Security Vulnerability Patch in YouTrack 6.5.17031

Please welcome a fresh YouTrack 6.5.17031 update. This minor release is very important because it contains a fix for a recently discovered XML External Entity (XXE) vulnerability. It affects the XML-based REST APIs, such as the user import and command intellisense APIs. The attack may lead to disclosure of confidential data, denial of service, and port scanning performed from the perspective of the YouTrack host machine. This OWASP article explains the vulnerability in detail.

We strongly recommend that all our stand-alone customers upgrade to the latest YouTrack 6.5.17031 build. If you are using an older YouTrack version, please consider setting the following Java start parameters to mitigate the attack:

-Djavax.xml.accessExternalDTD=
-Djavax.xml.accessExternalSchema=
-Djavax.xml.accessExternalStylesheet=

Please note that the parameter values are intentionally left blank: for these JAXP properties an empty value means that access to every external protocol is denied, so the parser can no longer fetch external DTDs, schemas or stylesheets. Please refer to the documentation if unsure how to set them.
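As an added illustration (not part of the original post or of YouTrack's own code), the following Java program shows what the blank properties above do to the JDK's built-in XML parser. It parses two constructed payloads shaped like a user-import request: one plain, one carrying a DOCTYPE with an external entity whose SYSTEM identifier is a placeholder path. Setting `javax.xml.accessExternalDTD` to the empty string (here via `System.setProperty`, which is what the `-D` start parameter does for the whole JVM) makes the default parser refuse the external entity, and the hardened factory goes one step further by rejecting any DOCTYPE, which these APIs do not need. The element names and sample strings are assumptions for the demonstration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class XxeMitigationDemo {

    // Constructed sample: a DTD declaring an external general entity.
    // The SYSTEM identifier is a placeholder, not a real file.
    static final String XXE_SAMPLE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE user [ <!ENTITY ext SYSTEM \"file:///placeholder/secret.txt\"> ]>\n" +
        "<user><login>&ext;</login></user>";

    // Constructed sample: the same request shape with no DTD at all.
    static final String PLAIN_SAMPLE = "<user><login>alice</login></user>";

    // Parser built with JDK defaults. Whether it fetches external entities is
    // governed by the javax.xml.accessExternalDTD system property, i.e. by the
    // -D start parameter recommended in the post.
    static String parseLoginWithDefaults(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        return parseLogin(DocumentBuilderFactory.newInstance(), xml);
    }

    // Per-parser hardening, independent of JVM-wide settings. The two attributes
    // are the same JAXP properties as the system properties; "" denies all protocols.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        // The REST payloads carry no DTD, so reject any DOCTYPE outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static String parseLogin(DocumentBuilderFactory f, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("login").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Equivalent of -Djavax.xml.accessExternalDTD= ; must be set before the
        // first parser is created, which is why the post puts it on the start line.
        System.setProperty("javax.xml.accessExternalDTD", "");

        System.out.println("defaults, plain payload: " + parseLoginWithDefaults(PLAIN_SAMPLE));
        try {
            parseLoginWithDefaults(XXE_SAMPLE);
            System.out.println("defaults, XXE payload: external entity was processed (property not applied)");
        } catch (SAXException e) {
            // Expected with the blank property: the parser refuses the external entity.
            System.out.println("defaults, XXE payload rejected: " + e.getMessage());
        }

        DocumentBuilderFactory hardened = hardenedFactory();
        System.out.println("hardened, plain payload: " + parseLogin(hardened, PLAIN_SAMPLE));
        try {
            parseLogin(hardened, XXE_SAMPLE);
            System.out.println("hardened, XXE payload: unexpectedly accepted");
        } catch (SAXException e) {
            // Expected: the DOCTYPE itself is rejected before any entity resolution.
            System.out.println("hardened, XXE payload rejected: " + e.getMessage());
        }
    }
}
```

Two practical notes: the `XMLConstants.ACCESS_EXTERNAL_*` attributes and the `accessExternal*` system properties are honoured by the JDK's bundled parser (Java 7u40 and later); if an application ships its own older Xerces on the classpath, `setAttribute` may throw `IllegalArgumentException` and the system properties may be ignored, so the upgrade the post recommends remains the reliable fix. The `accessExternalStylesheet` property from the post applies to `TransformerFactory` (XSLT) rather than to `DocumentBuilderFactory`, which is why it does not appear in this parser-side example.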

All the InCloud servers are already upgraded to the latest build.

For more details about the changes made in this build, please check the Release Notes.

The Drive to Develop

– YouTrack JetBrains Team

About Valerie Andrianova

Valerie Andrianova is YouTrack, Hub and Upsource Product Marketing Manager at JetBrains. Her professional interests include issue & bug tracking, project and task management, agile methodologies and team collaboration. Apart from work, she cannot imagine her life without live music, quirky books and lattes with those cute little foam hearts.

2 Responses to Security Vulnerability Patch in YouTrack 6.5.17031

  1. iad says:

    You forgot to post the vulnerability finder. That’s impolite.
