On October 18th, 2018 at mid-day we became aware of a security vulnerability in YouTrack InCloud and Standalone instances in which the guest user was banned. This security breach affected YouTrack instances starting from version 2018.1 through version 2018.3.46581 where the issue was fixed.
What information was compromised
This security issue only affected instances where the guest user was banned. In particular, for anyone with a direct link to the instance, it was possible to obtain only the following user data without being logged in:
- Full name
No other information like user emails, passwords, or sensitive data stored in issues with restricted visibility were compromised. We have no indication that your data was accessed by unauthorized actors.
What actions we’ve taken
We fixed the issue, upgraded all YouTrack InCloud instances and released a Standalone build within 12 hours after receiving the report. We are also putting preventative mechanisms in place for early stages of product development to avoid that this type of error happens again.
What actions you should take
If you use YouTrack InCloud, we have already applied the fix to your YouTrack InCloud instance, so no further action is required from your part. If the guest user is banned in your YouTrack Standalone installation, please upgrade to the latest build from our website. Even if your installation allows anonymous access through the active guest account, we recommend that you upgrade to the latest version anyway. An administrator can ban the guest user at any time, exposing an older installation to this vulnerability.
We sincerely apologize for what has happened and please rest assured that we are taking steps to avoid the same thing from occurring again in the future.
If you need any further assistance, please contact our Support Engineers.