Inadequate Encryption Strength in YouTrack

#VU55611 Inadequate Encryption Strength in YouTrack

Published: 2021-08-05

Vulnerability identifier: #VU55611

Vulnerability risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-37551

CWE-ID: CWE-326

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
YouTrack
Web applications / CMS

Vendor: JetBrains s.r.o.

Description

The vulnerability allows an attacker to restore passwords from hash.

The vulnerability exists due to software uses SHA-256 algorithm for password hashing. An attacker with access to password hashes can recover password from hash.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

YouTrack: 2020.1.659 - 2021.1.15276

External links
http://blog.jetbrains.com/blog/2021/08/05/jetbrains-security-bulletin-q2-2021

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in JetBrains YouTrack