Users of JetBrains IDEs at risk of GitHub access token compromise (CVE-2024-37051)
JetBrains has fixed a critical vulnerability (CVE-2024-37051) that could expose users of its integrated development environments (IDEs) to GitHub access token compromise.
About CVE-2024-37051
JetBrains offers IDEs for various programming languages.
CVE-2024-37051 is a vulnerability in the JetBrains GitHub plugin on the IntelliJ open-source platform, and affects all IntelliJ-based IDEs as of 2023.1 onwards that have it enabled and configured/in-use.
“On the 29th of May 2024 we received an external security report with details of a possible vulnerability that would affect pull requests within the IDE. In particular, malicious content as part of a pull request to a GitHub project which would be handled by IntelliJ-based IDEs, would expose access tokens to a third-party host,” JetBrains security support team lead Ilya Pleskunin explains.
Attackers could use those tokens to gain unauthorized access to user GitHub accounts and repositories and possibly deploy malicious code or delete the repositories.
Fixes are available
The issue has been fixed in the following IDEs: Aqua, CLion, DataGrip, DataSpell, GoLand, IntelliJ IDEA, MPS, PhpStorm, PyCharm, Rider, RubyMine, RustRover, and WebStorm.
“The JetBrains GitHub plugin has also been updated with the fix, and previously affected versions have been removed from JetBrains Marketplace,” Pleskunin added.
He advised users to update to the latest available version of the IDE they use. Those that have used the GitHub pull request functionality should also:
- Revoke GitHub access tokens being used by the plugin
- Revoke access for the JetBrains IDE Integration application
- Delete the token issued for the plugin
Users of Google’s IntelliJ-based Android Studio, the official IDE for the Android OS, should also upgrade to v2023.3.1.20 (i.e., 2023.3.1 Patch 2), and go through the same token revocation process.
Help Net Security has reached out to JetBrains and GitHub to ask for more details about the source of the problem and whether they have any indication that the vulnerability might have been leveraged by attackers prior to being reported and fixed. We will update this piece if (when) we get a response.
UPDATE (June 11, 2024, 10:20 a.m. ET):
“There is no confirmed evidence that attackers actively exploited [the vulnerability] before its discovery and disclosure. We recommend that users apply security updates promptly to minimize the risk of exploitation,” a JetBrains representative told Help Net Security.
They’ve also pointed out that GitHub tokens typically act as authentication credentials, allowing access to GitHub resources without requiring further authentication steps.
“This means that if an attacker obtains a valid token, they can use it to access the associated GitHub account’s resources, regardless of whether MFA is enabled on the account,” they noted.
“If you have actively used the GitHub pull request functionality in the IDE, we strongly advise that you revoke any GitHub tokens the plugin is using. Please note that after the token has been revoked, you will need to set up the plugin again, as all plugin features (including Git operations) will stop working.”