Risk | Low |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2021-37553, CVE-2021-37551, CVE-2021-37550 |
CWE-ID | CWE-338, CWE-326, CWE-367 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | YouTrack (Web applications / CMS) |
Vendor | JetBrains s.r.o. |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU55612
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-37553
CWE-ID: CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insecure PRNG usage. A remote attacker can gain access to sensitive information.
Install updates from the vendor's website.
Vulnerable software versions: YouTrack 2020.1.659 - 2021.1.15276
Reference: https://blog.jetbrains.com/blog/2021/08/05/jetbrains-security-bulletin-q2-2021
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU55611
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-37551
CWE-ID: CWE-326 - Inadequate Encryption Strength
Exploit availability: No
Description: The vulnerability allows an attacker to recover passwords from their hashes.
The vulnerability exists because the software uses the SHA-256 algorithm for password hashing. An attacker with access to password hashes can recover the passwords from them.
Install updates from the vendor's website.
Vulnerable software versions: YouTrack 2020.1.659 - 2021.1.15276
Reference: https://blog.jetbrains.com/blog/2021/08/05/jetbrains-security-bulletin-q2-2021
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU55610
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-37550
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a race condition. A remote attacker can bypass implemented security measures.
Install updates from the vendor's website.
Vulnerable software versions: YouTrack 2020.1.659 - 2021.1.15276
Reference: https://blog.jetbrains.com/blog/2021/08/05/jetbrains-security-bulletin-q2-2021
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.