CVE-2021-43185
📋 TL;DR
CVE-2021-43185 is a Host header injection vulnerability in JetBrains YouTrack that allows attackers to manipulate HTTP Host headers to perform web cache poisoning, redirect users to malicious sites, or bypass authentication. This affects all YouTrack instances running versions before 2021.3.23639.
💻 Affected Systems
- JetBrains YouTrack
📦 What is this software?
YouTrack by JetBrains, a web-based issue tracker and project management tool.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could redirect all users to malicious phishing sites, steal session cookies, bypass authentication mechanisms, or poison web caches to serve malicious content.
Likely Case
Web cache poisoning leading to users being redirected to attacker-controlled domains, potentially enabling credential theft or malware distribution.
If Mitigated
With proper network segmentation and web application firewalls, impact is limited to potential cache poisoning within the application's own domain.
🎯 Exploit Status
Host header injection is a well-known attack vector with simple exploitation techniques. The vulnerability requires no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021.3.23639 and later
Vendor Advisory: https://blog.jetbrains.com/blog/2021/11/08/jetbrains-security-bulletin-q3-2021/
Restart Required: Yes
Instructions:
1. Download YouTrack version 2021.3.23639 or later from the JetBrains website.
2. Back up your current YouTrack installation.
3. Stop the YouTrack service.
4. Install the updated version.
5. Start the YouTrack service.
6. Verify the update was successful.
🔧 Temporary Workarounds
Configure Reverse Proxy Host Validation
Configure your reverse proxy (nginx, Apache, etc.) to validate the Host header against the hostnames YouTrack is actually served under and reject anything else before forwarding the request to YouTrack.
# For nginx: declare an explicit server_name for the YouTrack vhost, add a default_server block that answers unmatched Host values with 'return 444;', and set a known-good value with proxy_set_header Host (your YouTrack hostname) rather than passing the client's header through unchanged via $http_host
# For Apache: set ServerName/ServerAlias on the YouTrack vhost and use mod_headers or mod_rewrite to reject requests whose Host header is not on the expected list
Web Application Firewall Rules
Implement WAF rules that allow only the legitimate hostnames in the Host header and block everything else.
# Example ModSecurity rule (allowlist, deny on mismatch):
SecRule REQUEST_HEADERS:Host "!@rx ^(yourdomain\.com|localhost)$" "id:1001,phase:1,deny"
# Extend the pattern if clients legitimately send a port suffix, e.g. ^(yourdomain\.com(:443)?|localhost)$
🧯 If You Can't Patch
- Implement strict network segmentation to isolate YouTrack from untrusted networks
- Deploy a web application firewall with specific rules to validate and sanitize Host headers
🔍 How to Verify
Check if Vulnerable:
Check your YouTrack version via the web interface (Help → About) or via the API at /api/admin/version. If the version is below 2021.3.23639, you are vulnerable.
Check Version:
curl -s http://youtrack-instance/api/admin/version | grep -o '"version":"[^"]*"'
Verify Fix Applied:
After patching, verify version is 2021.3.23639 or higher. Test with a controlled Host header injection attempt to confirm mitigation.
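The version check above compares dotted build numbers, and a plain string comparison gets it wrong (as a string, "2021.3.9000" sorts after "2021.3.23639"). The following is an added example, not code from the page or from JetBrains; it assumes the version endpoint returns a JSON object with a "version" field, and the sample response body is constructed for the example.

```python
import json
import re

# Fixed build stated in this advisory summary.
FIXED_VERSION = "2021.3.23639"


def parse_version(version):
    """Split a YouTrack version string such as '2021.3.23639' into a tuple of
    integers so it compares numerically rather than lexicographically."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the reported build is older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def version_from_response(body):
    """Extract the version field from the JSON document the page's curl
    command reads (the response shape is an assumption of this example)."""
    return json.loads(body)["version"]


# Constructed sample response, not captured from a real instance.
SAMPLE_BODY = '{"version":"2021.3.9000"}'

if __name__ == "__main__":
    v = version_from_response(SAMPLE_BODY)
    print(v, "vulnerable" if is_vulnerable(v) else "patched")
```

Feed the function the body returned by the curl command in the Check Version step; anything that parses below 2021.3.23639 still needs the patch.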
📡 Detection & Monitoring
Log Indicators:
- Unusual Host header values in access logs
- Multiple requests with different Host headers from same source
- Requests with Host headers containing special characters or IP addresses
Network Indicators:
- HTTP requests with manipulated Host headers
- Unusual redirect patterns in HTTP traffic
SIEM Query:
source="youtrack" AND (NOT http.host="<your-youtrack-hostname>" OR http.host CONTAINS ".." OR http.host CONTAINS "@" OR http.host CONTAINS "\\" OR http.host="localhost")
# Replace <your-youtrack-hostname> with the hostname YouTrack is served under; the backslash test is escaped as "\\" so the query itself stays well-formed
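The workaround section (proxy/WAF Host allowlisting) and the log indicators above both come down to the same question: does a given Host header value parse cleanly and name a host this instance actually serves? The following added example, which is not code from the page or from JetBrains, implements that check once and then runs the page's log indicators over access-log lines. It assumes a combined-format access log with a trailing host="..." field, and the allowlisted hostnames and the sample log lines are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Hostnames this YouTrack deployment is legitimately served under.
# Constructed placeholder values for this example; replace with your own.
ALLOWED_HOSTS = {"youtrack.example.com", "localhost"}

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$")


def normalize_host(raw):
    """Parse a Host header value into (hostname, port), or return None when it
    is malformed. Accepts 'host', 'host:port' and bracketed IPv6 literals;
    rejects userinfo ('@'), path characters, whitespace and bad ports."""
    if raw is None:
        return None
    value = raw.strip().lower()
    if not value or any(c in value for c in "@/\\ \t"):
        return None
    if value.startswith("["):                      # IPv6 literal such as [::1]:8080
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            return None
        rest = rest[1:]
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            return None
    else:
        if value.count(":") > 1:                   # unbracketed IPv6 is not valid here
            return None
        host, _, rest = value.partition(":")
        if not _HOSTNAME_RE.match(host):
            return None
    port = None
    if rest:
        if not rest.isdigit() or not 0 < int(rest) < 65536:
            return None
        port = int(rest)
    return host, port


def is_allowed_host(raw, allowed=ALLOWED_HOSTS):
    """The check a reverse proxy or WAF applies before forwarding: the header
    must parse cleanly and the hostname must be on the allowlist."""
    parsed = normalize_host(raw)
    return parsed is not None and parsed[0] in allowed


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Assumed access-log layout: combined format plus a trailing host="..." field.
LOG_LINE_RE = re.compile(
    r'^(?P<src>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) host="(?P<host>[^"]*)"$')

# Constructed sample lines, not captured from a real instance.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Nov/2021:10:00:01 +0000] "GET /issues HTTP/1.1" 200 512 host="youtrack.example.com"',
    '203.0.113.9 - - [08/Nov/2021:10:00:02 +0000] "GET /issues HTTP/1.1" 200 512 host="youtrack.example.com:443"',
    '198.51.100.4 - - [08/Nov/2021:10:00:03 +0000] "GET /login HTTP/1.1" 302 0 host="attacker.example.net"',
    '198.51.100.4 - - [08/Nov/2021:10:00:04 +0000] "GET /login HTTP/1.1" 302 0 host="youtrack.example.com@attacker.example.net"',
    '198.51.100.4 - - [08/Nov/2021:10:00:05 +0000] "GET /login HTTP/1.1" 200 0 host="10.0.0.5"',
]


def scan_access_log(lines, allowed=ALLOWED_HOSTS, distinct_threshold=2):
    """Apply the page's log indicators: unexpected or malformed Host values,
    IP-literal Hosts, and one source cycling through several Host values.
    Returns (line_no, source, reason) tuples; line_no is None for per-source findings."""
    findings = []
    hosts_by_source = defaultdict(set)
    for no, line in enumerate(lines, 1):
        m = LOG_LINE_RE.match(line)
        if not m:
            findings.append((no, None, "unparseable line"))
            continue
        src, raw_host = m["src"], m["host"]
        hosts_by_source[src].add(raw_host)
        parsed = normalize_host(raw_host)
        if parsed is None:
            findings.append((no, src, f"malformed Host header {raw_host!r}"))
        elif is_ip_literal(parsed[0]):
            findings.append((no, src, f"IP literal in Host header {raw_host!r}"))
        elif parsed[0] not in allowed:
            findings.append((no, src, f"Host {parsed[0]!r} not in allowlist"))
    for src, hosts in hosts_by_source.items():
        if len(hosts) >= distinct_threshold:
            findings.append((None, src, f"{len(hosts)} distinct Host values from one source"))
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Normalizing before comparing matters in both places: a proxy that compares the raw header will reject legitimate "youtrack.example.com:443" requests or, worse, accept "youtrack.example.com@attacker.example.net" if it only checks a prefix, and the same parser lets the log scan treat a port suffix as benign while still flagging userinfo, IP literals and hosts outside the allowlist. The per-source count implements the "multiple requests with different Host headers from same source" indicator; tune distinct_threshold to your traffic.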