CVE-2024-35299

5.9 MEDIUM

📋 TL;DR

YouTrack builds before 2024.1.29548 did not check that the certificate presented by an SMTPS mail server actually matched the hostname configured for that server. An attacker on the network path between YouTrack and the mail server can therefore impersonate the server with any certificate YouTrack's trust store accepts, for example a legitimately issued certificate for a domain the attacker owns, and then read, alter or suppress the notification mail YouTrack sends and capture any SMTP credentials YouTrack authenticates with. Organizations whose YouTrack sends email over SMTPS are affected.

💻 Affected Systems

Products:
  • JetBrains YouTrack
Versions: All versions before 2024.1.29548
Operating Systems: All platforms running YouTrack
Default Config Vulnerable: ⚠️ Yes, once outgoing mail is configured over SMTPS
Notes: Only installations that send mail over SMTPS (implicit TLS, usually TCP 465) are exposed. Installations with no outgoing mail server configured are not reachable through this flaw.

📦 What is this software?

JetBrains YouTrack is an issue tracker and project management server. Self-hosted installations deliver notifications, invitations and password-reset mail through an outgoing mail server that the administrator configures; the SMTPS option for that connection is where this flaw lives.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker on the path between YouTrack and its mail server impersonates the server with any certificate that YouTrack's trust store accepts, regardless of the name on it. From there they capture the SMTP username and password YouTrack authenticates with (where SMTP AUTH is configured), read every outgoing notification, including invitation and password-reset links, and can alter or drop messages before relaying them to the real server.

🟠 Likely Case

Outgoing notification mail is read or modified in transit, exposing issue content to an unauthorized party or letting the attacker splice phishing content into mail that recipients trust because it comes from YouTrack.

🟢 If Mitigated

With the YouTrack-to-mail-server path confined to a trusted network segment and monitored, the residual risk is interception by someone who is already inside that segment.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

Note: the exposure that matters is the network path from YouTrack to the mail server, not whether YouTrack itself is reachable from the Internet. An internal YouTrack that sends through a hosted mail provider still crosses untrusted networks on every message.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes (no YouTrack account is needed, but an on-path network position is)
Complexity: MEDIUM

Requires an on-path position between YouTrack and its mail server (a compromised router or switch, rogue DNS, ARP spoofing or similar) plus a certificate that YouTrack's trust store accepts, such as a legitimately issued certificate for a domain the attacker controls. The advisory names only the missing hostname check, so a self-signed certificate should still fail the chain validation that does run; the practical attacker certificate is one from a trusted CA, issued for any name.
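The check that a vulnerable client skips, shown as an added example (illustrative Python, not YouTrack's code): after the certificate chain has been validated, the client still has to confirm that one of the certificate's subjectAltName entries matches the hostname it dialed. The flawed and the correct acceptance decisions sit side by side; the hostnames and SAN lists below are constructed for the demonstration, and the SAN list uses the same shape Python's ssl.getpeercert() returns.

```python
"""RFC 6125-style hostname check a TLS client must perform after it has
validated the certificate chain. Added example, not YouTrack's code.

The subjectAltName list is given in the shape ssl.getpeercert() returns
in Python: [("DNS", "smtp.example.com"), ("IP Address", "192.0.2.10")].
"""
import ipaddress


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN entry against the hostname the client dialed.

    Comparison is case-insensitive and ignores trailing dots. A single
    '*' is accepted only as the whole leftmost label, must be followed by
    at least two more labels, and matches exactly one label: so
    *.example.com covers smtp.example.com but not example.com or
    a.b.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def names_match(hostname: str, san: list[tuple[str, str]]) -> bool:
    """True if the dialed hostname is covered by the certificate's SANs.

    If the client dialed an IP literal, only iPAddress entries count;
    a DNS entry that merely looks like an IP does not satisfy it.
    """
    try:
        dialed_ip = ipaddress.ip_address(hostname)
    except ValueError:
        dialed_ip = None
    for kind, value in san:
        if dialed_ip is not None:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == dialed_ip:
                    return True
            except ValueError:
                continue
        elif kind == "DNS" and _dns_name_matches(value, hostname):
            return True
    return False


def accept_server_vulnerable(chain_trusted: bool, hostname: str, san) -> bool:
    """Flawed client (the bug class of CVE-2024-35299): any chain-valid
    certificate is accepted, whoever it was issued to."""
    return chain_trusted


def accept_server_fixed(chain_trusted: bool, hostname: str, san) -> bool:
    """Correct client: the chain must validate AND a SAN must match."""
    return chain_trusted and names_match(hostname, san)


# Constructed scenario: YouTrack is configured to deliver via this host.
CONFIGURED_HOST = "smtp.corp.example"
# SANs on the real mail server's certificate (constructed).
LEGIT_SAN = [("DNS", "smtp.corp.example"), ("DNS", "*.mail.corp.example")]
# SANs on a CA-issued certificate for a domain the attacker owns
# (constructed): its chain validates, its name does not match.
ATTACKER_SAN = [("DNS", "mitm.attacker.example")]

if __name__ == "__main__":
    for label, san in (("legit server", LEGIT_SAN), ("attacker", ATTACKER_SAN)):
        print(f"{label:13s} vulnerable client accepts: "
              f"{accept_server_vulnerable(True, CONFIGURED_HOST, san)!s:5s} "
              f"fixed client accepts: {accept_server_fixed(True, CONFIGURED_HOST, san)}")
```

The vulnerable decision accepts the attacker's certificate as readily as the real one, which is exactly why a CA-issued certificate for an unrelated domain is enough for this attack; the fixed decision rejects it while still accepting the server's own certificate, including through the wildcard entry.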

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.1.29548 or later

Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/

Restart Required: Yes

Instructions:

1. Back up YouTrack data and configuration.
2. Download YouTrack 2024.1.29548 or later from the JetBrains website.
3. Stop the YouTrack service.
4. Install the updated version.
5. Start the YouTrack service.
6. Verify functionality, in particular outgoing mail. Once hostname validation is enforced, delivery fails if the mail server's certificate does not cover the hostname configured in YouTrack (for example a server configured by IP address, or a certificate issued for a different name). Correct the hostname or the certificate rather than weakening verification.

🔧 Temporary Workarounds

Disable SMTPS (all platforms)

Switch to alternative email protocols or disable email notifications

Edit YouTrack's outgoing mail settings to stop using SMTPS, or disable email features. Caveat: moving to plaintext SMTP is not a mitigation against the on-path attacker this flaw enables; it exposes the same credentials and mail content without the attacker needing any certificate at all, so use it only when the mail server is on the same host or an otherwise trusted segment. Disabling outgoing mail closes the exposure but also stops notifications, invitations and password-reset mail.

Network Segmentation (all platforms)

Isolate the YouTrack-to-mail-server path from untrusted networks

Restrict YouTrack's outbound TCP 465 (and any other mail ports in use) to the mail server's IP addresses with firewall rules, and make sure YouTrack resolves the mail server's name through DNS you control, since a spoofed DNS answer is one of the easiest ways to obtain the on-path position this attack needs. Where the real mail server is remote, a local relay next to YouTrack that performs proper certificate and hostname verification on the upstream hop keeps the unverified leg confined to a trusted segment.

🧯 If You Can't Patch

  • Lock down the YouTrack-to-mail-server path: firewall egress to the mail server's addresses only, trusted DNS resolution, and a local relay if the real server is remote
  • Monitor for SMTP sessions from the YouTrack host to any address other than the mail server's, and for changes in the certificate the mail server presents

🔍 How to Verify

Check if Vulnerable:

Check the YouTrack version in the administration panel or via the API, then confirm in the outgoing mail settings whether SMTPS is in use. A build before 2024.1.29548 that sends mail over SMTPS is affected.

Check Version:

Check YouTrack web interface Administration → System → Version or use API endpoint /api/admin/version

Verify Fix Applied:

Confirm the version is 2024.1.29548 or later and send a test message over SMTPS. A delivery failure that starts after the upgrade most likely means the mail server's certificate does not match the hostname configured in YouTrack; that is the check working, so correct the hostname or the certificate instead of turning the check off.
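A small helper for fleet-wide checks, as an added example (not a JetBrains tool): it pulls the year.release.build triple out of whatever string the version page or API returns and compares it numerically against the fixed build quoted above, so that a build number with fewer digits is not mistaken for a newer one. The sample version strings are constructed; the only fact it encodes from the advisory is the fixed build 2024.1.29548.

```python
"""Decide from a YouTrack version string whether an installation predates
the fixed build for CVE-2024-35299. Added example; the fixed build comes
from the advisory above, the sample version strings are constructed.
Versions are year.release.build, so they must be compared as integers:
"2024.1.9" sorts before "2024.1.29548" numerically, not as a string.
"""
import re

FIXED_BUILD = (2024, 1, 29548)
_VERSION_RE = re.compile(r"\b(\d{4})\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract (year, release, build) from '2024.1.29548' or from a
    longer string such as a page title or API field that contains it."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no YouTrack version found in {text!r}")
    year, release, build = (int(g) for g in m.groups())
    return year, release, build


def is_vulnerable(version_text: str, uses_smtps: bool = True) -> bool:
    """Affected when the build is older than 2024.1.29548 and outgoing
    mail goes over SMTPS; installations not using SMTPS are not exposed."""
    return uses_smtps and parse_version(version_text) < FIXED_BUILD


if __name__ == "__main__":
    for sample in ("2023.3.24000", "2024.1.29547", "2024.1.29548", "2024.2.30000"):
        print(sample, "vulnerable" if is_vulnerable(sample) else "fixed")
```

Feed it the version string from each instance together with whether that instance's outgoing mail uses SMTPS; the second flag is what keeps a non-SMTPS installation from being flagged.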

📡 Detection & Monitoring

Log Indicators:

  • Certificate validation failures on the outgoing mail connection in YouTrack logs. A vulnerable build performs no hostname check and so logs nothing when a mismatched certificate is presented; these errors appear on fixed builds, where they point to either a misconfigured mail server or an active interception attempt
  • SMTP connections at unusual times, to unexpected addresses, or failing and retrying in bursts

Network Indicators:

  • A TLS server certificate on the mail port whose subject or subjectAltName does not match the configured mail server hostname
  • A change in the issuer or fingerprint of the certificate the mail server presents to YouTrack
  • SMTP or SMTPS sessions from the YouTrack host to any IP address other than the mail server's

SIEM Query:

source="youtrack" AND ("certificate" OR "SMTPS") AND ("failed" OR "invalid" OR "mismatch")

This matches the failures a fixed build logs; adjust the source and field names to your log pipeline, and do not expect hits from a still-vulnerable build.
