fkie_nvd - fkie_cve-2019-9186

fkie_cve-2019-9186

Vulnerability from fkie_nvd

Published

2019-07-03 19:15

Modified

2024-11-21 04:51

Severity ?

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute code when the configuration is running, because a JMX server listens on all interfaces (instead of listening on only the localhost interface). This issue has been fixed in the following versions: 2019.1, 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7.

References

▶	URL	Tags
	cve@mitre.org	https://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/	Vendor Advisory

Impacted products

Vendor	Product	Version
jetbrains	intellij_idea	*
jetbrains	intellij_idea	*
jetbrains	intellij_idea	*
jetbrains	intellij_idea	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:jetbrains:intellij_idea:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F6F6ABD2-387F-49D7-8C20-2E2D4D4F1313",
              "versionEndExcluding": "2018.1.8",
              "versionStartIncluding": "2018.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:jetbrains:intellij_idea:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A4A62C32-1751-42AC-85B9-43BE8E358930",
              "versionEndExcluding": "2018.2.8",
              "versionStartIncluding": "2018.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:jetbrains:intellij_idea:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5CD2EE41-43C6-4328-A767-7271D1BE7D1F",
              "versionEndExcluding": "2018.3.5",
              "versionStartIncluding": "2018.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:jetbrains:intellij_idea:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DA42965B-0D50-45AC-B28E-39016D2023CC",
              "versionEndExcluding": "2019.1",
              "versionStartIncluding": "2018.3.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute code when the configuration is running, because a JMX server listens on all interfaces (instead of listening on only the localhost interface). This issue has been fixed in the following versions: 2019.1, 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7."
    },
    {
      "lang": "es",
      "value": "En varias versiones de JetBrains IntelliJ IDEA, una configuraci\u00f3n de ejecuci\u00f3n Spring Boot con la configuraci\u00f3n predeterminada permiti\u00f3 a los atacantes remotos ejecutar c\u00f3digo cuando la configuraci\u00f3n se est\u00e1 ejecutando, porque un servidor JMX escucha en todas las interfaces (en lugar de escuchar solo en la interfaz localhost). Este problema se ha solucionado en las siguientes versiones: 2019.1, 2018.3.4, 2018.2.8, 2018.1.8 y 2017.3.7."
    }
  ],
  "id": "CVE-2019-9186",
  "lastModified": "2024-11-21T04:51:09.973",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-07-03T19:15:13.567",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-668"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2019-9186 (GCVE-0-2019-9186)

Vulnerability from cvelistv5

Published

2019-07-03 18:35

Modified

2024-08-04 21:38

Severity ?

CWE

Summary

References

►

URL

Tags

https://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/

x_refsource_CONFIRM