Critical Security Update Released for IntelliJ-based IDEs and JetBrains GitHub Plugin
Summary
Exploitation of the vulnerability could lead to the disclosure of access tokens to third-party sites
Affected platforms
The following platforms are known to be affected: all IntelliJ-based IDEs from version 2023.1 onward that have the JetBrains GitHub plugin enabled and configured (see Threat details).
Threat details
Introduction
JetBrains has released a critical security advisory addressing one critical vulnerability which, if exploited, could lead to the disclosure of access tokens to third-party sites. The insufficiently protected credentials vulnerability, CVE-2024-37051, has a CVSSv3 score of 9.3 and affects all IntelliJ-based integrated development environments (IDEs) from version 2023.1 onward that have the JetBrains GitHub plugin enabled and configured or in use.
JetBrains IntelliJ is an open source software (OSS) platform for building IDEs and language-aware developer tools.
Remediation advice
Affected organisations are encouraged to review the latest JetBrains blog post and to update any IDEs in use to the latest available version.
If the GitHub pull request functionality in the IDE is used, revoke any GitHub tokens being used by the plugin. Because the plugin can use either OAuth integration or a Personal Access Token (PAT), check both and revoke as necessary:
- OAuth Integration Settings: go to Applications → Authorised OAuth Apps and revoke access for the JetBrains IDE Integration application.
- Personal Access Token Settings: go to the Tokens page and delete the token issued for the plugin. The default token name is IntelliJ IDEA GitHub integration plugin, but custom names may be used.
Please note that after the token has been revoked, it will be necessary to set up the plugin again as all plugin features (including Git operations) will stop working.
The fixed versions for each IDE are listed below:
- Aqua
    - 2024.1.2
- CLion
    - 2023.1.7
    - 2023.2.4
    - 2023.3.5
    - 2024.1.3
    - 2024.2 EAP2
- DataGrip
    - 2024.1.4
- DataSpell
    - 2023.1.6
    - 2023.2.7
    - 2023.3.6
    - 2024.1.2
- GoLand
    - 2023.1.6
    - 2023.2.7
    - 2023.3.7
    - 2024.1.3
    - 2024.2 EAP3
- IntelliJ IDEA
    - 2023.1.7
    - 2023.2.7
    - 2023.3.7
    - 2024.1.3
    - 2024.2 EAP3
- MPS
    - 2023.2.1
    - 2023.3.1
    - 2024.1 EAP2
- PhpStorm
    - 2023.1.6
    - 2023.2.6
    - 2023.3.7
    - 2024.1.3
    - 2024.2 EAP3
- PyCharm
    - 2023.1.6
    - 2023.2.7
    - 2023.3.6
    - 2024.1.3
    - 2024.2 EAP2
- Rider
    - 2023.1.7
    - 2023.2.5
    - 2023.3.6
    - 2024.1.3
- RubyMine
    - 2023.1.7
    - 2023.2.7
    - 2023.3.7
    - 2024.1.3
    - 2024.2 EAP4
- RustRover
    - 2024.1.1
- WebStorm
    - 2023.1.6
    - 2023.2.7
    - 2023.3.7
    - 2024.1.4
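To check an IDE inventory against the fixed versions above, the following added example (not part of the advisory or a JetBrains tool) classifies each installed build as not affected (before 2023.1), fixed, vulnerable, or lacking a listed fix for its release line. It assumes the GitHub plugin is enabled on every host, that versions are given in the product-version form used above (e.g. 2023.3.6 or 2024.2 EAP3), and the inventory is constructed sample data.

```python
import re
# Fixed versions per IDE, transcribed from the advisory above.
FIXED = {
    "Aqua": ["2024.1.2"],
    "CLion": ["2023.1.7", "2023.2.4", "2023.3.5", "2024.1.3", "2024.2 EAP2"],
    "DataGrip": ["2024.1.4"],
    "DataSpell": ["2023.1.6", "2023.2.7", "2023.3.6", "2024.1.2"],
    "GoLand": ["2023.1.6", "2023.2.7", "2023.3.7", "2024.1.3", "2024.2 EAP3"],
    "IntelliJ IDEA": ["2023.1.7", "2023.2.7", "2023.3.7", "2024.1.3", "2024.2 EAP3"],
    "MPS": ["2023.2.1", "2023.3.1", "2024.1 EAP2"],
    "PhpStorm": ["2023.1.6", "2023.2.6", "2023.3.7", "2024.1.3", "2024.2 EAP3"],
    "PyCharm": ["2023.1.6", "2023.2.7", "2023.3.6", "2024.1.3", "2024.2 EAP2"],
    "Rider": ["2023.1.7", "2023.2.5", "2023.3.6", "2024.1.3"],
    "RubyMine": ["2023.1.7", "2023.2.7", "2023.3.7", "2024.1.3", "2024.2 EAP4"],
    "RustRover": ["2024.1.1"],
    "WebStorm": ["2023.1.6", "2023.2.7", "2023.3.7", "2024.1.4"],
}
_VER = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s+EAP(\d+))?$")

def parse(version):
    # Returns (release line, sort key). EAP builds sort before the final release of the same line.
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    year, minor, patch, eap = m.groups()
    return f"{year}.{minor}", (int(year), int(minor), int(patch or 0), 0 if eap else 1, int(eap or 0))

def assess(ide, version):
    # Builds before 2023.1 are outside the advisory's scope; the GitHub plugin is assumed enabled.
    line, key = parse(version)
    if key < (2023, 1, 0, 0, 0):
        return "not affected"
    if ide not in FIXED:
        return "unknown IDE"
    for fixed in FIXED[ide]:
        fixed_line, fixed_key = parse(fixed)
        if fixed_line == line:
            return "fixed" if key >= fixed_key else "vulnerable"
    return "no fixed version listed for this release line"

# Constructed sample inventory (host, IDE, installed version); not real data.
INVENTORY = [
    ("dev-01", "IntelliJ IDEA", "2023.3.6"),
    ("dev-02", "PyCharm", "2024.1.3"),
    ("dev-03", "CLion", "2022.3.4"),
    ("dev-04", "Rider", "2024.2 EAP1"),
]

def report(inventory=INVENTORY):
    return {host: assess(ide, ver) for host, ide, ver in inventory}
```

Hosts reported as vulnerable or without a listed fix should be updated and, per the remediation advice above, have the plugin's GitHub tokens revoked.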
Definitive source of threat updates
Last edited: 11 June 2024 3:25 pm