The vulnerability in JetBrains' GitHub plugin affects IntelliJ IDEs


JetBrains has alerted users to a critical vulnerability in its GitHub plugin for IntelliJ-based IDEs that can expose GitHub access tokens. JetBrains has shipped a fix in the latest IDE versions and strongly advises users to update immediately rather than keep running an unpatched build.

JetBrains fixed a serious vulnerability in the GitHub plugin that affected IntelliJ IDEs

According to a recent security advisory, JetBrains has fixed a serious security flaw in the GitHub plugin that left IntelliJ-based IDEs vulnerable to GitHub access token exposure.

The JetBrains GitHub plugin for IntelliJ IDEs gives developers quick access to GitHub repositories from within the IDE. The same account integration that makes this convenient is what the vulnerability abuses: every IntelliJ-based IDE from version 2023.1 onward with the GitHub plugin enabled was affected.

The vulnerability, tracked as CVE-2024-37051, lies in the plugin's pull request handling: opening a pull request containing malicious content inside the IDE could leak the user's GitHub access token to a third-party site.

JetBrains patched the vulnerability after receiving an external security report and has shipped the fix in the following IDE versions:

  • Aqua: 2024.1.2
  • CLion: 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2
  • DataGrip: 2024.1.4
  • DataSpell: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2
  • GoLand: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • IntelliJ IDEA: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • MPS: 2023.2.1, 2023.3.1, 2024.1 EAP2
  • PhpStorm: 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • PyCharm: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2
  • Rider: 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3
  • RubyMine: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4
  • RustRover: 2024.1.1
  • WebStorm: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4

Moreover, the developers have also patched the vulnerability in the latest release of the GitHub plugin itself and have removed the older, vulnerable plugin versions from the JetBrains Marketplace so that users cannot install them by accident.


JetBrains also worked with GitHub on mitigations applied on GitHub's side. However, those mitigations may affect the functionality of the GitHub plugin in older IDE versions, so they are no substitute for the fix itself: users must move to the latest IDE versions to receive the actual patch.

JetBrains also recommends revoking tokens

Alongside the patches, JetBrains advises anyone who has actively used the GitHub pull request functionality in the IDE to revoke all GitHub tokens the plugin used, since such a token may already have been exposed. For the OAuth integration this means revoking the JetBrains IDE Integration app authorization in the GitHub account settings (Settings > Applications > Authorized OAuth Apps); for a personal access token it means deleting that token under Developer settings. Revocation means the plugin has to be set up again afterwards, but it is the only way to rule out misuse of an already-leaked token: a valid token grants access to the GitHub account even when two-factor authentication is enabled, because 2FA protects the interactive login, not the token.
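Revoking the authorization in the GitHub UI is the step the advisory asks for; what a practitioner also wants is proof that the old token is actually dead, and a view of what a still-live token could do. The script below is an added example written for this article, not JetBrains or GitHub code. It calls the real GitHub `GET /user` endpoint with a token: a 401 means the token has been revoked, a 200 means it still works, and for classic personal access tokens and OAuth tokens the `X-OAuth-Scopes` response header lists the granted scopes (fine-grained tokens do not expose scopes this way). The transport is injectable so the same logic runs offline against the constructed sample responses at the bottom; the `audit_token` and `github_get` names are this example's own.

```python
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

API_USER = "https://api.github.com/user"

# A transport returns (HTTP status, lower-cased headers, raw body).
Transport = Callable[[str], Tuple[int, Dict[str, str], bytes]]


def github_get(token: str) -> Tuple[int, Dict[str, str], bytes]:
    """Real transport: call GitHub's /user endpoint with the given token."""
    req = urllib.request.Request(
        API_USER,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "token-revocation-check",  # GitHub rejects requests without a UA
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        # 401 on a revoked token arrives here; keep headers and body for the caller.
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


def audit_token(token: str, fetch: Transport = github_get) -> Dict[str, object]:
    """Report whether a token is still accepted by GitHub and which scopes it carries.

    Returns {"revoked": bool, "login": str | None, "scopes": [str, ...]}.
    """
    status, headers, body = fetch(token)
    if status == 401:
        # "Bad credentials": the token no longer authenticates, i.e. revocation took effect.
        return {"revoked": True, "login": None, "scopes": []}
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}: {body[:200]!r}")
    user = json.loads(body.decode("utf-8"))
    raw_scopes = headers.get("x-oauth-scopes", "")
    scopes: List[str] = [s.strip() for s in raw_scopes.split(",") if s.strip()]
    return {"revoked": False, "login": user.get("login"), "scopes": scopes}


# Constructed sample responses for offline demonstration; not real GitHub data.
def fake_fetch_live(token: str) -> Tuple[int, Dict[str, str], bytes]:
    return (
        200,
        {"x-oauth-scopes": "repo, gist, read:org, workflow"},
        json.dumps({"login": "example-user"}).encode(),
    )


def fake_fetch_revoked(token: str) -> Tuple[int, Dict[str, str], bytes]:
    return 401, {}, json.dumps({"message": "Bad credentials"}).encode()


if __name__ == "__main__":
    token: Optional[str] = os.environ.get("GITHUB_TOKEN")
    if token:
        result = audit_token(token)  # live check against api.github.com
    else:
        print("GITHUB_TOKEN not set; running against constructed sample responses", file=sys.stderr)
        result = audit_token("ghp_constructed_example", fake_fetch_live)
    if result["revoked"]:
        print("token revoked: GitHub returns 401 Bad credentials")
    else:
        print(f"token STILL VALID for {result['login']}; scopes: {', '.join(result['scopes']) or '(none reported)'}")
```

Run it with the old token in `GITHUB_TOKEN` before and after revoking the authorization: the first run shows the scopes an attacker who captured the token would have had (a `repo` scope means read and write on every repository the account can reach), the second should report 401. Never paste the token on a command line where it lands in shell history; export it from a file with restrictive permissions instead.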
