IntelliJ IDE Bug Exposes GitHub Access Tokens, JetBrains Issues Warning. Here is what to know, A Quick look

Avast

IntelliJ IDE Bug Exposes GitHub Access Tokens, JetBrains Issues Warning. Here is what to know, A Quick look

In a recent security advisory, JetBrains, the company behind popular development tools, issued a warning about a critical vulnerability affecting users of its IntelliJ integrated development environment (IDE) apps. The flaw specifically impacts the JetBrains GitHub plugin on the IntelliJ Platform, potentially exposing GitHub access tokens to third-party sites.

JetBrains

The Vulnerability

The vulnerability assigned the CVE ID CVE-2024-37051, affects all IntelliJ-based IDEs from version 2023.1 onwards that have the JetBrains GitHub plugin enabled and configured. When handling pull requests within the IDE, malicious content could inadvertently expose access tokens to external hosts. This security issue poses a significant risk, as compromised access tokens could lead to unauthorized access and potential account compromise.

Resolution and Fixed Versions

JetBrains promptly addressed the issue by providing fixes for all affected IDEs based on the IntelliJ Platform. Users are strongly encouraged to update their IDEs to the latest versions. Here are the fixed versions for various JetBrains IDEs:

  • Aqua: 2024.1.2
  • CLion: 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2
  • DataGrip: 2024.1.4
  • DataSpell: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2
  • GoLand: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • IntelliJ IDEA: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • MPS: 2023.2.1, 2023.3.1, 2024.1 EAP2
  • PhpStorm: 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • PyCharm: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2
  • Rider: 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3
  • RubyMine: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4
  • RustRover: 2024.1.1
  • WebStorm: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4

Mitigation Measures

To safeguard against potential token exposure, JetBrains recommends the following actions:

  1. Update Your IDE: Ensure you’re using the latest version of your IDE.
  2. Revoke GitHub Tokens: If you actively use GitHub pull request functionality in the IDE, revoke any GitHub tokens issued for the plugin. Check both OAuth integration settings and Personal Access Token (PAT) settings.
    • For OAuth Integration: Go to “Applications” → “Authorized OAuth Apps” and revoke access for the JetBrains IDE Integration application.
    • For Personal Access Tokens: Visit the “Tokens” page and delete the token issued for the plugin (default name: “IntelliJ IDEA GitHub integration plugin”).

Conclusion

By promptly addressing this security issue, JetBrains demonstrates its commitment to user safety. Developers should take immediate action to protect their access tokens and keep their IDEs up to date. Remember that security is a shared responsibility, and vigilance is essential in maintaining a secure development environment.


You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it

Share this content:

Post Comment