JetBrains, renowned for its IntelliJ integrated development environment (IDE) apps, recently issued a critical warning to its user base. A vulnerability, designated CVE-2024-37051, has been identified, affecting all IntelliJ-based IDEs from version 2023.1 onwards. This flaw specifically impacts users who have enabled and configured the JetBrains GitHub plugin, potentially exposing their GitHub access tokens to unauthorized access.
Prompt action is imperative to mitigate the risk posed by this vulnerability. In response to the security alert, JetBrains promptly released security updates targeting affected IDE versions, commencing from 2023.1. Moreover, the company swiftly patched the vulnerable JetBrains GitHub plugin, removing previously impacted versions from its official plugin marketplace. Users are strongly urged to update their IDEs without delay and to revoke any GitHub tokens associated with the vulnerable plugin.
The gravity of the situation is underscored by the urgency conveyed by JetBrains’ security support team lead, Ilya Pleskunin. Pleskunin emphasized the potential ramifications of the vulnerability, particularly highlighting its susceptibility to expose access tokens to third-party entities. This warning underscores the necessity for users to promptly address the security loophole to safeguard their GitHub accounts and sensitive data from potential exploitation.
Beyond merely addressing the vulnerability, JetBrains actively collaborated with GitHub to mitigate its impact further. Despite these efforts, users are cautioned that the mitigation process may affect the functionality of the JetBrains GitHub plugin in older IDE versions. As a precautionary measure, users who have utilized GitHub pull request functionality within IntelliJ IDEs are advised to revoke any associated GitHub tokens. Additionally, users are urged to delete integration tokens if OAuth integration or Personal Access Tokens (PAT) were employed, necessitating a reconfiguration of the plugin for continued functionality.
Reference: