Important Security Notice – Vulnerability allowing permission escalation

Please note that if you are a YouTrack InCloud customer, or a commercial customer of YouTrack Standalone, you should have already received an email from us in the middle of December. No further action is required if you have already seen this email.

What happened

During a regular security audit on December 7th, 2018, we discovered a security vulnerability in JetBrains Hub, which provides authorization and authentication services to some of our other products including Upsource and YouTrack. This security vulnerability affected YouTrack instances starting from version 2018.2.10218 through version 2018.3.47965 where the issue was fixed.

What information was compromised

This security issue affected all Hub instances and other products that rely on Hub, making it possible for users to elevate the permissions that were available to their own accounts in Upsource and YouTrack.

We don’t have any information to confirm whether access to your Upsource or YouTrack installation was compromised.

What actions we’ve taken

We fixed the issue on December 10th, 2018 and released updated versions of Upsource on December 18th, 2018 and YouTrack on December 12th, 2018. We’ve also added automated tests to check for this vulnerability whenever changes are deployed to the code base.

What actions you should take

Please upgrade to the latest build from our website if you are using YouTrack Standalone. If you are a YouTrack InCloud customer, we have already applied the fix to your YouTrack InCloud instance.

While it is possible for you to determine whether your data was compromised, we cannot disclose how this would be done, because, due to the nature of the vulnerability, doing so could affect other YouTrack installations.

If you need any further assistance, please contact our Support Engineers.

About Natasha Katson

Natasha Katson is a Team Tools Product Marketing Manager at JetBrains.