JetBrains rectified flaw in IntelliJ IDE that exposed GitHub authorization tokens

Pierluigi Paganini
June 12, 2024

JetBrains has urged users to patch a critical vulnerability in its IntelliJ integrated development environment (IDE) software that could expose GitHub access tokens.

JetBrains warned users to act on a critical vulnerability, tracked as CVE-2024-37051, that affects its IntelliJ integrated development environment (IDE) software and could expose GitHub access tokens.

The vulnerability affects IntelliJ-based IDEs from version 2023.1 onward, but only when the JetBrains GitHub plugin is enabled and configured.

“A recent security concern has been found that impacts the JetBrains GitHub plugin on the IntelliJ Platform, potentially revealing access tokens to external websites. The problem affects all IntelliJ-based IDEs starting from version 2023.1 that have the JetBrains GitHub plugin enabled and functioning,” reads the advisory published by the company.

On May 29, 2024, the company received an external report of a vulnerability that could affect its IDE software.

The report showed that specially crafted content in a pull request to a GitHub project could, once the pull request was handled by an IntelliJ-based IDE, leak access tokens to a third-party server.

JetBrains addressed the flaw by releasing fixes for IDE versions 2023.1 and later, and strongly recommends that users upgrade to the latest version.

Users who have used the GitHub pull request feature in the IDE are strongly encouraged to revoke any GitHub tokens used by the plugin. For OAuth integration, revoke access for the JetBrains IDE Integration application under Applications → Authorized OAuth Apps. For Personal Access Tokens (PAT), delete the token issued for the plugin on the Tokens page; it is usually named “IntelliJ IDEA GitHub integration plugin,” although a custom name may have been used.

Below are the updated versions for IntelliJ IDEs:

  • Aqua: 2024.1.2
  • CLion: 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2
  • DataGrip: 2024.1.4
  • DataSpell: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2
  • GoLand: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • IntelliJ IDEA: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • MPS: 2023.2.1, 2023.3.1, 2024.1 EAP2
  • PhpStorm: 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • PyCharm: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2
  • Rider: 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3
  • RubyMine: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4
  • RustRover: 2024.1.1
  • WebStorm: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4
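The fixed-version table above is branch-specific (each 2023.x / 2024.x line has its own fix build, and some fixes shipped only as EAP builds), so "is my install patched?" is not a single comparison. The script below is an added example written for this article, not JetBrains code: it transcribes the advisory's table into a lookup, parses JetBrains version strings (including `EAP` builds), and classifies each IDE in a constructed inventory as fixed, vulnerable, not affected (pre-2023.1), or unknown (a branch for which the advisory lists no fix). Function names and the sample hosts are this example's own. Note that it checks IDE version only; the advisory's condition that the GitHub plugin be enabled and configured is not something a version string can tell you, and revoking the plugin's tokens as described above is still needed for anyone who used the pull request feature.

```python
import re

# Fixed versions transcribed from the JetBrains advisory for CVE-2024-37051.
FIXED_VERSIONS = {
    "Aqua": ["2024.1.2"],
    "CLion": ["2023.1.7", "2023.2.4", "2023.3.5", "2024.1.3", "2024.2 EAP2"],
    "DataGrip": ["2024.1.4"],
    "DataSpell": ["2023.1.6", "2023.2.7", "2023.3.6", "2024.1.2"],
    "GoLand": ["2023.1.6", "2023.2.7", "2023.3.7", "2024.1.3", "2024.2 EAP3"],
    "IntelliJ IDEA": ["2023.1.7", "2023.2.7", "2023.3.7", "2024.1.3", "2024.2 EAP3"],
    "MPS": ["2023.2.1", "2023.3.1", "2024.1 EAP2"],
    "PhpStorm": ["2023.1.6", "2023.2.6", "2023.3.7", "2024.1.3", "2024.2 EAP3"],
    "PyCharm": ["2023.1.6", "2023.2.7", "2023.3.6", "2024.1.3", "2024.2 EAP2"],
    "Rider": ["2023.1.7", "2023.2.5", "2023.3.6", "2024.1.3"],
    "RubyMine": ["2023.1.7", "2023.2.7", "2023.3.7", "2024.1.3", "2024.2 EAP4"],
    "RustRover": ["2024.1.1"],
    "WebStorm": ["2023.1.6", "2023.2.7", "2023.3.7", "2024.1.4"],
}

# Advisory: every IntelliJ-based IDE from 2023.1 onward is affected.
FIRST_AFFECTED_BRANCH = (2023, 1)

# Accepts "2023.3.7", "2024.1", "2024.2 EAP3" (year.major[.patch][ EAPn]).
_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*EAP\s*(\d+))?$")


def parse_version(text):
    """Turn a JetBrains version string into a sortable tuple
    (year, major, patch, is_release, eap_number).
    An EAP build sorts before every release build of the same branch."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised JetBrains version string: {text!r}")
    year, major, patch, eap = m.groups()
    if eap is None:
        return (int(year), int(major), int(patch or 0), 1, 0)
    return (int(year), int(major), int(patch or 0), 0, int(eap))


def check_version(product, version):
    """Classify one installed IDE as 'fixed', 'vulnerable',
    'not_affected' (branch older than 2023.1) or 'unknown'
    (advisory lists no fix for that branch of that product)."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"product not in advisory table: {product!r}")
    installed = parse_version(version)
    branch = installed[:2]
    if branch < FIRST_AFFECTED_BRANCH:
        return "not_affected"
    same_branch = [
        parse_version(fixed)
        for fixed in FIXED_VERSIONS[product]
        if parse_version(fixed)[:2] == branch
    ]
    if not same_branch:
        return "unknown"
    return "fixed" if installed >= min(same_branch) else "vulnerable"


def audit(inventory):
    """Run check_version over (product, version, host) records and return
    host -> status, ready to feed a ticketing or reporting step."""
    return {host: check_version(product, version) for product, version, host in inventory}


# Constructed sample inventory (hypothetical hosts, e.g. from an MDM export).
SAMPLE_INVENTORY = [
    ("IntelliJ IDEA", "2023.3.6", "dev-laptop-01"),   # one build short of 2023.3.7
    ("IntelliJ IDEA", "2024.1.3", "dev-laptop-02"),   # exactly the fixed build
    ("PyCharm", "2022.3.3", "dev-laptop-03"),         # pre-2023.1 branch
    ("GoLand", "2024.2 EAP2", "dev-laptop-04"),       # fix is in 2024.2 EAP3
    ("Aqua", "2023.3.1", "dev-laptop-05"),            # no 2023.3 fix listed for Aqua
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:15} {status}")
```

The ordering tuple is what makes the EAP rows work: a released `2024.2` compares greater than `2024.2 EAP3`, so a user who moved from the EAP to the final release is reported as fixed, while `2024.2 EAP2` is not. An `unknown` result should be treated as needing manual confirmation against the vendor, not as safe.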

“It’s highly recommended to update to the latest version if you haven’t done so already,” concluded the advisory.

The company has not disclosed whether the vulnerability has been exploited in real-world scenarios.


(SecurityAffairs – hacking, GitHub)