JetBrains warned customers to patch a critical vulnerability that impacts users of its IntelliJ integrated development environment (IDE) apps and exposes GitHub access tokens.
Tracked as CVE-2024-37051, the flaw affects all IntelliJ-based IDEs from version 2023.1 onwards in which the JetBrains GitHub plugin is enabled and has been configured with a GitHub account.
“On the 29th of May 2024 we received an external security report with details of a possible vulnerability that would affect pull requests within the IDE,” said Ilya Pleskunin, a security support team lead at JetBrains.
“In particular, malicious content as part of a pull request to a GitHub project which would be handled by IntelliJ-based IDEs, would expose access tokens to a third-party host.”
JetBrains has released security updates that address this critical vulnerability for affected IDEs, version 2023.1 and later.
The company has also patched the vulnerable JetBrains GitHub plugin and has since removed all previously impacted versions from its official plugin marketplace.
The fixed versions for each IntelliJ-based IDE are:
- Aqua: 2024.1.2
- CLion: 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2
- DataGrip: 2024.1.4
- DataSpell: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2
- GoLand: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
- IntelliJ IDEA: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
- MPS: 2023.2.1, 2023.3.1, 2024.1 EAP2
- PhpStorm: 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3
- PyCharm: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2
- Rider: 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3
- RubyMine: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4
- RustRover: 2024.1.1
- WebStorm: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4
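To check installed IDEs against the list above across a fleet, the following Python script (an added example, not JetBrains' code) compares a product name and version string with the fixed release versions listed in this article. It assumes the `name` and `version` fields of the `product-info.json` file that sits in each IntelliJ-based IDE installation directory; the sample documents embedded in the block are constructed, not real installs. EAP builds are left out because the release version string carries no EAP number to compare, so a branch that appears only as an EAP entry above is reported as unknown rather than guessed.

```python
"""Fleet check for CVE-2024-37051: is an IntelliJ-based IDE build at or above
the fixed release version? Added example; not JetBrains' code."""
import json

# Fixed release versions per product, copied from the advisory list above.
# EAP builds are omitted: the release version string carries no EAP number.
FIXED_VERSIONS = {
    "Aqua": ["2024.1.2"],
    "CLion": ["2023.1.7", "2023.2.4", "2023.3.5", "2024.1.3"],
    "DataGrip": ["2024.1.4"],
    "DataSpell": ["2023.1.6", "2023.2.7", "2023.3.6", "2024.1.2"],
    "GoLand": ["2023.1.6", "2023.2.7", "2023.3.7", "2024.1.3"],
    "IntelliJ IDEA": ["2023.1.7", "2023.2.7", "2023.3.7", "2024.1.3"],
    "MPS": ["2023.2.1", "2023.3.1"],
    "PhpStorm": ["2023.1.6", "2023.2.6", "2023.3.7", "2024.1.3"],
    "PyCharm": ["2023.1.6", "2023.2.7", "2023.3.6", "2024.1.3"],
    "Rider": ["2023.1.7", "2023.2.5", "2023.3.6", "2024.1.3"],
    "RubyMine": ["2023.1.7", "2023.2.7", "2023.3.7", "2024.1.3"],
    "RustRover": ["2024.1.1"],
    "WebStorm": ["2023.1.6", "2023.2.7", "2023.3.7", "2024.1.4"],
}

# The advisory says IDEs from 2023.1 onwards are affected.
FIRST_AFFECTED_BRANCH = (2023, 1)


def parse_version(version):
    """'2024.1' -> (2024, 1, 0); '2023.3.7' -> (2023, 3, 7).
    Anything else (e.g. an EAP string) raises ValueError."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised IDE version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums if len(nums) == 3 else nums + (0,)


def assess(product, version):
    """Return (status, detail); status is one of
    'not_affected', 'fixed', 'vulnerable' or 'unknown'."""
    major, minor, patch = parse_version(version)
    if (major, minor) < FIRST_AFFECTED_BRANCH:
        return "not_affected", f"branch {major}.{minor} predates 2023.1"
    fixed_list = FIXED_VERSIONS.get(product)
    if fixed_list is None:
        return "unknown", f"no fixed-version data for {product!r}"
    for fixed in fixed_list:
        f_major, f_minor, f_patch = parse_version(fixed)
        if (f_major, f_minor) == (major, minor):
            if patch >= f_patch:
                return "fixed", f"{version} is at or above {fixed}"
            return "vulnerable", f"{version} is below {fixed}; update"
    # Branch with no listed release (e.g. 2024.2, listed only as EAP):
    # do not guess, compare the build number against the advisory by hand.
    return "unknown", f"branch {major}.{minor} has no listed release; check the build manually"


def product_key(name):
    """Match a product-info.json 'name' (e.g. 'PyCharm Professional Edition')
    to a FIXED_VERSIONS key by longest prefix; None if nothing matches."""
    matches = [k for k in FIXED_VERSIONS if name.startswith(k)]
    return max(matches, key=len) if matches else None


def assess_product_info(json_text):
    """Assess one product-info.json document. The 'name' and 'version'
    fields are assumed to be present, as in the file in each install dir."""
    info = json.loads(json_text)
    key = product_key(info["name"])
    if key is None:
        return "unknown", f"unrecognised product {info['name']!r}"
    return assess(key, info["version"])


# Constructed sample product-info.json documents (not real installs).
SAMPLE_PRODUCT_INFOS = [
    '{"name": "IntelliJ IDEA", "version": "2023.3.6"}',
    '{"name": "PyCharm", "version": "2024.1.3"}',
    '{"name": "CLion", "version": "2022.3.3"}',
    '{"name": "GoLand", "version": "2024.2"}',
]


def check_samples():
    """Assess every constructed sample; returns {product name: status}."""
    results = {}
    for doc in SAMPLE_PRODUCT_INFOS:
        results[json.loads(doc)["name"]] = assess_product_info(doc)[0]
    return results


if __name__ == "__main__":
    for doc in SAMPLE_PRODUCT_INFOS:
        info = json.loads(doc)
        status, detail = assess_product_info(doc)
        print(f"{info['name']} {info['version']}: {status} ({detail})")
```

Point `assess_product_info` at each `product-info.json` found under your IDE install roots; only `fixed` means the IDE itself is patched, and a patched IDE still needs the updated GitHub plugin and the token revocation described below.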
Admins urged to patch and revoke GitHub tokens
“If you have not updated to the latest version, we strongly urge you to do so,” Pleskunin warned.
While working on the fix, JetBrains also contacted GitHub to help limit the impact. Because of measures taken during that mitigation, the JetBrains GitHub plugin may not work as expected in older, unpatched IDE versions.
JetBrains also “strongly” advised customers who have actively used the GitHub pull request functionality in IntelliJ IDEs to revoke any GitHub tokens used by the vulnerable plugin: a leaked token is a bearer credential that grants access to the linked GitHub account regardless of two-factor authentication, which only protects interactive logins.
Which token to revoke depends on how the plugin was authenticated: if it used OAuth integration, revoke access for the JetBrains IDE Integration app in the GitHub account's authorized OAuth apps; if it used a personal access token (PAT), delete the IntelliJ IDEA GitHub integration plugin token.
“Please note that after the token has been revoked, you will need to set up the plugin again as all plugin features (including Git operations) will stop working,” Pleskunin said.
In February, JetBrains also warned of a critical authentication bypass vulnerability—with public exploit code available since March—that could allow attackers to gain admin privileges and take over vulnerable TeamCity On-Premises servers.