Last year we resolved a series of security issues in YouTrack and Hub that were not included as part of the release notes. Starting this year, we are planning to share quarterly reports about which security issues were fixed in YouTrack.
Below is a summary of the more important security issues resolved, with a description of each, the affected versions, and the version in which it was fixed.

| Description | Severity | Affected versions | Resolved in |
| --- | --- | --- | --- |
| Insufficient verification of the issue-linkage permission during creation of a linked issue allowed unauthorized linking of a newly created issue. JT-25321 | Low | <2017.3.x | 2017.3.33585 |
| With Jira integration enabled, entering invalid credentials granted unauthorized access as a previously authorized user. JT-40364, JPS-5307 | Moderate | 2017.1.x | 2017.1.31650 |
| Mentioning a user in a comment with limited visibility triggered an email notification to that user, even though they could not access the comment. JT-41146 | Moderate | 2017.2.31873 | 2017.3.37198 |
| A BEAST attack could be performed against a YouTrack InCloud setup. JT-42572 | Moderate | <2017.3.34922 | 2017.3.34922 |
| The mobile version of YouTrack allowed a visitor to access comments whose visibility was limited to a specific user. JT-44043, JT-44052 | High | 2017.2.33766 | 2017.4.37623 |
| Issue content could be accessed by a disabled guest user. JT-44255, JT-45284 | Critical | 2017.3.37328 | 2017.4.39083 |
| The Hub authorization module was vulnerable to content spoofing. JPS-5878 | Note | <2017.2.5942 | 2017.2.5942 |
| Hub was vulnerable to a clickjacking attack. JPS-7209 | High | <2017.4.8040 | 2017.4.8040 |
The latest versions of YouTrack with fixes for the different issues are available on our website. If you’re using YouTrack InCloud, please note that no action is required on your part.
If you need any further assistance, please contact our Support Engineers.
Your YouTrack Team
The Drive to Develop