JetBrains fixed IntelliJ IDE flaw exposing GitHub access tokens

Pierluigi Paganini June 12, 2024

JetBrains warned to fix a critical vulnerability in IntelliJ integrated development environment (IDE) apps that exposes GitHub access tokens.

JetBrains warned customers to address a critical vulnerability, tracked as CVE-2024-37051, that impacts users of its IntelliJ integrated development environment (IDE) apps and exposes GitHub access tokens.

The flaw impacts IntelliJ-based IDEs version 2023.1 and later, where the JetBrains GitHub plugin is enabled and configured/used.

“A new security issue was discovered that affects the JetBrains GitHub plugin on the IntelliJ Platform, which could lead to disclosure of access tokens to third-party sites. The issue affects all IntelliJ-based IDEs as of 2023.1 onwards that have the JetBrains GitHub plugin enabled and configured/in-use.” reads the advisory published by the company. 

On the 29th of May 2024, the company received an external security report for the vulnerability potentially affecting its IDE product.

The report demonstrates that specially crafted content in a pull request to a GitHub project, when handled by IntelliJ-based IDEs, would expose access tokens to a third-party host.

JetBrains addressed the flaw with the release of IDEs version 2023.1 or later. Users are strongly recommended updating to the latest version. 

Those customers that have used GitHub pull request functionality in the IDE are strongly advised to revoke any GitHub tokens used by the plugin. For OAuth integration, revoke access for the JetBrains IDE Integration application via Applications → Authorized OAuth Apps. For Personal Access Tokens (PAT), delete the token issued for the plugin on the Tokens page, typically named “IntelliJ IDEA GitHub integration plugin,” though custom names may also be used.

Below is the list of fixed versions for IntelliJ IDEs:

  • Aqua: 2024.1.2
  • CLion: 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2
  • DataGrip: 2024.1.4
  • DataSpell: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2
  • GoLand: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • IntelliJ IDEA: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • MPS: 2023.2.1, 2023.3.1, 2024.1 EAP2
  • PhpStorm: 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • PyCharm: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2
  • Rider: 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3
  • RubyMine: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4
  • RustRover: 2024.1.1
  • WebStorm: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4

“If you have not updated to the latest version, we strongly urge you to do so,” concludes the advisory.

The company did not reveal if the vulnerability has been actively exploited in the wild.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, GitHub)

you might also like

leave a comment