CVE-2025-47850: CWE-306 in JetBrains YouTrack

Severity: Medium
Type: Vulnerability
Tags: cve-2025-47850, cwe-306
Published: Tue May 20 2025 (05/20/2025, 17:37:43 UTC)
Source: CVE
Vendor/Project: JetBrains
Product: YouTrack

Description

In JetBrains YouTrack before 2025.1.74704 restricted attachments could become visible after issue cloning

AI-Powered Analysis

Last updated: 07/11/2025, 12:49:34 UTC

Technical Analysis

CVE-2025-47850 is a medium-severity vulnerability identified in JetBrains YouTrack, a popular issue tracking and project management tool widely used in software development and IT teams. The vulnerability is classified under CWE-306, which refers to 'Missing Authentication for Critical Function.' Specifically, this flaw allows restricted attachments—files that should only be visible to authorized users—to become visible after an issue cloning operation. In other words, when a user clones an issue within YouTrack, attachments that were originally access-restricted may inadvertently be exposed to users who should not have permission to view them. This issue affects versions of YouTrack prior to 2025.1.74704. The CVSS v3.1 base score is 4.3 (medium), with the vector indicating that the attack can be performed remotely over the network (AV:N), requires low attack complexity (AC:L), requires privileges (PR:L), does not require user interaction (UI:N), and impacts confidentiality only (C:L) without affecting integrity or availability. No known exploits are currently reported in the wild. The vulnerability arises due to insufficient enforcement of access control checks during the cloning process, leading to unauthorized disclosure of sensitive attachments. This can result in leakage of confidential information such as proprietary documents, internal reports, or personally identifiable information embedded in attachments.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on YouTrack for managing sensitive projects, including software development, compliance tracking, or internal audits. Unauthorized exposure of restricted attachments could lead to data breaches involving intellectual property, customer data, or regulatory information. This could result in reputational damage, legal liabilities under GDPR and other data protection laws, and potential financial penalties. Since the vulnerability only affects confidentiality and does not impact integrity or availability, the primary risk is information disclosure. However, given that YouTrack is often integrated into broader development pipelines and used by cross-functional teams, the leakage of restricted attachments could facilitate further attacks or insider threats. The requirement for low privileges to exploit means that any user with limited access could potentially escalate their visibility to sensitive attachments, increasing the risk from insider threats or compromised accounts.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should promptly update JetBrains YouTrack to version 2025.1.74704 or later, where the issue has been addressed. Until patching is possible, organizations should review and tighten access control policies around issue cloning operations, restricting cloning permissions to trusted users only. Administrators should audit existing cloned issues to identify any unauthorized exposure of attachments and remove or reclassify them as necessary. Implementing strict role-based access controls (RBAC) and monitoring cloning activities through audit logs can help detect and prevent misuse. Additionally, organizations should educate users about the risks of cloning issues containing sensitive attachments and encourage verification of attachment visibility post-cloning. Network segmentation and limiting YouTrack access to internal or VPN-only users can reduce exposure. Finally, integrating Data Loss Prevention (DLP) tools to monitor attachment sharing and usage within YouTrack can provide an additional layer of protection.
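As an added illustration (constructed for this write-up, not JetBrains' code, whose internals are not on this page): a toy model of issue cloning that shows the class of flaw the technical analysis describes, a hardened clone that re-checks the cloning user's access and carries each attachment's restriction over unchanged, and the post-hoc audit of already-cloned issues that the mitigation section recommends. The group-based visibility model, function names and sample data are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Attachment:
    name: str
    # Empty set = no restriction: everyone who can open the issue sees it.
    visible_to: frozenset = frozenset()

@dataclass
class Issue:
    issue_id: str
    attachments: list = field(default_factory=list)

def can_view(att: Attachment, user_groups: frozenset) -> bool:
    """A restricted attachment is visible only to members of one of its groups."""
    return not att.visible_to or bool(att.visible_to & user_groups)

def visible_attachments(issue: Issue, user_groups: frozenset) -> list:
    return sorted(a.name for a in issue.attachments if can_view(a, user_groups))

def clone_vulnerable(src: Issue, new_id: str) -> Issue:
    """Hypothetical flawed clone (constructed to model the advisory, not YouTrack's
    code): copies every attachment and drops its visibility restriction."""
    return Issue(new_id, [Attachment(a.name) for a in src.attachments])

def clone_fixed(src: Issue, new_id: str, actor_groups: frozenset) -> Issue:
    """Hardened clone: re-check the cloning user's access to each attachment
    and carry the restriction over to the copy unchanged."""
    copied = [Attachment(a.name, a.visible_to)
              for a in src.attachments if can_view(a, actor_groups)]
    return Issue(new_id, copied)

def audit_clone(src: Issue, clone: Issue) -> list:
    """Post-hoc check for issues cloned before patching: attachments that were
    restricted on the source but carry a weaker (or no) restriction on the clone."""
    src_by_name = {a.name: a for a in src.attachments}
    exposed = []
    for a in clone.attachments:
        orig = src_by_name.get(a.name)
        if orig is None or not orig.visible_to:
            continue  # new file, or never restricted on the source
        if not (a.visible_to and a.visible_to <= orig.visible_to):
            exposed.append(a.name)
    return sorted(exposed)

# Constructed sample data: one public file and one HR-only file.
SOURCE = Issue("PRJ-1", [Attachment("design.png"),
                         Attachment("salaries.xlsx", frozenset({"hr"}))])
HR, DEV = frozenset({"hr"}), frozenset({"dev"})
```

Running `audit_clone` over source/clone pairs is the check to apply to issues cloned before the upgrade; a non-empty result marks a clone whose attachment visibility needs to be reclassified.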


Technical Details

Data Version: 5.1
Assigner Short Name: JetBrains
Date Reserved: 2025-05-12T13:17:05.813Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f71484d88663aeadcb

Added to database: 5/20/2025, 6:59:03 PM

Last enriched: 7/11/2025, 12:49:34 PM

Last updated: 7/30/2025, 4:08:34 PM