Please note that if you are a YouTrack InCloud customer, or a commercial customer of YouTrack Standalone or Upsource, you should have already received an email from us in the middle of December. No further action is required if have already seen this email.
During a regular security audit on December 7th, 2018, we discovered a security vulnerability in JetBrains Hub, which provides authorization and authentication services to some of our other products including Upsource and YouTrack. This security vulnerability affected Upsource instances starting from version 2018.2.1013 through version 2018.2.1141 where the issue was fixed and YouTrack instances starting from version 2018.2.10218 through version 2018.3.47965 where the issue was fixed.
What information was compromised
This security issue affected all Hub instances and other products that rely on Hub, making it possible for users to elevate the permissions that were available to their own accounts in Upsource and YouTrack.
We don’t have any information to confirm whether access to your Upsource or YouTrack installation was compromised.
What actions we’ve taken
We fixed the issue on December 10th, 2018 and released updated versions of Upsource on December 18th, 2018 and YouTrack on December 12th, 2018. We’ve also added automated tests to check for this vulnerability whenever changes are deployed to the code base.
What actions you should take
Please upgrade to the latest build from our website if you are using YouTrack Standalone and to the latest build from our website if you are using Upsource. If you are a YouTrack InCloud customer, we have already applied the fix to your YouTrack InCloud instance.
If you need any further assistance, please contact our Support Engineers.