Users of JetBrains IDEs at risk of GitHub access token compromise (CVE-2024-37051)

JetBrains has fixed a critical vulnerability (CVE-2024-37051) that could expose users of its integrated development environments (IDEs) to GitHub access token compromise.

About CVE-2024-37051

JetBrains offers IDEs for various programming languages.

CVE-2024-37051 is a vulnerability in the JetBrains GitHub plugin for the open-source IntelliJ platform. It affects all IntelliJ-based IDEs from version 2023.1 onwards in which the plugin is enabled and configured or in use.

“On the 29th of May 2024 we received an external security report with details of a possible vulnerability that would affect pull requests within the IDE. In particular, malicious content as part of a pull request to a GitHub project which would be handled by IntelliJ-based IDEs, would expose access tokens to a third-party host,” JetBrains security support team lead Ilya Pleskunin explains.

Attackers could use those tokens to gain unauthorized access to user GitHub accounts and repositories and possibly deploy malicious code or delete the repositories.

Fixes are available

The issue has been fixed in the following IDEs: Aqua, CLion, DataGrip, DataSpell, GoLand, IntelliJ IDEA, MPS, PhpStorm, PyCharm, Rider, RubyMine, RustRover, and WebStorm.

“The JetBrains GitHub plugin has also been updated with the fix, and previously affected versions have been removed from JetBrains Marketplace,” Pleskunin added.

He advised users to update to the latest available version of the IDE they use. Those who have used the GitHub pull request functionality should also:

  • Revoke GitHub access tokens being used by the plugin
  • Revoke access for the JetBrains IDE Integration application
  • Delete the token issued for the plugin

Users of Google’s IntelliJ-based Android Studio, the official IDE for the Android OS, should also upgrade to v2023.3.1.20 (i.e., 2023.3.1 Patch 2), and go through the same token revocation process.

Help Net Security has reached out to JetBrains and GitHub to ask for more details about the source of the problem and whether they have any indication that the vulnerability might have been leveraged by attackers prior to being reported and fixed. We will update this piece if (when) we get a response.