YouTrack Security Update

Anastasia Bartasheva

This announcement is about a security vulnerability that we recently found and fixed in YouTrack. Please note that if you are a commercial customer using YouTrack Standalone, your Administrator should have received an email from us in late August, and had time to upgrade your YouTrack installation to a fixed version before this public announcement. No further action is required if you have already received and acted upon that email. If you are a YouTrack InCloud customer, please rest assured that we have already taken all necessary steps to secure your installation.

What happened

On August 13, 2020, we fixed a security vulnerability in YouTrack. The vulnerability allowed logged-in or guest users to retrieve issue descriptions via an undocumented REST API endpoint without having the required access permissions. This security vulnerability affected YouTrack instances from version 3.3 (released on March 2, 2012) up to version 2020.3.4313 (released on August 13, 2020), when the issue was fixed.
The vulnerability was found in one of the oldest endpoints of our deprecated REST API. The issue had unfortunately survived both external security audits and YouTrack source code audits. We can confirm that this endpoint has never appeared in any public materials, including our product documentation.
A corresponding CVE is published here.

What information was compromised?

This security issue could have affected YouTrack instances where one of the following was true:

  • Guest access was enabled.
  • An attacker was logged in.

In these cases, it was possible for the attacker to use the undocumented YouTrack REST API endpoint to retrieve descriptions of issues without having system permissions to access them.

Unfortunately, we don’t have any information to confirm whether access to a particular YouTrack instance was compromised. However, if you have guest access disabled on your instance, or your standalone YouTrack is not available from the internet, please rest assured that no third parties were able to access your data using the vulnerability.

What actions we’ve taken

  1. We fixed the issue on August 13, 2020, and backported the fix to all major versions starting from YouTrack 2019.1, so that any YouTrack Standalone can be updated to a version with the fix. On the very same day, we updated all InCloud instances to the version with the fix.
  2. We have sent a call-to-action email to all YouTrack Standalone administrators to ask them to upgrade. No details about the problem were disclosed at that point, in order to give administrators time to secure their YouTrack data.
  3. We have added automated tests to check for this vulnerability whenever changes are deployed to the codebase.

Is any action required from you?

YouTrack Standalone. If you are an Administrator of YouTrack Standalone and you didn’t receive the email notification, please use the latest bug-fix versions for each YouTrack version starting from 2019.1, available on our site, to upgrade your YouTrack.

YouTrack InCloud was upgraded to a fixed version in August. You do not need to do anything.

If you need any further assistance, please contact our Support Engineers or simply leave a comment below.
Please accept our sincere apologies for this situation.

Your JetBrains YouTrack team
