CVE-2025-24456
Published: 21 January 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-24456 is a privilege escalation vulnerability in JetBrains Hub versions prior to 2024.3.55417, stemming from improper LDAP authentication mapping. Published on 2025-01-21, it has a CVSS v3.1 base score of 6.7 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-306 (Missing Authentication for Critical Function).
Exploitation requires an attacker who already holds a valid low-privileged account on the Hub instance (PR:L) and can reach it over the network (AV:N); the attack is rated hard to carry out (AC:H) and depends on an action by another user (UI:R). A successful attack escalates the attacker's privileges, with high impact on confidentiality and integrity (C:H/I:H) and low impact on availability (A:L), and it stays within the vulnerable component rather than reaching others (S:U). Those metrics are what produce the 6.7 (Medium) base score.
JetBrains fixed the issue in Hub 2024.3.55417, as recorded on their issues-fixed page at https://www.jetbrains.com/privacy-security/issues-fixed/. Upgrade to 2024.3.55417 or later; any instance that still reports an earlier build remains exposed, so confirm the running version after the upgrade rather than relying on a change ticket.
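Confirming remediation comes down to comparing the running build against the fixed one, and that comparison is easy to get wrong when version strings are compared as text. The following Python is an added example, not JetBrains code; it assumes Hub reports its version as three dot-separated integers in the year.minor.build form the advisory uses (2024.3.55417), and the inventory it triages is constructed sample data with hypothetical hostnames and build numbers.

```python
"""Triage helper: decide whether a JetBrains Hub build is affected by
CVE-2025-24456 by comparing its version against the fixed build.

Added example, not JetBrains code. Assumes Hub version strings have the
year.minor.build form used in the advisory (2024.3.55417); the inventory
below is constructed sample data, not real hosts."""
import re

# First build that contains the fix, per the advisory.
FIXED_VERSION = "2024.3.55417"

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(version: str) -> tuple:
    """Turn '2024.3.55417' into (2024, 3, 55417).

    Comparing as integers matters: as strings, '2024.3.9999' sorts *after*
    '2024.3.55417' because '9' > '5', which would mark a vulnerable build
    as fixed."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Hub version string: {version!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version: str) -> bool:
    """True if the build predates the fix (versions before 2024.3.55417)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: dict) -> list:
    """Return hostnames whose Hub build still needs the upgrade, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostname -> reported Hub version).
# Hostnames and build numbers are made up for the example.
SAMPLE_INVENTORY = {
    "hub-prod.example.internal": "2024.3.55417",     # exactly the fixed build
    "hub-staging.example.internal": "2024.3.54869",  # same release line, older build
    "hub-legacy.example.internal": "2023.1.19031",   # older release line
    "hub-dev.example.internal": "2024.3.9999",       # string compare would miss this one
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is before {FIXED_VERSION}; upgrade")
```

The parser rejects anything that is not three integers rather than guessing, so a host whose version could not be read shows up as an error to investigate instead of silently passing triage.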
Details
- CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel); CWE-306 (Missing Authentication for Critical Function)
Affected Products
- JetBrains Hub, versions prior to 2024.3.55417
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
The CVE describes privilege escalation through improper LDAP authentication mapping, classified as an authentication bypass (CWE-288) and missing authentication for a critical function (CWE-306). Exploiting a software flaw to gain higher privileges is exactly what Exploitation for Privilege Escalation (T1068) covers, so that is the technique mapped here.