News

Important Security Problem concerning Issue Visibility

Bug description
On Friday June 30th at 9:45 am CEST we were notified of a potential security problem in YouTrack that affects issue visibility in certain cases. Specifically, when the visibility of the issue was set by a workflow, it was possible that certain users that were not part of the group could access the issue during a search request. This issue only affected YouTrack version 2017.2.33634 and later.
We have already resolved the issue and a new download is available. All InCloud instances have been applied with the hotfix.

What actions you should take
If you are running YouTrack Standalone and have YouTrack version 2017.2.33634 or later Installed, please upgrade by downloading the latest version.

If for some reason you cannot upgrade to the latest version, there is a workaround that can be performed:
1. Locate all the workflows that set groups.
2. Find any line that sets the group in the following way:

`issue.permittedGroup = someGroup`

3. Replace the line with:

`issue.applyCommand(“visible to “ + someGroup.name)`

where someGroup is the name of your group.

4. Fix any existing issues by applying the command:

`visible to someGroup`
to them (you can do this by selecting them and doing a batch update).

If you need any further assistance, please contact our Support Engineers or simply respond to this email.

We sincerely apologise for the incident and rest assured we’re already putting in additional steps to prevent this in the future.