JetBrains warns of IntelliJ IDE bug exposing GitHub access tokens

June 11, 2024 at 03:02PM

JetBrains has issued a security warning about a critical vulnerability in its IntelliJ-based integrated development environment (IDE) apps, tracked as CVE-2024-37051. The flaw affects versions 2023.1 onwards when the GitHub plugin is enabled, and exposes GitHub access tokens. Security updates have been released for the affected IDEs, and customers are advised to update and to revoke their GitHub tokens.

Key takeaways:

1. JetBrains has identified a critical vulnerability impacting users of IntelliJ-based IDEs with the JetBrains GitHub plugin enabled.
2. The security flaw, tracked as CVE-2024-37051, exposes GitHub access tokens to third-party hosts when handling pull requests within the IDE.
3. JetBrains has released security updates for affected IDE versions (2023.1 onwards) and has patched the vulnerable JetBrains GitHub plugin.
4. Users are strongly urged to update to the latest fixed versions of IntelliJ IDEs and to revoke any GitHub tokens used by the vulnerable plugin.
5. Additionally, customers who have actively used GitHub pull request functionality in IntelliJ IDEs are advised to revoke access for the JetBrains IDE Integration app and delete the IntelliJ IDEA GitHub integration plugin token.
6. It is noted that after the token has been revoked, the plugin features, including Git operations, will stop working, and users will need to set up the plugin again.
7. JetBrains has also contacted GitHub to help minimize the impact of the vulnerability, and due to mitigation measures, the JetBrains GitHub plugin may not function as expected in older versions of JetBrains IDEs.
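Points 4 and 5 tell users to revoke the GitHub tokens the plugin used, but revocation in a web UI is easy to get wrong (wrong token, wrong account, a second token forgotten). The script below is an added example, not code from the article or from JetBrains: it confirms that each token on a list is actually dead by calling GitHub's `GET https://api.github.com/user` endpoint, which answers 401 for a revoked or invalid token and 200 for a live one. The HTTP transport is injectable so the logic can be exercised offline against constructed responses; the token values in the example are constructed, and the script never prints more than the last four characters of any token.

```python
"""Confirm that GitHub access tokens have really been revoked.

Added example (not part of the original article): after revoking the tokens
the IntelliJ GitHub plugin used, check each one against the GitHub API.
A 401 means the token is dead; a 200 means it is still live and must be
revoked. The transport is injectable so the classification logic can run
offline against constructed responses.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

GITHUB_USER_ENDPOINT = "https://api.github.com/user"

# A transport takes (url, headers) and returns (http_status, body_text).
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


def urllib_transport(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real transport: perform the request and return (status, body)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        # GitHub returns 401 for bad credentials; surface it as a status.
        return exc.code, exc.read().decode("utf-8", "replace")


def mask_token(token: str) -> str:
    """Show only the last four characters, enough to match a token in the UI."""
    return "*" * 4 + token[-4:]


def token_status(token: str, transport: Transport = urllib_transport) -> str:
    """Classify one token as 'revoked', 'active' or 'unknown'."""
    headers = {
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "token-revocation-check",
    }
    status, _body = transport(GITHUB_USER_ENDPOINT, headers)
    if status == 401:
        return "revoked"
    if status == 200:
        return "active"
    # Rate limiting (403/429) or outages: do not claim the token is dead.
    return "unknown"


def audit_tokens(tokens: Iterable[str],
                 transport: Transport = urllib_transport) -> Dict[str, str]:
    """Map each masked token to its status; never return the raw token."""
    return {mask_token(t): token_status(t, transport) for t in tokens}


def fake_transport_factory(live_tokens: Iterable[str]) -> Transport:
    """Constructed offline transport: tokens in live_tokens answer 200."""
    live = set(live_tokens)

    def fake(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        presented = headers["Authorization"].split(" ", 1)[1]
        if presented in live:
            return 200, json.dumps({"login": "example-user"})
        return 401, json.dumps({"message": "Bad credentials"})

    return fake


if __name__ == "__main__":
    # Constructed sample: one token already revoked, one still live.
    sample = ["ghp_constructedDEAD0001", "ghp_constructedLIVE0002"]
    offline = fake_transport_factory({"ghp_constructedLIVE0002"})
    for masked, state in audit_tokens(sample, offline).items():
        print(f"{masked}: {state}")
```

Run it with the real transport (drop the `offline` argument) against the tokens you intend to have revoked; any line reading `active` is a token that still works and still needs revoking, and `unknown` means the API did not give a clear answer, so the check should be repeated rather than treated as a pass.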
