappropriate URL. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2023.3.3 path traversal was possible when unpacking archives. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin repository specified in the project configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2023.2 plugin for Space was requesting excessive permissions. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2023.1.4 license dialog could be suppressed in certain cases. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.3.1 the "Validate JSP File" action used the HTTP protocol to download required JAR files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.3 a DYLIB injection on macOS was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.3 the built-in web server allowed an arbitrary file to be read by exploiting a path traversal vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.3 the built-in web server leaked information about open projects. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.2.4 a buffer overflow in the fsnotifier daemon on macOS was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
The installer of JetBrains IntelliJ IDEA before 2022.2.2 was vulnerable to EXE search order hijacking. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.2 email address validation in the "Git User Name Is Not Defined" dialog was missed. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.2 local code execution via a Vagrant executable was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.1 local code execution via links in Quick Documentation was possible. Rated high severity (CVSS 7.7), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.1 reflected XSS via error messages in internal web server was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible. Rated low severity (CVSS 3.2), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.1 local code execution via workspace settings was possible. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.1 local code execution via HTML descriptions in custom JSON schemas was possible. Rated high severity (CVSS 7.7), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.1 local code execution via custom Pandoc path was possible. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient. Rated low severity (CVSS 2.3), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords from protected fields. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2021.3.1, local code execution via RLO (Right-to-Left Override) characters was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2021.2.4, local code execution (without permission from a user) upon opening a project was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2021.1, DoS was possible because of unbounded resource allocation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA 2020.3.3, local code execution was possible because of insufficient checks when getting the project from VCS. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to local code execution. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2020.2, HTTP links were used for several remote repositories instead of HTTPS. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2020.2, the built-in web server could expose information about the IDE version. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2020.1, the license server could be resolved to an untrusted host in some cases. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA 2019.2, an XSLT debugger plugin misconfiguration allows arbitrary file read operations over the network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Ports listened to by JetBrains IntelliJ IDEA before 2019.3 were exposed to the network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2019.3, some Maven repositories were accessed via HTTP instead of HTTPS. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
JetBrains IntelliJ IDEA before 2019.2 allows local user privilege escalation, potentially leading to arbitrary code execution. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.
JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plantuml artifact download link via a cleartext http connection. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads to saving a cleartext unencrypted record of the server credentials in the IDE. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to saving a cleartext record of the server credentials in the IDE configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute code when the configuration is running, because a JMX server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin, or CloudBees) with the default setting allowed a remote attacker to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Code execution via path traversal in JetBrains IntelliJ IDEA before 2026.1.4 and 2026.2 lets an attacker abuse improper sanitization of the project workspace ID to write or reference files outside the intended workspace directory, culminating in arbitrary code execution. The flaw was self-reported by JetBrains and a fix is available; no public exploit has been identified at time of analysis. The NVD-assigned CVSS of 9.8 (network, no privileges, no user interaction) is notably high for a desktop IDE flaw and warrants scrutiny given that IDE project-handling bugs typically require a victim to open a crafted project.
XXE injection in IntelliJ IDEA's UI Designer form parser exposes local file contents to disclosure when a developer opens a maliciously crafted `.form` file in any version prior to 2026.1. The vulnerability arises because the XML parser fails to restrict external entity references (CWE-611), enabling an attacker-supplied document to read arbitrary local files accessible to the IDE process. No public exploit or CISA KEV listing exists at time of analysis; the low CVSS score of 3.3 reflects the local attack vector and requirement for user interaction, limiting real-world impact compared to network-exploitable XXE.
Command execution in JetBrains IntelliJ IDEA versions prior to 2026.1.1 allows attackers leveraging the guest user account to run arbitrary commands on the host. The flaw, reported by JetBrains and tagged as an authentication bypass affecting the IDE's collaborative/guest-access functionality, carries a CVSS 8.0 (High) rating with network attack vector but requires low-privilege access and user interaction. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Command injection in JetBrains IntelliJ IDEA before 2026.1.1 allows attackers to execute arbitrary OS commands by abusing the filename completion feature when a developer interacts with a crafted filename. The flaw is locally exploitable with user interaction required and has high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local file disclosure in IntelliJ IDEA's built-in web server allows remote attackers to read arbitrary local files via network requests requiring user interaction. JetBrains IDEA versions before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, and 2026.1.1 are affected. The vulnerability achieves scope change (CVSS S:C) enabling cross-context information theft with high confidentiality impact but no integrity or availability damage. No active exploitation (KEV-absent) or public POC identified at time of analysis, though vendor disclosure suggests controlled remediation timeline.
In JetBrains IntelliJ IDEA before 2025.2 hTML injection was possible via Remote Development feature. Rated medium severity (CVSS 5.2), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2025.2 unexpected plugin startup was possible due to automatic LSP server start. Rated medium severity (CVSS 6.5). No vendor patch available.
In JetBrains IntelliJ IDEA before 2025.2 improper access control allowed Code With Me guest to discover hidden files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2025.2 credentials disclosure was possible via remote reference. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2024.3, 2024.2.4 source code could be logged in the idea.log file. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2024.1 hTML injection via the project name was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2023.3.3 a plugin for JetBrains Space was able to send an authentication token to an inappropriate URL. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2023.3.3 path traversal was possible when unpacking archives. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin repository specified in the project configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2023.2 plugin for Space was requesting excessive permissions. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2023.1.4 license dialog could be suppressed in certain cases. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.3.1 the "Validate JSP File" action used the HTTP protocol to download required JAR files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.3 a DYLIB injection on macOS was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.3 the built-in web server allowed an arbitrary file to be read by exploiting a path traversal vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.3 the built-in web server leaked information about open projects. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.2.4 a buffer overflow in the fsnotifier daemon on macOS was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
The installer of JetBrains IntelliJ IDEA before 2022.2.2 was vulnerable to EXE search order hijacking. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.2 email address validation in the "Git User Name Is Not Defined" dialog was missed. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.2 local code execution via a Vagrant executable was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.1 local code execution via links in Quick Documentation was possible. Rated high severity (CVSS 7.7), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.1 reflected XSS via error messages in internal web server was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible. Rated low severity (CVSS 3.2), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.1 local code execution via workspace settings was possible. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.1 local code execution via HTML descriptions in custom JSON schemas was possible. Rated high severity (CVSS 7.7), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.1 local code execution via custom Pandoc path was possible. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient. Rated low severity (CVSS 2.3), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords from protected fields. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2021.3.1, local code execution via RLO (Right-to-Left Override) characters was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2021.2.4, local code execution (without permission from a user) upon opening a project was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2021.1, DoS was possible because of unbounded resource allocation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA 2020.3.3, local code execution was possible because of insufficient checks when getting the project from VCS. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to local code execution. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2020.2, HTTP links were used for several remote repositories instead of HTTPS. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2020.2, the built-in web server could expose information about the IDE version. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2020.1, the license server could be resolved to an untrusted host in some cases. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA 2019.2, an XSLT debugger plugin misconfiguration allows arbitrary file read operations over the network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Ports listened to by JetBrains IntelliJ IDEA before 2019.3 were exposed to the network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In JetBrains IntelliJ IDEA before 2019.3, some Maven repositories were accessed via HTTP instead of HTTPS. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
JetBrains IntelliJ IDEA before 2019.2 allows local user privilege escalation, potentially leading to arbitrary code execution. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.
JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plantuml artifact download link via a cleartext http connection. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads to saving a cleartext unencrypted record of the server credentials in the IDE. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to saving a cleartext record of the server credentials in the IDE configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute code when the configuration is running, because a JMX server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin, or CloudBees) with the default setting allowed a remote attacker to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.