Vulnerabilities > CVE-2019-12866 - Authorization Bypass Through User-Controlled Key vulnerability in Jetbrains Youtrack

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

jetbrains

CWE-639

critical

NVD

Published: 2019-07-03

Updated: 2020-08-24

Summary

An Insecure Direct Object Reference, with Authorization Bypass through a User-Controlled Key, was possible in JetBrains YouTrack. The issue was fixed in 2018.4.49168.

Vulnerable Configurations

Part	Description	Count
Application	Jetbrains Jetbrains Youtrack 2.2.1 Jetbrains Youtrack 2.19.2.65515 Jetbrains Youtrack 3.3 Jetbrains Youtrack 4.2.4 Jetbrains Youtrack 5.2.5 Jetbrains Youtrack 6.0.12124 Jetbrains Youtrack 6.0.12634 Jetbrains Youtrack 6.5.17031 Jetbrains Youtrack 6.5.17057 Jetbrains Youtrack 6.5.17105 Jetbrains Youtrack 6.5.17122 Jetbrains Youtrack 7.0.26198 Jetbrains Youtrack 7.0.26630 Jetbrains Youtrack 7.0.26754 Jetbrains Youtrack 7.0.26927 Jetbrains Youtrack 7.0.27676 Jetbrains Youtrack 7.0.27705 Jetbrains Youtrack 7.0.27777 Jetbrains Youtrack 7.0.27965 Jetbrains Youtrack 7.0.28110 Jetbrains Youtrack 7.0.28450 Jetbrains Youtrack 7.0.28958 Jetbrains Youtrack 7.0.29566 Jetbrains Youtrack 2017.1.30791 Jetbrains Youtrack 2017.1.30867 Jetbrains Youtrack 2017.1.30973 Jetbrains Youtrack 2017.1.31650 Jetbrains Youtrack 2017.2.32529 Jetbrains Youtrack 2017.2.32582 Jetbrains Youtrack 2017.2.32799 Jetbrains Youtrack 2017.2.32853 Jetbrains Youtrack 2017.2.33063 Jetbrains Youtrack 2017.2.33154 Jetbrains Youtrack 2017.2.33372 Jetbrains Youtrack 2017.2.33390 Jetbrains Youtrack 2017.2.33766 Jetbrains Youtrack 2017.2.34279 Jetbrains Youtrack 2017.2.34480 Jetbrains Youtrack 2017.2.35124 Jetbrains Youtrack 2017.3.35488 Jetbrains Youtrack 2017.3.35968 Jetbrains Youtrack 2017.3.36019 Jetbrains Youtrack 2017.3.36369 Jetbrains Youtrack 2017.3.36626 Jetbrains Youtrack 2017.3.36743 Jetbrains Youtrack 2017.3.37116 Jetbrains Youtrack 2017.3.37517 Jetbrains Youtrack 2017.4.37623 Jetbrains Youtrack 2017.4.37933 Jetbrains Youtrack 2017.4.38030 Jetbrains Youtrack 2017.4.38399 Jetbrains Youtrack 2017.4.39083 Jetbrains Youtrack 2017.4.39238 Jetbrains Youtrack 2017.4.39406 Jetbrains Youtrack 2017.4.39533 Jetbrains Youtrack 2018.1.39916 Jetbrains Youtrack 2018.1.40025 Jetbrains Youtrack 2018.1.40066 Jetbrains Youtrack 2018.1.40341 Jetbrains Youtrack 2018.1.40840 Jetbrains Youtrack 2018.1.41051 Jetbrains Youtrack 2018.1.41561 Jetbrains Youtrack 2018.1.41826 Jetbrains Youtrack 2018.2.42133 Jetbrains Youtrack 2018.2.42223 Jetbrains Youtrack 2018.2.42284 Jetbrains Youtrack 2018.2.42337 Jetbrains Youtrack 2018.2.42881 Jetbrains Youtrack 2018.2.43142 Jetbrains Youtrack 2018.2.44329 Jetbrains Youtrack 2018.2.45073 Jetbrains Youtrack 2018.2.45146 Jetbrains Youtrack 2018.2.45513 Jetbrains Youtrack 2018.3.46358 Jetbrains Youtrack 2018.3.46581 Jetbrains Youtrack 2018.3.46727 Jetbrains Youtrack 2018.3.47010 Jetbrains Youtrack 2018.3.47078 Jetbrains Youtrack 2018.3.47109 Jetbrains Youtrack 2018.3.47247 Jetbrains Youtrack 2018.3.47965 Jetbrains Youtrack 2018.3.48045 Jetbrains Youtrack 2018.4.48293 Jetbrains Youtrack 2018.4.48406 Jetbrains Youtrack 2018.4.48733	85

Common Weakness Enumeration (CWE)

CWE-639 - Authorization Bypass Through User-Controlled Key

References

https://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/