CVE-2025-47850: CWE-306 in JetBrains YouTrack
In JetBrains YouTrack before 2025.1.74704 restricted attachments could become visible after issue cloning
AI Analysis
Technical Summary
CVE-2025-47850 is a medium-severity vulnerability identified in JetBrains YouTrack, a popular issue tracking and project management tool widely used in software development and IT teams. The vulnerability is classified under CWE-306, 'Missing Authentication for Critical Function.' Specifically, this flaw allows restricted attachments—files that should only be visible to authorized users—to become visible after an issue cloning operation. In other words, when a user clones an issue within YouTrack, attachments that were originally access-restricted may inadvertently be exposed to users who should not have permission to view them. This issue affects versions of YouTrack prior to 2025.1.74704. The CVSS v3.1 base score is 4.3 (medium), with the vector indicating that the attack can be performed remotely over the network (AV:N), requires low attack complexity (AC:L), requires low privileges (PR:L), does not require user interaction (UI:N), and impacts confidentiality only (C:L) without affecting integrity or availability. No known exploits are currently reported in the wild. The vulnerability arises from insufficient enforcement of access control checks during the cloning process, leading to unauthorized disclosure of sensitive attachments. This can result in leakage of confidential information such as proprietary documents, internal reports, or personally identifiable information embedded in attachments.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on YouTrack for managing sensitive projects, including software development, compliance tracking, or internal audits. Unauthorized exposure of restricted attachments could lead to data breaches involving intellectual property, customer data, or regulatory information. This could result in reputational damage, legal liabilities under GDPR and other data protection laws, and potential financial penalties. Since the vulnerability only affects confidentiality and does not impact integrity or availability, the primary risk is information disclosure. However, given that YouTrack is often integrated into broader development pipelines and used by cross-functional teams, the leakage of restricted attachments could facilitate further attacks or insider threats. The requirement for low privileges to exploit means that any user with limited access could potentially escalate their visibility to sensitive attachments, increasing the risk from insider threats or compromised accounts.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should promptly update JetBrains YouTrack to version 2025.1.74704 or later, where the issue has been addressed. Until patching is possible, organizations should review and tighten access control policies around issue cloning operations, restricting cloning permissions to trusted users only. Administrators should audit existing cloned issues to identify any unauthorized exposure of attachments and remove or reclassify them as necessary. Implementing strict role-based access controls (RBAC) and monitoring cloning activities through audit logs can help detect and prevent misuse. Additionally, organizations should educate users about the risks of cloning issues containing sensitive attachments and encourage verification of attachment visibility post-cloning. Network segmentation and limiting YouTrack access to internal or VPN-only users can reduce exposure. Finally, integrating Data Loss Prevention (DLP) tools to monitor attachment sharing and usage within YouTrack can provide an additional layer of protection.
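The audit step above (finding cloned issues whose attachments are more widely visible than the originals) can be scripted over exported issue data. The following is an added example written for this page, not JetBrains code; it assumes a simplified model in which each attachment carries a set of permitted group names (empty set = unrestricted), each clone records the issue it was cloned from, and attachments are matched between original and clone by file name.

```python
"""Audit cloned issues for attachments whose visibility widened on clone."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Attachment:
    name: str
    # Empty set = unrestricted (anyone who can see the issue); non-empty = restricted
    # to these groups. Simplified stand-in for YouTrack's visibility settings (assumption).
    permitted_groups: frozenset = frozenset()


@dataclass
class Issue:
    id: str
    attachments: List[Attachment]
    cloned_from: Optional[str] = None  # hypothetical field linking a clone to its source


def visibility_widened(original: Attachment, clone: Attachment) -> bool:
    """True if the clone exposes the attachment to anyone the original did not allow."""
    if not original.permitted_groups:
        return False  # original was already unrestricted; cloning cannot leak more
    if not clone.permitted_groups:
        return True  # restriction dropped entirely on the clone
    return not clone.permitted_groups <= original.permitted_groups


def find_exposed_attachments(issues: List[Issue]) -> List[Tuple[str, str, List[str]]]:
    """Return (clone_id, attachment_name, original_groups) for every widened attachment."""
    by_id = {issue.id: issue for issue in issues}
    findings = []
    for issue in issues:
        if issue.cloned_from is None or issue.cloned_from not in by_id:
            continue
        originals = {a.name: a for a in by_id[issue.cloned_from].attachments}
        for att in issue.attachments:
            src = originals.get(att.name)
            if src is not None and visibility_widened(src, att):
                findings.append((issue.id, att.name, sorted(src.permitted_groups)))
    return findings


# Constructed sample data, not real YouTrack records.
SAMPLE = [
    Issue("PRJ-1", [Attachment("contract.pdf", frozenset({"legal"})), Attachment("logo.png")]),
    Issue("PRJ-2", [Attachment("contract.pdf"), Attachment("logo.png")], cloned_from="PRJ-1"),
    Issue("PRJ-3", [Attachment("contract.pdf", frozenset({"legal"}))], cloned_from="PRJ-1"),
]

if __name__ == "__main__":
    for clone_id, name, groups in find_exposed_attachments(SAMPLE):
        print(f"{clone_id}: '{name}' visible beyond original groups {groups}")
```

Only PRJ-2 is reported: its copy of contract.pdf lost the 'legal' restriction, while PRJ-3 preserved it and logo.png was never restricted.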
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Ireland, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: JetBrains
- Date Reserved: 2025-05-12T13:17:05.813Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Added to database: 5/20/2025, 6:59:03 PM
Last enriched: 7/11/2025, 12:49:34 PM
Last updated: 8/11/2025, 8:39:33 AM