JetBrains has warned customers to patch a critical vulnerability that affects users of its IntelliJ integrated development environment (IDE) products and exposes GitHub access tokens.
Tracked as CVE-2024-37051, the security flaw affects all IntelliJ-based IDEs from 2023.1 onwards in which the JetBrains GitHub plugin is enabled and configured/used.
“On the 29th of May 2024 we received an external security report with details of a possible vulnerability that would affect pull requests within the IDE,” said Ilya Pleskunin, a security support team lead at JetBrains.
“In particular, malicious content as part of a pull request to a GitHub project which would be handled by IntelliJ-based IDEs, would expose access tokens to a third-party host.”
JetBrains has released security updates that address this critical vulnerability in affected IDEs of version 2023.1 or later.
The company has also patched the vulnerable JetBrains GitHub plugin and has since removed all previously affected versions from its official plugin marketplace.
The complete list of fixed versions for IntelliJ IDEs is:
- Aqua: 2024.1.2
- CLion: 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2
- DataGrip: 2024.1.4
- DataSpell: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2
- GoLand: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
- IntelliJ IDEA: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
- MPS: 2023.2.1, 2023.3.1, 2024.1 EAP2
- PhpStorm: 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3
- PyCharm: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2
- Rider: 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3
- RubyMine: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4
- RustRover: 2024.1.1
- WebStorm: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4
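The fixed-version list above is per release line, so "install the latest" is not the only question an administrator has to answer: a 2023.2 install is fixed at 2023.2.7, not at 2024.1.x. The following checker is an added example, not JetBrains code. It embeds the table above and classifies an installed build by comparing it against the fixed build of its own release line. It assumes the version string has the form shown in Help > About (for example `2023.1.7` or `2024.2 EAP3`); the status names (`not_affected`, `fixed`, `vulnerable`, `newer_than_table`) are this example's own, and the inventory it prints is constructed sample data.

```python
import re
from typing import Optional, Tuple

# Fixed versions per product, copied from the JetBrains list above.
FIXED_VERSIONS = {
    "Aqua": ["2024.1.2"],
    "CLion": ["2023.1.7", "2023.2.4", "2023.3.5", "2024.1.3", "2024.2 EAP2"],
    "DataGrip": ["2024.1.4"],
    "DataSpell": ["2023.1.6", "2023.2.7", "2023.3.6", "2024.1.2"],
    "GoLand": ["2023.1.6", "2023.2.7", "2023.3.7", "2024.1.3", "2024.2 EAP3"],
    "IntelliJ IDEA": ["2023.1.7", "2023.2.7", "2023.3.7", "2024.1.3", "2024.2 EAP3"],
    "MPS": ["2023.2.1", "2023.3.1", "2024.1 EAP2"],
    "PhpStorm": ["2023.1.6", "2023.2.6", "2023.3.7", "2024.1.3", "2024.2 EAP3"],
    "PyCharm": ["2023.1.6", "2023.2.7", "2023.3.6", "2024.1.3", "2024.2 EAP2"],
    "Rider": ["2023.1.7", "2023.2.5", "2023.3.6", "2024.1.3"],
    "RubyMine": ["2023.1.7", "2023.2.7", "2023.3.7", "2024.1.3", "2024.2 EAP4"],
    "RustRover": ["2024.1.1"],
    "WebStorm": ["2023.1.6", "2023.2.7", "2023.3.7", "2024.1.4"],
}

# CVE-2024-37051 affects 2023.1 and later; earlier release lines are out of scope.
FIRST_AFFECTED_LINE = (2023, 1)

# Accepts "2023.1.7", "2024.1" and "2024.2 EAP3". Assumption: this matches the
# version string the IDE shows in Help > About.
_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*EAP\s*(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Map a version string to a comparable tuple (year, minor, stage, number).

    stage 0 = EAP build, stage 1 = GA build, so every EAP of a release line
    sorts before that line's GA builds and later EAPs sort after earlier ones.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised JetBrains version string: {text!r}")
    year, minor, patch, eap = m.groups()
    if eap is not None:
        return (int(year), int(minor), 0, int(eap))
    return (int(year), int(minor), 1, int(patch or 0))


def assess(product: str, installed: str) -> Tuple[str, Optional[str]]:
    """Classify an installed build against the fixed-version table.

    Returns (status, fixed_version) where status is one of:
      not_affected      release line predates 2023.1
      fixed             at or above the fixed build for its release line
      vulnerable        below the fixed build, or in a line with no fixed build
      newer_than_table  release line is newer than anything in the table;
                        consult the vendor advisory rather than assuming
    Status names are this example's own, not JetBrains terminology.
    """
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fixed-version entry for {product!r}")
    v = parse_version(installed)
    line = v[:2]
    if line < FIRST_AFFECTED_LINE:
        return ("not_affected", None)
    fixed_by_line = {parse_version(f)[:2]: f for f in FIXED_VERSIONS[product]}
    if line in fixed_by_line:
        fixed = fixed_by_line[line]
        return ("fixed" if v >= parse_version(fixed) else "vulnerable", fixed)
    if line > max(fixed_by_line):
        return ("newer_than_table", None)
    # e.g. DataGrip 2023.x: no patched build exists in that line, so the only
    # remedy is upgrading to a line that has one.
    return ("vulnerable", None)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("IntelliJ IDEA", "2023.1.6"),
        ("IntelliJ IDEA", "2024.2 EAP2"),
        ("PyCharm", "2022.3.3"),
        ("DataGrip", "2023.3.4"),
        ("WebStorm", "2024.1.4"),
    ]
    for product, version in inventory:
        status, fix = assess(product, version)
        print(f"{product} {version}: {status}" + (f" (fixed in {fix})" if fix else ""))
```

Two caveats apply. The check only says whether the IDE build carries the fix; exposure also requires the GitHub plugin to have been enabled and used, which this script does not detect. And a "fixed" result does not undo exposure that already happened, so the token revocation described below is still needed for any install that was ever vulnerable.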
Admins urged to patch and revoke GitHub tokens
“If you have not updated to the latest version, we strongly urge you to do so,” Pleskunin warned.
Alongside working on a security fix, JetBrains contacted GitHub to help minimise the impact. Because of measures implemented during the mitigation process, the JetBrains GitHub plugin may not function as expected in older versions of JetBrains IDEs.
JetBrains also “strongly” advised customers who have actively used GitHub pull request functionality in IntelliJ IDEs to revoke any GitHub tokens used by the vulnerable plugin, as a leaked token could give an attacker access to the linked GitHub account even when two-factor authentication is enabled.
Furthermore, if the plugin was used with OAuth integration or a Personal Access Token (PAT), they should also revoke access for the JetBrains IDE Integration app and delete the IntelliJ IDEA GitHub integration plugin token.
“Please note that after the token has been revoked, you will need to set up the plugin again as all plugin features (including Git operations) will stop working,” Pleskunin said.
In February, JetBrains also warned of a critical authentication bypass vulnerability, with public exploit code available since March, that could allow attackers to gain admin privileges and take over vulnerable TeamCity On-Premises servers.