Security update for IntelliJ-based IDEs v2016.1 and older versions
We have just released an important update for all IntelliJ-based IDEs. This update addresses critical security vulnerabilities inside the underlying IntelliJ Platform. The vulnerabilities, in various forms, are also present in older versions of the IDEs; therefore, patches for those are also available.
While we have had no reports of any active attacks against these vulnerabilities, we strongly recommend that all users install the update as soon as possible.
Please read more on the issues and ways to update below.
Built-in web server vulnerabilities
A cross-site request forgery (CSRF) flaw in the IDE’s built-in web server allowed an attacker to access the local file system from a malicious web page without the user’s consent.
Internal RPC vulnerabilities
Over-permissive CORS settings allowed attackers to use a malicious website to access various internal API endpoints, gain access to data saved by the IDE, and gather various meta-information such as the IDE version, or open a project.
Our huge thanks go to Jordan Milne for disclosing these issues and working closely with us, and to the Android Studio team at Google for their perfect collaboration while working on the fixes.
What to do
To install the update simply select ‘Check for Updates’ from inside the IDE or visit www.jetbrains.com to download the most recent version. If you are using a version prior to 2016.1.x, read below for download links.
For more details about the security update and in case of additional questions, refer to the FAQ below.
Q: What products / versions are updated?
A: All JetBrains products built on the IntelliJ Platform are affected. The table below shows the minimum versions for which an update is released. If you are using the listed version or a higher one, then you need to update.
| Product | Updates Available as of Version (build number) |
|---|---|
| IntelliJ IDEA | 12.1 (129.161) |
| PyCharm Edu | 1.0 (139.280) |
| Rider | Private EAP builds prior to build 144.5342 |
Q: Are earlier versions affected?
A: We are not aware of similar vulnerabilities in older versions. The built-in web server was introduced in December 2012 (branch 129.x), and the internal RPC vulnerabilities mentioned and fixed above did not exist in older versions. Still, the possibility of vulnerabilities in older versions exists, which is why we recommend upgrading your IDE if it was released more than 3 years ago.
Q: What products are NOT affected?
A: ReSharper, ReSharper C++, dotCover, dotMemory, dotTrace, dotPeek, TeamCity, YouTrack, Upsource and Hub are not affected and do not need this security update.
Q: I need a full download rather than a patch for an earlier version of the IDE. Where can I download it?
A: Check the previous versions page for your product below. All versions published there contain the security update or are not affected by these two specific vulnerabilities.
- DataGrip — please get the latest version from the product website
- IntelliJ IDEA
- PyCharm Edu — please get the latest version from the product website
- Rider — you should receive an email with a fresh download link
Q: I’m unable to update to the latest version. Where can I get help?
A: Please contact us about the problems that prevent you from updating.
Q: I’m building an IDE on IntelliJ Platform. What should I do?
A: Make sure to merge the latest changes from the corresponding branch of intellij-community: the “129”, “131”, … “145” branches for the “129.*”, “131.*”, … “145.*” builds respectively, and “master” for the “146.*” or “162.*” builds. For details, please contact firstname.lastname@example.org or the partner team at email@example.com with any questions or concerns.
Q: I’m using an IDE built on IntelliJ Platform but not from JetBrains. What should I do?
A: We have been in contact with our partners building on IntelliJ Platform. Updates for Android Studio 1.5.x and 2.x should be available already. Please contact the vendor of the IDE for an update. If you have other questions, please contact us.
Q: I’m developing a plugin for IDEs built on the IntelliJ Platform. Does my plugin need an update?
A: No, plugins are not affected.
Q: I’d like to be notified about security vulnerabilities in the future.
A: You can subscribe to the security bulletin at www.jetbrains.com/security/subscribe.
UPDATE: If you’re running on OS X and the IDE doesn’t start after installing the update, please refer to https://intellij-support.jetbrains.com/hc/en-us/articles/208516145 for workarounds.