logo

Users of JetBrains IDEs at risk of GitHub access token compromise (CVE-2024-37051)

JetBrains has fixed a critical vulnerability (CVE-2024-37051) that could expose users of its integrated development environments (IDEs) to GitHub access token compromise.

CVE-2024-37051

About CVE-2024-37051

JetBrains offers IDEs for various programming languages.

CVE-2024-37051 is a vulnerability in the JetBrains GitHub plugin on the IntelliJ open-source platform, and affects all IntelliJ-based IDEs as of 2023.1 onwards that have it enabled and configured/in-use.

“On the 29th of May 2024 we received an external security report with details of a possible vulnerability that would affect pull requests within the IDE. In particular, malicious content as part of a pull request to a GitHub project which would be handled by IntelliJ-based IDEs, would expose access tokens to a third-party host,” JetBrains security support team lead Ilya Pleskunin explains.

Attackers could use those tokens to gain unauthorized access to user GitHub accounts and repositories and possibly deploy malicious code or delete the repositories.

Fixes are available

The issue has been fixed in the following IDEs: Aqua, CLion, DataGrip, DataSpell, GoLand, IntelliJ IDEA, MPS, PhpStorm, PyCharm, Rider, RubyMine, RustRover, and WebStorm.

“The JetBrains GitHub plugin has also been updated with the fix, and previously affected versions have been removed from JetBrains Marketplace,” Pleskunin added.

He advised users to update to the latest available version of the IDE they use. Those that have used the GitHub pull request functionality should also:

  • Revoke GitHub access tokens being used by the plugin
  • Revoke access for the JetBrains IDE Integration application
  • Delete the token issued for the plugin

Users of Google’s IntelliJ-based Android Studio, the official IDE for the Android OS, should also upgrade to v2023.3.1.20 (i.e., 2023.3.1 Patch 2), and go through the same token revocation process.

Help Net Security has reached out to JetBrains and GitHub to ask for more details about the source of the problem and whether they have any indication that the vulnerability might have been leveraged by attackers prior to being reported and fixed. We will update this piece if (when) we get a response.

Diligent AI enables leaders to better manage and respond to risk

Protecto improves data security and privacy for GenAI apps in Databricks environments

Free security scan for your website

Top News:

Truist Bank confirms breach after stolen data shows up on hacking forum

Truist Bank confirms breach after stolen data shows up on hacking forum

 June 14, 2024
Massive PSAUX ransomware attack targets 22,000 CyberPanel instances

Massive PSAUX ransomware attack targets 22,000 CyberPanel instances

 October 30, 2024
Millions of Synology NAS devices vulnerable to zero-click attacks (CVE-2024-10443)

Millions of Synology NAS devices vulnerable to zero-click attacks (CVE-2024-10443)

 November 4, 2024
Microsoft SharePoint RCE bug exploited to breach corporate network

Microsoft SharePoint RCE bug exploited to breach corporate network

 November 2, 2024
Google patches actively exploited Android vulnerability (CVE-2024-43093)

Google patches actively exploited Android vulnerability (CVE-2024-43093)

 November 5, 2024
VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware

VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware

 November 7, 2024