Important Security Notice – Vulnerability allowing permission escalation

Please note that if you are a commercial customer of Upsource, you should have already received an email from us in the middle of December. No further action is required if you have already seen this email.

What happened

During a regular security audit on December 7th, 2018, we discovered a security vulnerability in JetBrains Hub, which provides authorization and authentication services to some of our other products including Upsource and YouTrack. This security vulnerability affected Upsource instances starting from version 2018.2.1013 through version 2018.2.1141 where the issue was fixed.

What information was compromised

This security issue affected all Hub instances and other products that rely on Hub, making it possible for users to elevate the permissions that were available to their own accounts in Upsource and YouTrack.

We don’t have any information to confirm whether access to your Upsource or YouTrack installation was compromised.

What actions we’ve taken

We fixed the issue on December 10th, 2018 and released updated versions of Upsource on December 18th, 2018. We’ve also added automated tests to check for this vulnerability whenever changes are deployed to the code base.

What actions you should take

Please upgrade to the latest build from our website.

While it is possible for you to determine whether your data was compromised, due to the nature of the vulnerability, disclosing how this would be done could affect other Upsource installations.

If you need any further assistance, please contact our Support Engineers.