CVE Vulnerabilities

CVE-2019-10104

Published: Jul 03, 2019 | Modified: Jun 17, 2026
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin, or CloudBees) with the default setting allowed a remote attacker to execute code when the configuration is running, because a JMX server listened on all interfaces instead of localhost only. The issue has been fixed in the following versions: 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7.

Affected Software

NameVendorStart VersionEnd Version
Intellij_ideaJetbrains2018.1 (including)2018.1.8 (excluding)
Intellij_ideaJetbrains2018.2 (including)2018.2.8 (excluding)
Intellij_ideaJetbrains2018.3 (including)2018.3.4 (excluding)
Intellij_ideaJetbrains2018.3.5 (including)2018.3.7 (excluding)
Intellij-community-ideaUbuntugroovy*
Intellij-community-ideaUbuntuhirsute*
Intellij-community-ideaUbuntuimpish*
Intellij-community-ideaUbuntukinetic*
Intellij-community-ideaUbuntulunar*
Intellij-community-ideaUbuntumantic*
Intellij-community-ideaUbuntuoracular*
Intellij-community-ideaUbuntuplucky*
Intellij-community-ideaUbuntuquesting*
Intellij-community-ideaUbuntutrusty*
Intellij-ideaUbuntutrusty*

References