If you’re running JetBrains YouTrack (any build before 2024.3.44799), there is a credential-exposure vulnerability you should know about: CVE-2024-47162. The flaw let a user who could open the Imports page read integration tokens in the clear, putting your connected services, and through them your project data, at risk.
This post gives a clear breakdown of what happened, why it matters, and how it can be abused. It walks through what went wrong, shows a few code examples, and points to the original advisory and CVE record.
What is JetBrains YouTrack?
JetBrains YouTrack is a popular issue tracker and project management platform used by thousands of software teams. It often connects with external tools using API tokens—these secret strings let YouTrack import and export data with other systems like Jira, GitHub, and more.
What’s the Problem? (CVE-2024-47162)
> 🚨 TL;DR: Before version 2024.3.44799, YouTrack rendered stored token values on the Imports page instead of masking them, so anyone who could load that page could read them.
How Did This Happen?
By design, a secret such as an API token should never be shown in the web interface again once it has been saved; the UI renders a placeholder like •••••••• in its place. Because of a bug, vulnerable YouTrack builds rendered the stored token itself on the Imports page under certain conditions.
1. Find an Account with Imports Access
Any account whose role lets it view or configure Imports could trigger this. No exploit beyond loading the page is needed.
2. View the Imports Page
Go to:
https://<youryoutrackdomain>/admin/imports
Look for any existing integrations—like Jira, GitHub, or other systems.
3. Inspect the Page
On vulnerable versions the real token string appears where a masked value should be. The two snippets below are illustrative shapes, not YouTrack’s actual markup or API schema:
In the rendered HTML
<input type="text" value="secret_token_goes_here" id="token-input" />
Or in a network response the page fetches while loading
{
"token": "secret_token_goes_here"
}
4. Steal & Reuse the Token
Once you have the token, you can talk to the connected service with whatever rights the legitimate integration was granted: importing and exporting, creating issues, modifying data, and so on.
Suppose it’s a GitHub personal access token; a single request confirms which account it belongs to and that it still works:
curl -H "Authorization: token secret_token_goes_here" https://api.github.com/user
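The masking rule from “How Did This Happen?” and the page inspection in step 3 both come down to one pattern: a stored secret must be write-only on the server side, and any page or API response that carries it unmasked is a leak. The following is an added example, not YouTrack’s code; the names (ImportConfig, SECRET_KEYS, find_leaked_secrets) and the sample JSON are hypothetical and constructed for illustration. It shows the vulnerable serialization beside the hardened one, the update path that must not overwrite a real token with the echoed placeholder, and a scanner you can point at the JSON an admin page fetches to find unmasked secret fields.

```python
"""Write-only secret fields, the pattern an Imports/settings page should follow.

Added example, not YouTrack's code. ImportConfig, SECRET_KEYS and the JSON
shapes below are hypothetical and constructed for illustration.
"""
from dataclasses import dataclass
from typing import Any

SECRET_KEYS = ("token", "secret", "password", "api_key", "apikey")
MASK = "\u2022" * 8  # the placeholder the UI renders instead of the stored value


@dataclass
class ImportConfig:
    name: str
    target_url: str
    token: str  # must never leave the server in clear once stored


def serialize_vulnerable(cfg: ImportConfig) -> dict[str, Any]:
    """The bug class: the stored secret is copied straight into the page/API payload."""
    return {"name": cfg.name, "target_url": cfg.target_url, "token": cfg.token}


def serialize_hardened(cfg: ImportConfig) -> dict[str, Any]:
    """The secret is write-only: the payload only tells the client whether one is set."""
    return {
        "name": cfg.name,
        "target_url": cfg.target_url,
        "token": MASK if cfg.token else "",
        "token_set": bool(cfg.token),
    }


def apply_update(cfg: ImportConfig, payload: dict[str, Any]) -> ImportConfig:
    """Accept an edited form. Because the mask round-trips unchanged, a submit that
    echoes the placeholder must keep the real token rather than store bullets."""
    new_token = payload.get("token", MASK)
    if new_token == MASK:
        new_token = cfg.token
    return ImportConfig(
        name=payload.get("name", cfg.name),
        target_url=payload.get("target_url", cfg.target_url),
        token=new_token,
    )


def _looks_masked(value: str) -> bool:
    return value == "" or set(value) <= {"\u2022", "*"}


def find_leaked_secrets(obj: Any, path: str = "$") -> list[str]:
    """Walk a JSON document and return the paths of secret-named string fields
    that are not masked. Point it at the JSON an admin page fetches."""
    leaks: list[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and any(k in key.lower() for k in SECRET_KEYS):
                if not _looks_masked(value):
                    leaks.append(child)
            else:
                leaks.extend(find_leaked_secrets(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            leaks.extend(find_leaked_secrets(value, f"{path}[{i}]"))
    return leaks


# Constructed sample: what a vulnerable Imports page's XHR response might look like.
SAMPLE_RESPONSE = {
    "imports": [
        {"name": "GitHub sync", "target_url": "https://api.github.com", "token": "ghp_EXAMPLE_not_a_real_token"},
        {"name": "Jira sync", "target_url": "https://jira.example", "token": MASK},
    ]
}

if __name__ == "__main__":
    cfg = ImportConfig("GitHub sync", "https://api.github.com", "ghp_EXAMPLE_not_a_real_token")
    print("vulnerable payload leaks:", find_leaked_secrets(serialize_vulnerable(cfg)))
    print("hardened payload leaks:  ", find_leaked_secrets(serialize_hardened(cfg)))
    print("sample XHR leaks:        ", find_leaked_secrets(SAMPLE_RESPONSE))
```

The hardened serializer never returns the stored value, only a flag that one exists, so there is nothing for the page to accidentally render. The update handler is the part that is easy to get wrong: if the form posts the placeholder back unchanged, the server must keep the existing token instead of overwriting it with bullets.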
Who Is Affected?
Everyone running a YouTrack version before 2024.3.44799.
If you ever configured Imports, and anyone who should not see those credentials had access to the Admin area, treat the tokens as exposed.
How to Fix
Upgrade to YouTrack 2024.3.44799 or later. Then rotate every token that was configured on the Imports page: revoke it at the provider (GitHub, Jira, and so on) and issue a new one. Patching stops future exposure but does nothing about a token that was already copied.
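A quick way to decide whether an instance predates the fix, as an added example that is not a JetBrains tool: parse the build string and compare it numerically against 2024.3.44799. Assumptions not taken from the advisory: version strings look like "2024.3.44799" or "2024.3 Build 44799", and the instance reports its version in the JSON of GET /api/config?fields=version; if yours differs, pass the string from the About page to is_vulnerable() directly. The sample response is constructed, not captured from a real server.

```python
"""Check whether a YouTrack build predates the fix for CVE-2024-47162.

Added example, not a JetBrains tool. Assumptions (not from the advisory):
version strings look like "2024.3.44799" or "2024.3 Build 44799", and the
instance exposes its version in the JSON of GET /api/config?fields=version.
The sample response below is constructed, not captured from a real server.
"""
import json
import re

FIXED_VERSION = "2024.3.44799"  # first build without the Imports page leak
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.|\s*build\s*)(\d+)", re.IGNORECASE)


def parse_version(s: str) -> tuple[int, int, int]:
    """Return (year, major, build) so that builds compare numerically, not as text."""
    m = _VERSION_RE.search(s)
    if not m:
        raise ValueError(f"unrecognised YouTrack version string: {s!r}")
    year, major, build = (int(x) for x in m.groups())
    return year, major, build


def is_vulnerable(version: str) -> bool:
    """True when the build is older than the first fixed build."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_config_json(body: str) -> dict:
    """Take the JSON body of /api/config (assumed endpoint) and return a verdict."""
    version = json.loads(body)["version"]
    return {"version": version, "vulnerable": is_vulnerable(version), "fixed_in": FIXED_VERSION}


SAMPLE_CONFIG = '{"$type": "Config", "version": "2024.2.12345"}'  # constructed sample

if __name__ == "__main__":
    print(check_config_json(SAMPLE_CONFIG))
```

The tuple comparison matters: comparing the strings directly would rank "2024.3.9999" above "2024.3.44799" and call a vulnerable build safe.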
Original References
- JetBrains YouTrack Security Advisory
- MITRE CVE-2024-47162 Summary
- YouTrack 2024.3.44799 Release Notes
Final Thoughts
Even mature tools like YouTrack can leak secrets in surprising ways, and a token in the wrong hands means full compromise of whatever that token can reach. Keep your systems up to date and apply least privilege to admin roles, so that as few accounts as possible can open pages that hold credentials.
If you were affected, patch fast and replace every token that was ever shown on your Imports page; the old ones should be treated as compromised.
Timeline
Published on: 09/19/2024 18:15:10 UTC
Last modified on: 09/24/2024 17:57:43 UTC