CVE-2021-25769

7.5 HIGH

📋 TL;DR

This vulnerability in JetBrains YouTrack prevents administrators from accessing attachments stored in the system. It affects YouTrack administrators who need to review or manage user-uploaded files. The issue existed in versions before 2020.4.6808.

💻 Affected Systems

Products:
  • JetBrains YouTrack
Versions: All versions before 2020.4.6808
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects YouTrack administrators; regular users can still access their own attachments normally.

📦 What is this software?

JetBrains YouTrack is a web-based issue tracker and project management tool. It ships as a self-hosted server (standalone distribution or the jetbrains/youtrack Docker image) and as the JetBrains-hosted YouTrack InCloud service. Users attach files to issues and comments; those user-uploaded attachments are what this advisory concerns.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Administrators cannot retrieve attachments needed for an investigation, audit, or support case through the YouTrack interface, so evidence collection stalls until the files are recovered another way (see the workarounds below).

🟠

Likely Case

Administrators experience workflow disruption when trying to access user-submitted attachments for troubleshooting, moderation, or administrative review.

🟢

If Mitigated

Administrators use alternative methods to access attachment content or rely on users to resubmit files through other channels.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: ✅ No
Unauthenticated Exploit: ✅ No
Complexity: LOW

This is a loss-of-function (availability) defect rather than an exploitable weakness: no attacker action is described, administrators simply cannot open attachments through the normal interface. Read the 7.5 base score in that light; the operational impact is the "Likely Case" above, not disclosure or modification of data.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2020.4.6808 and later

Vendor Advisory: https://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020/

Restart Required: Yes

Instructions:

1. Back up the YouTrack database and data directory (YouTrack's built-in database backup, or your own snapshot) before touching the installation.
2. Download YouTrack 2020.4.6808 or later from the JetBrains website; for Docker deployments, pull the matching jetbrains/youtrack image tag.
3. Follow the YouTrack upgrade documentation for your deployment method (Docker, standalone, etc.).
4. Restart the YouTrack service after the upgrade and confirm the new build number on the About page.

YouTrack InCloud (JetBrains-hosted) instances are upgraded by JetBrains; the steps above apply to self-hosted installations.

🔧 Temporary Workarounds

Direct database access for attachments (all platforms)

Read attachment content from the YouTrack data store, or from the external file storage if the instance is configured to use one. Work from a backup copy rather than the live data directory of the running server, restrict and log who performs this access, and treat every extracted file as untrusted user-uploaded content.

User-assisted access (all platforms)

Have users download and resend attachments through an alternative channel when administrative review is needed.

🧯 If You Can't Patch

  • Implement strict access controls and monitoring for direct database/file system access to attachments
  • Establish alternative procedures for evidence collection and compliance documentation that don't rely on YouTrack attachment access

🔍 How to Verify

Check if Vulnerable:

Check the YouTrack version in Administration → Global Settings → About. If the version is below 2020.4.6808, the system is vulnerable. Compare the year.release.build components numerically, not as text: a build number such as 10000 sorts before 6808 in a plain string comparison.

Check Version:

Check the About page in YouTrack web interface or examine the YouTrack server logs for version information

Verify Fix Applied:

After upgrading to 2020.4.6808 or later, verify administrators can successfully access attachments through the YouTrack interface.
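The checks above, as an added example script (not JetBrains code and not part of the advisory): the offline part parses the version string from the About page and compares it numerically against 2020.4.6808; the optional live part asks the YouTrack REST API to list one issue's attachments with a permanent token and then downloads the first one, which is the action the advisory says fails for administrators. The REST paths used for the live check (/api/issues/{issue}/attachments and the attachment's own url field), the Bearer-token header, the issue ID and the sample version strings are assumptions or constructed inputs; confirm the paths against the REST API reference for your build before relying on them.

```python
"""Added example for CVE-2021-25769 (not JetBrains code).

Offline: decide whether a YouTrack version string is in the affected range.
Live (optional): confirm an administrator token can list and download an
attachment after the upgrade.

Assumptions, not taken from the advisory:
  - REST paths follow the YouTrack REST API for issue attachments:
      GET {base}/api/issues/{issue}/attachments?fields=id,name,url
      GET <attachment url>          (url is server-relative)
  - authentication is a permanent token sent as 'Authorization: Bearer ...'
"""
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

FIXED_VERSION = "2020.4.6808"  # first fixed build, per the vendor bulletin


def parse_version(text: str) -> tuple:
    """Extract the first dotted version token ('2020.4.6808') as a tuple of ints.

    Comparing raw strings is the classic mistake: '2020.4.10000' < '2020.4.6808'
    as text, so a newer build would be reported as vulnerable. Tuples of ints
    compare component by component instead.
    """
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no dotted version found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_vulnerable(version: str) -> bool:
    """True if `version` is older than the first fixed build.

    A version with no build component (e.g. '2020.4') cannot be proven fixed
    and is treated as vulnerable.
    """
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_attachment_access(base_url: str, token: str, issue_id: str,
                            timeout: float = 10.0) -> dict:
    """List `issue_id`'s attachments and download the first one as the token owner.

    Returns the HTTP status of each step. After the upgrade an administrator
    should see 200 on both; a failure on the download step is the symptom the
    advisory describes. Endpoint paths are assumptions (see module docstring).
    """
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    list_url = urllib.parse.urljoin(
        base_url.rstrip("/") + "/",
        f"api/issues/{urllib.parse.quote(issue_id)}/attachments?fields=id,name,url",
    )
    result = {"list_status": None, "download_status": None, "attachment": None}
    try:
        req = urllib.request.Request(list_url, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            result["list_status"] = resp.status
            attachments = json.load(resp)
    except urllib.error.HTTPError as err:
        result["list_status"] = err.code
        return result
    if not attachments:
        return result  # issue has no attachments; nothing to download

    first = attachments[0]
    result["attachment"] = first.get("name")
    # The url field is server-relative; urljoin keeps the host and drops the
    # base path, which is what a leading-slash path requires.
    download_url = urllib.parse.urljoin(base_url, first["url"])
    try:
        req = urllib.request.Request(download_url, headers={"Authorization": headers["Authorization"]})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            result["download_status"] = resp.status
            resp.read(1)  # one byte is enough to prove the body is being served
    except urllib.error.HTTPError as err:
        result["download_status"] = err.code
    return result


if __name__ == "__main__":
    # Usage: python check_youtrack.py <version-from-About-page> [base_url token issue_id]
    version = sys.argv[1] if len(sys.argv) > 1 else FIXED_VERSION
    print(f"{version}: {'VULNERABLE (below ' + FIXED_VERSION + ')' if is_vulnerable(version) else 'fixed'}")
    if len(sys.argv) == 5:
        print(check_attachment_access(sys.argv[2], sys.argv[3], sys.argv[4]))
```

Run the offline check with the version string copied from the About page; run the live check only from an account that holds an administrative role, since a 403 from an ordinary user tells you nothing about this defect.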

📡 Detection & Monitoring

Log Indicators:

  • Administrator login attempts followed by attachment access failures in YouTrack logs
  • Error messages related to attachment access permissions in server logs

Network Indicators:

  • Increased administrator requests to attachment endpoints with subsequent error responses

SIEM Query:

source="youtrack" AND ("attachment" AND ("access denied" OR "permission" OR "not found")) AND user_role="admin"

The field names above (source, user_role) are placeholders, not YouTrack log fields: map them to the fields your YouTrack or reverse-proxy log source actually exposes, and derive the administrator set from your user directory or YouTrack's user list, since access logs carry the account name at best, not its role.

🔗 References

  • JetBrains Security Bulletin Q4 2020: https://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020/
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-25769
