Critical vulnerability related to JetBrains Toolbox

Answered

There isn't a dedicated forum for JetBrains Toolbox, so I'll post it here, as many IDEA users download it via Toolbox. The software uses a 7z.exe that is old and vulnerable to arbitrary code execution (CVE-2016-2334). The file is located at `C:\Users\<user>\AppData\Local\JetBrains\Toolbox\bin\7z.exe`. The fix is very simple and I urge JetBrains developers to do it: update the 7z bundled with Toolbox to the latest version, as this vulnerability only affects 7-Zip before version 16.00.

Official comment

Juan, thanks for the report! I've updated the 7-Zip distribution used by Toolbox to the latest version.

However, this vulnerability does not affect Toolbox App, because it downloads files only from https://download.jetbrains.com, verifies checksums of all packages, and file listings used by Toolbox App are digitally signed by JetBrains.

Thanks for the report. In the future please report Toolbox App issues directly at https://youtrack.jetbrains.com/issues/ALL.
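
For administrators who want to confirm which hosts still carry the old binary, the following is an added example (not part of the thread and not JetBrains code) that inventories the bundled `7z.exe` under each user profile and flags copies older than 16.00. It assumes profiles live under `C:\Users` and that `7z.exe` carries a standard version resource; the function name `Get-ToolboxSevenZipStatus` is hypothetical.

```powershell
# Added example: audit the 7z.exe bundled with JetBrains Toolbox.
# The path pattern comes from the post; C:\Users as the profile root is an assumption.
$Pattern = 'C:\Users\*\AppData\Local\JetBrains\Toolbox\bin\7z.exe'
# The post states the issue only affects 7-Zip before version 16.00.
$Fixed = [version]'16.0'

function Get-ToolboxSevenZipStatus {
    param(
        [string]$Path,
        [version]$FixedVersion
    )
    # -Force lets the wildcard resolve through hidden directories such as AppData.
    foreach ($file in Get-Item -Path $Path -Force -ErrorAction SilentlyContinue) {
        $info = $file.VersionInfo
        if ([string]::IsNullOrEmpty($info.FileVersion)) {
            # No version resource: cannot decide, so report for manual review.
            $version = $null
            $status  = 'UNKNOWN'
        }
        else {
            # Compare on major.minor only; 7-Zip versions look like 15.14 or 16.04.
            $version = New-Object System.Version -ArgumentList $info.FileMajorPart, $info.FileMinorPart
            $status  = if ($version -lt $FixedVersion) { 'OUTDATED' } else { 'OK' }
        }
        [pscustomobject]@{
            Path    = $file.FullName
            Version = $version
            Status  = $status
            # The hash lets you match identical binaries across hosts in an inventory.
            SHA256  = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }
    }
}

$results = @(Get-ToolboxSevenZipStatus -Path $Pattern -FixedVersion $Fixed)
if ($results.Count -eq 0) {
    Write-Output 'No bundled 7z.exe found under the Toolbox path.'
}
else {
    $results | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated session so that other users' profile directories are readable; copies reported as `OUTDATED` or `UNKNOWN` indicate a Toolbox installation that has not yet picked up the updated 7-Zip.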
