JetBrains has fixed a critical vulnerability, tracked as CVE-2024-37051, in its IntelliJ-based IDEs. The bug affects IDE versions 2023.1 and later in which the GitHub plugin is installed and active. If exploited, it could expose the GitHub access tokens used from within the coding environment.
The vulnerability was first discovered on May 29, 2024, when the company received an external security report affecting the IDE. The report demonstrated how specially crafted content in a pull request to a GitHub project inside IntelliJ-based IDEs could expose access tokens to a third-party host. The IDE and JetBrains’ GitHub plugin have been updated to fix the issue.
Users are advised to update their IDEs as soon as possible. In addition, the company's advisory states that any user who has actively used the GitHub pull request functionality in the IDE should revoke the GitHub tokens used by the plugin as soon as possible.
A list of currently fixed versions is as follows:
- Aqua: 2024.1.2
- CLion: 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2
- DataGrip: 2024.1.4
- DataSpell: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2
- GoLand: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
- IntelliJ IDEA: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
- MPS: 2023.2.1, 2023.3.1, 2024.1 EAP2
- PhpStorm: 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3
- PyCharm: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2
- Rider: 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3
- RubyMine: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4
- RustRover: 2024.1.1
- WebStorm: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4
GitHub access tokens are integral to the code-sharing platform's user experience, especially when it is accessed from the command line or through the GitHub API. They serve as an alternative to passwords, sparing users from logging in every time they want to query or act on their online code repositories. If leaked, access tokens can let unauthorised third parties change code repositories or otherwise interact with the API without the user's knowledge.