JetBrains Issues Warning About IntelliJ IDE Bug That Exposes GitHub Access Tokens

June 11, 2024

JetBrains has alerted its customers to a critical security flaw that affects users of its IntelliJ integrated development environment (IDE) apps. This vulnerability, known as CVE-2024-37051, exposes GitHub access tokens and is present in all IntelliJ-based IDEs from 2023.1 onwards where the JetBrains GitHub plugin is enabled and in use.

Ilya Pleskunin, a security support team lead at JetBrains, explained that the company became aware of the issue on May 29, 2024, when they received an external security report. The report detailed a potential vulnerability that could impact pull requests within the IDE. Specifically, if a pull request to a GitHub project contained malicious content and was handled by IntelliJ-based IDEs, it could expose access tokens to a third-party host.

In response to this security flaw, JetBrains has released updates that address the vulnerability in affected IDE versions 2023.1 and later. The JetBrains GitHub plugin, which was identified as the source of the vulnerability, has also been patched, and all previously impacted versions of the plugin have been removed from the official JetBrains plugin marketplace.

Pleskunin has strongly urged customers to update to the latest version of the IDEs. In addition to releasing a security fix, JetBrains has been in contact with GitHub to help minimize the impact of the vulnerability. Measures taken during the mitigation process may cause the JetBrains GitHub plugin to function differently in older versions of JetBrains IDEs.

JetBrains has also advised customers who have actively used GitHub pull request functionality in IntelliJ IDEs to revoke any GitHub tokens used by the vulnerable plugin. This is because these tokens could potentially provide attackers with access to linked GitHub accounts, even if two-factor authentication is in place. If the plugin was used with OAuth integration or Personal Access Token (PAT), customers should also revoke access for the JetBrains IDE Integration app and delete the IntelliJ IDEA GitHub integration plugin token.

Pleskunin also noted that after revoking the token, users will need to set up the plugin again, because all plugin features, including Git operations, will stop working until they do.

Earlier in the year, JetBrains had also warned of a critical authentication bypass vulnerability that could allow attackers to gain admin privileges and take control of vulnerable TeamCity On-Premises servers. Exploit code for that flaw has been publicly available since March.
