Cyber Posture

CVE-2025-24458

Severity: High

Published: 21 January 2025

Modified: 30 January 2025
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0001 (0.7th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Security Summary

CVE-2025-24458 affects JetBrains YouTrack in versions before 2024.3.55417, where account takeover is possible via spoofed email and Helpdesk integration. Published on 2025-01-21, the vulnerability carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and maps to CWE-290.

The attack requires local access (AV:L) with low complexity (AC:L), no privileges (PR:N), and user interaction (UI:R). An unauthenticated attacker can spoof an email through the Helpdesk integration to achieve account takeover, resulting in high impacts to confidentiality and integrity but no availability disruption.

JetBrains has fixed the issue in YouTrack 2024.3.55417. For mitigation details, refer to the advisory at https://www.jetbrains.com/privacy-security/issues-fixed/.

Details

CWE(s): CWE-290

Affected Products

Vendor: jetbrains
Product: youtrack
Versions: before 2024.3.55417 (fixed in 2024.3.55417)

MITRE ATT&CK Enterprise Techniques

T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The vulnerability directly enables account takeover via spoofed email in the Helpdesk integration, which facilitates gaining and using valid accounts as described in T1078.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0