CVE-2021-43188

7.3 HIGH

📋 TL;DR

In JetBrains YouTrack Mobile for iOS before 2021.2, protection of the stored access token was incomplete. An attacker who can read the app's data on the device (physical access or malware) can recover the token and use it against the YouTrack server as that user, without knowing the password. Only the iOS app is affected; the fix is YouTrack Mobile 2021.2.

💻 Affected Systems

Products:
  • JetBrains YouTrack Mobile
Versions: All versions before 2021.2
Operating Systems: iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects iOS version of YouTrack Mobile; Android version is not affected.

📦 What is this software?

YouTrack is JetBrains' issue tracker and project management tool. YouTrack Mobile is its companion app for iOS and Android: it signs in to a YouTrack instance once and then stores an access token on the device so the user stays logged in. That stored token is what this vulnerability exposes.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal access tokens and gain full control over YouTrack accounts, accessing sensitive project data, manipulating issues, or performing unauthorized actions.

🟠 Likely Case

Attackers with physical access to the device, or malware running on it, could extract access tokens to impersonate users and access their YouTrack data.

🟢 If Mitigated

With proper mobile device management and security controls, the risk is limited to devices already compromised by malware or physical attackers.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the iOS device filesystem, either through physical access or malware. No network exposure of the YouTrack server is needed, and once the token is extracted, no further authentication is required to use it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2021.2 or later

Vendor Advisory: https://blog.jetbrains.com/blog/2021/11/08/jetbrains-security-bulletin-q3-2021/

Restart Required: Yes

Instructions:

1. Open the App Store on your iOS device.
2. Search for 'YouTrack Mobile'.
3. If an update is available, tap 'Update'.
4. Alternatively, uninstall and reinstall the app to get the latest version.
5. Updating the app does not invalidate a token that may already have been copied off the device. After updating, sign out and back in so a fresh token is issued, and revoke any sessions or tokens you do not recognize in YouTrack.

🔧 Temporary Workarounds

Disable YouTrack Mobile on iOS

Remove the vulnerable app from iOS devices until patched: long-press the YouTrack Mobile app icon, then tap 'Remove App'.

🧯 If You Can't Patch

  • Implement mobile device management (MDM) to restrict app installations and enforce security policies.
  • Use conditional access policies to require additional authentication for YouTrack access from mobile devices.

🔍 How to Verify

Check if Vulnerable:

Check the YouTrack Mobile app version in iOS Settings > General > iPhone Storage > YouTrack Mobile. Any version below 2021.2 is vulnerable.

Check Version:

There is no command-line version check for iOS apps; use the Settings path above on a single device, or the app inventory of your MDM to list the installed YouTrack Mobile version across the fleet.

Verify Fix Applied:

Verify the app version is 2021.2 or higher in iOS Settings (or in the MDM inventory). Compare versions numerically, not as strings: a lexical comparison puts "2021.10" before "2021.2".

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns from iOS devices
  • An existing access token appearing from a new IP address or device without a preceding login; a stolen token skips the login step entirely, so failed-login bursts are not the expected precursor

Network Indicators:

  • YouTrack API requests with stolen tokens from unexpected IP addresses

SIEM Query (pseudo-query; adapt to your SIEM's syntax and your YouTrack log fields):

source="youtrack" AND (device_type="ios" OR user_agent CONTAINS "iOS") AND action="authentication" AND result="success" AND version<"2021.2"

This query inventories successful logins from pre-2021.2 iOS clients; it does not detect exploitation. Note that `version<"2021.2"` is a string comparison in most query languages and will misorder multi-digit minor versions (e.g. "2021.10" sorts before "2021.2"); parse the version numerically where your SIEM allows it. The exploitation signal is the same token being used from a second IP address or user agent shortly after it was seen on the legitimate device.
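The two checks above, the version comparison from "How to Verify" and the token-reuse signal from "Detection & Monitoring", worked through as an added example. This is not JetBrains code and does not assume YouTrack's real log format: the log lines are constructed for the example as one JSON object per line with fields ts, user, token_sha256, ip and user_agent, and the app is assumed to identify itself as "YouTrackMobile/<version>" in the User-Agent header.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Version in which JetBrains fixed the token protection (from the advisory).
FIXED_VERSION = (2021, 2)
# Assumption for this example: the app reports "YouTrackMobile/<version>" in its User-Agent.
UA_VERSION_RE = re.compile(r"YouTrackMobile/(\d+(?:\.\d+)*)")
# A token seen from two different IPs inside this window is treated as reuse.
REUSE_WINDOW = timedelta(minutes=10)

# Constructed sample log for this example; the field names and token fingerprints are made up.
SAMPLE_LOG = """\
{"ts": "2021-11-09T08:00:01Z", "user": "alice", "token_sha256": "3f1a9c2e", "ip": "198.51.100.10", "user_agent": "YouTrackMobile/2021.1.2 iOS/15.0"}
{"ts": "2021-11-09T08:03:15Z", "user": "alice", "token_sha256": "3f1a9c2e", "ip": "203.0.113.77", "user_agent": "YouTrackMobile/2021.1.2 iOS/15.0"}
{"ts": "2021-11-09T08:05:00Z", "user": "bob", "token_sha256": "c3d4e5f6", "ip": "198.51.100.22", "user_agent": "YouTrackMobile/2021.2.0 iOS/15.1"}
{"ts": "2021-11-09T09:30:00Z", "user": "bob", "token_sha256": "c3d4e5f6", "ip": "198.51.100.23", "user_agent": "YouTrackMobile/2021.2.0 iOS/15.1"}
{"ts": "2021-11-09T08:06:00Z", "user": "carol", "token_sha256": "a7b8c9d0", "ip": "198.51.100.30", "user_agent": "YouTrackMobile/2021.10.0 iOS/15.1"}
"""


def parse_version(text):
    """'2021.1.2' -> (2021, 1, 2); tuples compare field by field, numerically."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable_version(text):
    """True for any YouTrack Mobile build older than 2021.2 (2021.10 is newer, not older)."""
    return parse_version(text) < FIXED_VERSION


def parse_events(log_text):
    """Parse the JSON-lines log into dicts with a UTC datetime and the app version pulled from the UA."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        match = UA_VERSION_RE.search(rec["user_agent"])
        rec["app_version"] = match.group(1) if match else None
        events.append(rec)
    return events


def find_token_reuse(events, window=REUSE_WINDOW):
    """Return {token_fingerprint: sorted IPs} for tokens used from more than one IP inside `window`."""
    by_token = defaultdict(list)
    for ev in events:
        by_token[ev["token_sha256"]].append(ev)
    hits = {}
    for token, evs in by_token.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            ips = {first["ip"]}
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # events are sorted, so nothing later fits the window either
                ips.add(later["ip"])
            if len(ips) > 1:
                hits[token] = sorted(ips)
                break
    return hits


def find_vulnerable_clients(events):
    """Return {user: app_version} for requests from builds older than 2021.2."""
    return {ev["user"]: ev["app_version"] for ev in events
            if ev["app_version"] and is_vulnerable_version(ev["app_version"])}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("token reuse:", find_token_reuse(evs))          # alice's token from two IPs within 4 minutes
    print("pre-2021.2 clients:", find_vulnerable_clients(evs))  # alice only; carol's 2021.10.0 is newer
```

On the sample, alice's token is flagged because it is used from a second address three minutes after the first, while bob's two addresses are 85 minutes apart and fall outside the window; carol's 2021.10.0 build is correctly treated as newer than 2021.2, which a string comparison would get wrong. A phone moving between Wi-Fi and cellular will also trip the IP check, so in production pair it with a user-agent or device-identifier change, or with geographic distance, before alerting.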

🔗 References

  • JetBrains Security Bulletin Q3 2021: https://blog.jetbrains.com/blog/2021/11/08/jetbrains-security-bulletin-q3-2021/
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-43188