May 11, 2016 at 18:05Security update for all IntelliJ platform-based tools
Hello, Habr!
Please note that we have just released an update on all our IDEs based on the IntelliJ platform (both the recently released 2016.1 version and the old ones). The reason is the vulnerability found in the platform itself. Updates and patches are already available.
We are not aware of any cases of using the problems found, but we strongly recommend that all our users update the affected IDEs as soon as possible .
Read the description of the problem and a short instruction below on what to do next.
The web server built into the IDE could be attacked using a cross-site request forgery flaw . As a result, attackers could gain access to the user's local file system without his knowledge using the site created by the attacker.
The insufficiently limited CORS ( Cross-origin resource sharing ) policy allowed the attacker to gain access to internal API calls, data stored by the IDE, as well as various information about the IDE itself (such as its version), in addition to opening projects.
To install the update, run 'Check for Updates' or download the latest version of the product you need from www.jetbrains.com .
If you are using one of the older versions, go to one of the pages with older versions from the list below:
Please note that the problem did not affect our other products that are not based on the IntelliJ platform, namely: ReSharper, ReSharper C ++, dotCover, dotMemory, dotTrace, dotPeek, TeamCity, YouTrack, Upsource and Hub.
A little more details can be found in a post on our English-language blog. And, of course, we are happy to answer any of your questions in the comments.
Thank you for understanding!
Your JetBrains Team
Please note that we have just released an update on all our IDEs based on the IntelliJ platform (both the recently released 2016.1 version and the old ones). The reason is the vulnerability found in the platform itself. Updates and patches are already available.
We are not aware of any cases of using the problems found, but we strongly recommend that all our users update the affected IDEs as soon as possible .
Read the description of the problem and a short instruction below on what to do next.
Embedded Web Server Vulnerability
The web server built into the IDE could be attacked using a cross-site request forgery flaw . As a result, attackers could gain access to the user's local file system without his knowledge using the site created by the attacker.
RPC Internal Calling Vulnerability
The insufficiently limited CORS ( Cross-origin resource sharing ) policy allowed the attacker to gain access to internal API calls, data stored by the IDE, as well as various information about the IDE itself (such as its version), in addition to opening projects.
What to do?
To install the update, run 'Check for Updates' or download the latest version of the product you need from www.jetbrains.com .
If you are using one of the older versions, go to one of the pages with older versions from the list below:
- Appcode
- Clion
- DataGrip - please download the latest version from the product website
- IntelliJ IDEA
- Mps
- Phpstorm
- Pycharm
- PyCharm Edu - please download the latest version from the product website
- Rider - a few days ago you should have received an email with a link to download the update
- Rubymine
- Webstorm
Please note that the problem did not affect our other products that are not based on the IntelliJ platform, namely: ReSharper, ReSharper C ++, dotCover, dotMemory, dotTrace, dotPeek, TeamCity, YouTrack, Upsource and Hub.
A little more details can be found in a post on our English-language blog. And, of course, we are happy to answer any of your questions in the comments.
Thank you for understanding!
Your JetBrains Team