Advisory

JetBrains warns users of IntelliJ IDE flaw leaking GitHub tokens. Revoke tokens and patch!

Take action: If you use an IntelliJ IDE with GitHub, assume the tokens were compromised. This is no time for optimism. Revoke the IDE's access to GitHub, delete all tokens, and then patch and set up the plugin again.


Learn More

JetBrains has warned users about a critical vulnerability in its IntelliJ integrated development environments (IDEs), tracked as CVE-2024-37051 (CVSS score 9.3), which exposes GitHub access tokens.

The vulnerability affects all IntelliJ-based IDEs from version 2023.1 onwards when the JetBrains GitHub plugin is enabled and configured. The vulnerability was reported on May 29, 2024, and could be exploited by malicious content in a pull request to a GitHub project, potentially exposing access tokens to third-party hosts.

The exposed tokens could allow attackers to gain unauthorized access to GitHub accounts and repositories, enabling them to deploy malicious code or delete repositories. JetBrains has released security updates to address this critical vulnerability and removed all impacted plugin versions from its official marketplace.

JetBrains has fixed the vulnerability in the following IDE versions:

  • Aqua: 2024.1.2
  • CLion: 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2
  • DataGrip: 2024.1.4
  • DataSpell: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2
  • GoLand: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • IntelliJ IDEA: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • MPS: 2023.2.1, 2023.3.1, 2024.1 EAP2
  • PhpStorm: 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • PyCharm: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2
  • Rider: 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3
  • RubyMine: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4
  • RustRover: 2024.1.1
  • WebStorm: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4
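A fleet-triage helper, added here as an example and not part of JetBrains' advisory: it encodes the fix list above and classifies an installed (product, version) pair, treating an EAP build as older than the release of the same branch and, as an assumption, reporting branches newer than any listed as "newer_than_advisory" rather than patched.

```python
import re
# Fixed versions per product, copied from the advisory's list above.
FIXED = {
    "Aqua":          ["2024.1.2"],
    "CLion":         ["2023.1.7", "2023.2.4", "2023.3.5", "2024.1.3", "2024.2 EAP2"],
    "DataGrip":      ["2024.1.4"],
    "DataSpell":     ["2023.1.6", "2023.2.7", "2023.3.6", "2024.1.2"],
    "GoLand":        ["2023.1.6", "2023.2.7", "2023.3.7", "2024.1.3", "2024.2 EAP3"],
    "IntelliJ IDEA": ["2023.1.7", "2023.2.7", "2023.3.7", "2024.1.3", "2024.2 EAP3"],
    "MPS":           ["2023.2.1", "2023.3.1", "2024.1 EAP2"],
    "PhpStorm":      ["2023.1.6", "2023.2.6", "2023.3.7", "2024.1.3", "2024.2 EAP3"],
    "PyCharm":       ["2023.1.6", "2023.2.7", "2023.3.6", "2024.1.3", "2024.2 EAP2"],
    "Rider":         ["2023.1.7", "2023.2.5", "2023.3.6", "2024.1.3"],
    "RubyMine":      ["2023.1.7", "2023.2.7", "2023.3.7", "2024.1.3", "2024.2 EAP4"],
    "RustRover":     ["2024.1.1"],
    "WebStorm":      ["2023.1.6", "2023.2.7", "2023.3.7", "2024.1.4"],
}
FIRST_AFFECTED = (2023, 1)  # advisory: every IntelliJ-based IDE from 2023.1 onwards

_VER = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*(EAP)\s*(\d+)?)?$", re.IGNORECASE)

def parse(version):
    """'2024.2 EAP3' -> (2024, 2, 0, 0, 3); '2024.2.1' -> (2024, 2, 1, 1, 0).
    The fourth field makes a released build sort after any EAP of its branch."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised JetBrains version: {version!r}")
    major, minor, patch, eap_tag, eap_num = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if eap_tag else 1, int(eap_num or 0))

def triage(product, version):
    """Classify one installed IDE against the fix list."""
    if product not in FIXED:
        return "unknown_product"
    v = parse(version)
    if v[:2] < FIRST_AFFECTED:
        return "not_affected"
    fixes = [parse(f) for f in FIXED[product]]
    same_branch = [f for f in fixes if f[:2] == v[:2]]
    if same_branch:
        return "patched" if v >= min(same_branch) else "vulnerable"
    if v[:2] > max(f[:2] for f in fixes):
        return "newer_than_advisory"  # assumption: branch postdates the advisory; confirm with vendor
    return "vulnerable"               # no fix in this branch: move to a fixed branch

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for product, version in [("IntelliJ IDEA", "2023.3.6"), ("GoLand", "2024.2 EAP2"),
                             ("Aqua", "2023.3.2"), ("PyCharm", "2022.3.3")]:
        print(f"{product:14} {version:12} -> {triage(product, version)}")
```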

JetBrains strongly urges users to update to the latest versions of the affected IDEs. Additionally, they should revoke any GitHub tokens used by the vulnerable plugin, revoke access for the JetBrains IDE Integration application and delete the token issued for the plugin.

JetBrains has coordinated with GitHub to minimize the impact of this vulnerability. Users who need to revoke their tokens will have to set up the plugin again, as all plugin features, including Git operations, will cease to function until reconfigured.
