Hi, Habr!
Please note that we have just released an update of all our IDEs based on the IntelliJ platform (both the recently released 2016.1 version and the older ones). The reason is a vulnerability found in the platform itself. Updates and patches are already available.
We are not aware of any cases in which the problems found have been exploited, but we strongly recommend that all our users update the affected IDEs as soon as possible.
Below is a description of the problem and a short instruction on what to do next.
Embedded Web Server Vulnerability
The web server built into the IDE could be attacked using a cross-site request forgery (CSRF) flaw. As a result, attackers could gain access to the user's local file system without their knowledge via a site created by the attacker.
Internal RPC Calling Vulnerability
An insufficiently restrictive CORS (Cross-origin resource sharing) policy allowed an attacker to gain access to internal API calls, data stored by the IDE, and various information about the IDE itself (such as its version); in addition, it was possible to open projects.
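Both problems above share one root cause: a web server listening on the local machine answering browser requests that originate from a page on another site. The following is an added illustration written for this post, not JetBrains code and not the fix that shipped in the update. It shows, for a generic local server, the two checks that address the two classes of problem: a CORS policy that only admits an explicit allow-list of origins (instead of reflecting whatever the browser sends), and an Origin/Referer check for requests that have side effects (the CSRF case, such as opening a project). The port number and origin names are constructed for the example.

```python
# Added example (not JetBrains code): origin handling for a local web server.
# ALLOWED_ORIGINS is a constructed allow-list; a real server would derive it
# from the address and port it actually binds to.
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"http://localhost:8080", "http://127.0.0.1:8080"}


def cors_headers_permissive(origin):
    """The weak pattern: reflect any Origin the browser sent and allow
    credentials. Every site the user visits can then read the local
    server's responses (version info, stored data, internal API results)."""
    return {
        "Access-Control-Allow-Origin": origin or "*",
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_strict(origin, allowed=ALLOWED_ORIGINS):
    """The corrected pattern: echo the Origin only when it is on the
    allow-list. Otherwise send no CORS headers at all, so the browser
    refuses to expose the response to the calling page."""
    if origin in allowed:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # responses differ per origin; keep caches honest
        }
    return {}


def is_same_site_request(headers, allowed=ALLOWED_ORIGINS):
    """CSRF guard for requests with side effects: the request must carry an
    Origin (or, failing that, a Referer) on the allow-list. A request with
    neither header is refused rather than trusted by default."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in allowed


def handle_request(method, headers, has_side_effects):
    """Simplified dispatcher returning (status, response_headers).

    - OPTIONS is the browser's CORS preflight: answered only for allowed origins.
    - Requests that change state (e.g. 'open project') must pass the CSRF guard.
    - Plain reads get CORS headers only when the origin is allowed.
    """
    origin = headers.get("Origin")
    cors = cors_headers_strict(origin)
    if method == "OPTIONS":
        return (204 if cors else 403), cors
    if has_side_effects and not is_same_site_request(headers):
        return 403, {}
    return 200, cors


if __name__ == "__main__":
    # Constructed requests: one from the IDE's own UI, one from another site.
    print(handle_request("POST", {"Origin": "http://localhost:8080"}, True))
    print(handle_request("POST", {"Origin": "http://other-site.example"}, True))
```

The difference between the two header functions is the whole point: `cors_headers_permissive` turns every page the user has open into a client of the local server, while `cors_headers_strict` limits that to the origins the IDE itself serves. The side-effect check is separate because CORS alone does not stop a cross-site form submission from reaching the server; it only stops the foreign page from reading the answer.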
What to do?
To install the update, run 'Check for Updates' or download the latest version of the product you need from www.jetbrains.com.
If you are using one of the old versions, go to one of the pages with the old versions from the list below:
Please note that the problem did not affect our other products that are not based on the IntelliJ platform, namely: ReSharper, ReSharper C++, dotCover, dotMemory, dotTrace, dotPeek, TeamCity, YouTrack, Upsource and Hub.
Slightly more details can be found in a post on our English-language blog. And, of course, we are happy to answer any of your questions in the comments.
Thank you for understanding!
Your JetBrains Team