Security News > 2024 > June > Users of JetBrains IDEs at risk of GitHub access token compromise (CVE-2024-37051)

Users of JetBrains IDEs at risk of GitHub access token compromise (CVE-2024-37051)
2024-06-11 12:33

JetBrains has fixed a critical vulnerability that could expose users of its integrated development environments to GitHub access token compromise.

CVE-2024-37051 is a vulnerability in the JetBrains GitHub plugin on the IntelliJ open-source platform, and affects all IntelliJ-based IDEs as of 2023.1 onwards that have it enabled and configured/in-use.

"On the 29th of May 2024 we received an external security report with details of a possible vulnerability that would affect pull requests within the IDE. In particular, malicious content as part of a pull request to a GitHub project which would be handled by IntelliJ-based IDEs, would expose access tokens to a third-party host," JetBrains security support team lead Ilya Pleskunin explains.

"The JetBrains GitHub plugin has also been updated with the fix, and previously affected versions have been removed from JetBrains Marketplace," Pleskunin added.

They've also pointed out that GitHub tokens typically act as authentication credentials, allowing access to GitHub resources without requiring further authentication steps.

"If you have actively used the GitHub pull request functionality in the IDE, we strongly advise that you revoke any GitHub tokens the plugin is using. Please note that after the token has been revoked, you will need to set up the plugin again, as all plugin features will stop working."


News URL

https://www.helpnetsecurity.com/2024/06/11/cve-2024-37051/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2024-06-10 CVE-2024-37051 Insufficiently Protected Credentials vulnerability in Jetbrains products
GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4
network
low complexity
jetbrains CWE-522
7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Jetbrains 32 28 275 59 16 378
Github 12 3 43 30 16 92