In early 2022, a critical vulnerability, CVE-2022-24442, was disclosed in JetBrains YouTrack, a popular issue tracker used by software teams globally. The bug was a Server-Side Template Injection (SSTI) in FreeMarker templates, and a successful injection lets an attacker run arbitrary code on the server. In this post we break down what happened, how the exploit works, and why you should patch your YouTrack server as soon as possible.

What is JetBrains YouTrack?

YouTrack is JetBrains' issue tracker: teams use it to track bugs, features and support tasks across their development process. It is widely used because of its flexibility and extensive customization options. To support those features, YouTrack uses FreeMarker templates to render some of its dynamic content.

About FreeMarker & Server-Side Template Injection

FreeMarker is a popular Java-based template engine. A developer writes a template containing placeholders such as ${issue.summary}, and FreeMarker fills them from a data model to produce HTML or other text. Like every template engine, FreeMarker cannot tell template code the developer wrote apart from template code an attacker smuggled in: if user-supplied data ends up inside the template source instead of in the data model, the engine parses and evaluates it. That is SSTI.

Server-Side Template Injection (SSTI) means an attacker places template syntax in an input field and the server, instead of displaying it as text, executes it as part of a template. Because template engines usually expose the host language (here Java), SSTI is frequently a direct path to remote code execution.

The Root of CVE-2022-24442

In versions of JetBrains YouTrack before 2021.4.40426, user-controlled input could reach FreeMarker rendering without being kept out of the template source. The public CVE description is terse: SSTI was possible through FreeMarker templates. It does not name the exact input path, so the fields used as examples in this post (custom fields, filters, issue summaries, comments) are illustrative rather than confirmed attack vectors. Wherever such input was rendered as template code, an attacker could inject FreeMarker directives and, if the engine's class resolver allowed it, execute arbitrary code, potentially leading to a full server compromise.

How Could it Be Exploited?

This vulnerability could be triggered by supplying FreeMarker expressions in a user-controlled field that ends up in template source. A simplified flow:

1. The attacker submits a specially crafted string containing FreeMarker code in a field (e.g. an issue summary, comment, or custom attribute).

2. YouTrack stores the input as-is.

3. Later, when another user or an admin views or processes the data, the server renders it as part of a FreeMarker template, and the injected code is evaluated.

Suppose the issue summary is the vulnerable field. The first thing an attacker (or a pentester) submits is a harmless probe that reveals whether the field is evaluated at all:

${7*7}

If the rendered page shows 49 instead of the literal ${7*7}, the input reached the template parser and the field is injectable.

Once evaluation is confirmed, FreeMarker payloads can reach Java. The classic one instantiates the engine's own freemarker.template.utility.Execute helper with the ?new built-in and runs a shell command; here, id on a Linux host:

<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id") }

If it works, the command output (the account the server runs as) appears right in the rendered response. That is already arbitrary command execution on the YouTrack host; from there an attacker can read configuration and credentials, add administrator accounts, or pivot to other systems.

One caveat matters when testing: whether ?new may instantiate Execute depends on the engine's new_builtin_class_resolver setting. FreeMarker's default resolver refuses Execute and ObjectConstructor when incompatible_improvements is 2.3.17 or later, while applications that still construct FreeMarker with older compatibility settings, or that choose UNRESTRICTED_RESOLVER, remain fully exposed. A blocked ?new does not make the injection safe: the attacker still controls the template logic and can read anything reachable through the data model.
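To make the flow and the payload above concrete, here is a small Java program written for this post. It is not YouTrack or JetBrains code, and the class and method names, the "summary" field and the HTML wrapper are assumptions for illustration. It shows the vulnerable pattern (the user's string is concatenated into template source), the safe pattern (the same string passes through the data model), and the FreeMarker hardening settings that refuse the ?new payload even when template source is attacker-influenced.

```java
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateClassResolver;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

// Added example for this post; not YouTrack or JetBrains code.
public class FreeMarkerSstiDemo {

    // Constructed attacker inputs: the evaluation probe and the command-execution payload.
    static final String PROBE = "${7*7}";
    static final String EXEC_PAYLOAD =
            "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ ex(\"id\") }";

    // Baseline engine setup with HTML auto-escaping for ${...} output.
    static Configuration baseConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);
        return cfg;
    }

    // Defence in depth: ?new may instantiate nothing at all (stricter than the default
    // SAFER_RESOLVER, which only blocks a short list such as Execute), and ?api stays off.
    static Configuration hardenedConfiguration() {
        Configuration cfg = baseConfiguration();
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    // VULNERABLE: the user's string is concatenated into the template source, so the
    // parser sees and evaluates any ${...} or <#...> it contains.
    static String renderVulnerable(Configuration cfg, String userSummary)
            throws IOException, TemplateException {
        String source = "<h1>Issue: " + userSummary + "</h1>";
        Template t = new Template("summary", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    // SAFE: the template is a fixed, developer-authored string; the user's string is a
    // data-model value that gets printed (HTML-escaped) but never parsed as template code.
    static String renderSafe(Configuration cfg, String userSummary)
            throws IOException, TemplateException {
        Template t = new Template("summary",
                new StringReader("<h1>Issue: ${summary}</h1>"), cfg);
        Map<String, Object> model = new HashMap<>();
        model.put("summary", userSummary);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();

        // Injected path: the probe is evaluated and the page shows "Issue: 49".
        System.out.println(renderVulnerable(cfg, PROBE));

        // Data-model path: the probe is printed verbatim as "Issue: ${7*7}".
        System.out.println(renderSafe(cfg, PROBE));

        // Data-model path with the real payload: printed as escaped text, nothing runs.
        System.out.println(renderSafe(cfg, EXEC_PAYLOAD));

        // Injected path with the real payload on the hardened engine: the class resolver
        // refuses the ?new built-in and FreeMarker throws instead of running id.
        try {
            renderVulnerable(cfg, EXEC_PAYLOAD);
            System.out.println("payload ran: engine is NOT hardened");
        } catch (TemplateException e) {
            System.out.println("blocked by class resolver: " + e.getMessage());
        }
    }
}
```

The decisive difference is renderVulnerable versus renderSafe: no amount of output escaping helps once untrusted text has become template source, because the parser runs before escaping does. The hardened configuration is a second layer for the case where template source is editable by design (notification or report templates, for instance): it turns the Execute gadget into a TemplateException, but it does not remove the attacker's control over template logic, so the first layer remains the real fix.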

Responsible Disclosure and Fix

JetBrains fixed the vulnerability in YouTrack 2021.4.40426, released in February 2022, and published the details alongside the CVE.

- JetBrains Security Advisory (YSA-2022-02)
- NVD CVE Entry

If you run YouTrack on-premises, upgrade to at least 2021.4.40426 now. Until you can, treat every place that renders user-supplied text through FreeMarker as a potential injection point.
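If you want to hunt for exploitation attempts while the upgrade rolls out, the following Java class, added for this post and not a JetBrains tool, flags strings that look like FreeMarker probes or payloads. Run it over whatever user-supplied text you can export from the tracker or your reverse proxy logs: issue titles, comments, custom field values, request bodies. The sample values are constructed; the ?api sample imitates the shape of such payloads and is not a verified gadget chain.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example for this post; not YouTrack or JetBrains code.
public class FreeMarkerPayloadDetector {

    // Indicators of FreeMarker template syntax in text that should be plain data,
    // ordered from the generic arithmetic probe to the specific code-execution gadgets.
    static final Pattern[] INDICATORS = {
        Pattern.compile("\\$\\{[^}]*[*+/-][^}]*\\}"),                            // ${7*7}-style probe
        Pattern.compile("<#(assign|if|list|import|include|macro|function)\\b"),  // FTL directives
        Pattern.compile("\\?new\\s*\\("),                                         // class instantiation built-in
        Pattern.compile("\\?api\\b"),                                             // raw Java object access built-in
        Pattern.compile("freemarker\\.template\\.utility\\.(Execute|ObjectConstructor|JythonRuntime)")
    };

    // Returns the matched fragment for every indicator that fires; an empty list means clean.
    static List<String> findings(String text) {
        List<String> hits = new ArrayList<>();
        for (Pattern p : INDICATORS) {
            Matcher m = p.matcher(text);
            if (m.find()) {
                hits.add(m.group());
            }
        }
        return hits;
    }

    static boolean isSuspicious(String text) {
        return !findings(text).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample values, as they might appear in exported issue summaries
        // or in field values recovered from request logs.
        String[] samples = {
            "Login button is misaligned on Firefox 97",
            "Invoice shows ${amount} twice",          // template-like but harmless: no operator, no directive
            "${7*7}",
            "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ ex(\"id\") }",
            "Title ${issue.summary?api.getClass().forName(\"java.lang.Runtime\")}"
        };
        for (String s : samples) {
            List<String> hits = findings(s);
            System.out.printf("%-8s %s%n", hits.isEmpty() ? "clean" : "SUSPECT", s);
            for (String h : hits) {
                System.out.println("         matched: " + h);
            }
        }
    }
}
```

A hit is a reason to look at the record, not proof of compromise: legitimate text can contain ${...} or an arithmetic expression. The directive, ?new and Execute indicators are far more specific, and a single value that fires two or more of them deserves an incident-response look at who submitted it and which templates rendered it.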

References and More Reading

- Original CVE entry
- NVD Details
- JetBrains YouTrack Security Update
- FreeMarker Documentation: Template Language
- SSTI Explained by PortSwigger

Final Thoughts

CVE-2022-24442 is a classic example of why untrusted input must never become part of a template and why template engines should run in hardened configurations, especially in admin-facing applications. SSTI vulnerabilities rarely stop at leaking data; they routinely end in full server compromise. If you run JetBrains YouTrack on your own infrastructure, make this upgrade a priority.

Timeline

Published on: 02/25/2022 20:15:00 UTC
Last modified on: 03/04/2022 02:56:00 UTC