Important Security Notice – Vulnerability allowing permission escalation
Please note that if you are a YouTrack InCloud customer, or a commercial customer of YouTrack Standalone or Upsource, you should have already received an email from us in the middle of December. No further action is required if you have already seen this email.
During a regular security audit on December 7th, 2018, we discovered a security vulnerability in JetBrains Hub, which provides authorization and authentication services to some of our other products, including Upsource and YouTrack. This security vulnerability affected Upsource instances from version 2018.2.1013 up to version 2018.2.1141 (the version in which the issue was fixed), and YouTrack instances from version 2018.2.10218 up to version 2018.3.47965 (the version in which the issue was fixed).
What information was compromised
This security issue affected all Hub instances and other products that rely on Hub, making it possible for users to elevate the permissions that were available to their own accounts in Upsource and YouTrack.
We don’t have any information to confirm whether access to your Upsource or YouTrack installation was compromised.
What actions we’ve taken
We fixed the issue on December 10th, 2018 and released updated versions of Upsource on December 18th, 2018 and YouTrack on December 12th, 2018. We’ve also added automated tests to check for this vulnerability whenever changes are deployed to the code base.
What actions you should take
Please upgrade to the latest build from our website, whether you are using YouTrack Standalone or Upsource. If you are a YouTrack InCloud customer, we have already applied the fix to your YouTrack InCloud instance.
If you need any further assistance, please contact our Support Engineers.