JetBrains has alerted users to a critical vulnerability in its GitHub plugin for IntelliJ platforms, which exposes GitHub tokens. Although JetBrains has released a patch for this issue in the latest IDE versions, they strongly advise users to exercise caution and ensure their software is promptly updated.
JetBrains Patched Serious GitHub Plugin Vulnerability Impacting IntelliJ IDEs
According to a recent post, JetBrains patched a serious security flaw in the GitHub plugin that made the IntelliJ IDEs vulnerable to exposing GitHub access tokens.
JetBrains GitHub plugin for IntelliJ IDEs provides quick access to the GitHub repositories from the IDE. While it provides convenience to the users with GitHub account integration, the vulnerability posed a serious threat to IntelliJ IDE versions 2023.1 onwards having the GitHub plugin enabled.
As explained, the vulnerability, CVE-2024-37051, would affect pull requests within the IDE, exposing the GitHub access tokens to third-party sites.
JetBrains patched the vulnerability following an external security report, deploying fixes with the following IntelliJ IDE versions.
- Aqua: 2024.1.2
- CLion: 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2
- DataGrip: 2024.1.4
- DataSpell: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2
- GoLand: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
- IntelliJ IDEA: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
- MPS: 2023.2.1, 2023.3.1, 2024.1 EAP2
- PhpStorm: 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3
- PyCharm: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2
- Rider: 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3
- RubyMine: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4
- RustRover: 2024.1.1
- WebStorm: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4
Moreover, the developers also patched the vulnerability with the latest GitHub plugin release, removing the older versions from the JetBrains Marketplace for users’ safety.
JetBrains also collaborated with GitHub for mitigations. However, the mitigations affect the performance of the JetBrains GitHub plugin in older IDEs. Hence, the users must ensure they are running the latest IDE versions to receive the patch.
JetBrains Also Recommends Revoking Tokens
While JetBrains urged deploying the patches, they also advised users actively using the GitHub pull request functionality in the IDE to revoke any GitHub tokens in use by the plugin. Although revoking tokens requires the users to set up the plugin again, it’s a precautionary recommendation to avoid potential abuse of the GitHub tokens to access the GitHub accounts, which become vulnerable even with the two-factor authentication enabled.
Let us know your thoughts in the comments.