JetBrains GitHub Plugin Vulnerability Affects IntelliJ IDEs


JetBrains recently announced a critical vulnerability in its GitHub plugin for IntelliJ platforms, which could potentially expose GitHub tokens. While a patch has been released for the latest IDE versions, JetBrains advises users to update their software promptly and exercise caution.

JetBrains Addresses Critical Vulnerability in GitHub Plugin for IntelliJ IDEs

In a recent announcement, JetBrains disclosed and patched a significant security flaw in the GitHub plugin for IntelliJ IDEs that could expose GitHub access tokens.

The GitHub plugin for IntelliJ IDEs allows users to easily access GitHub repositories within the IDE. Despite its convenience, the vulnerability posed a serious risk to users of IntelliJ IDE versions 2023.1 and above with the GitHub plugin enabled.

Identified as CVE-2024-37051, the vulnerability could compromise GitHub access tokens when working on pull requests in the IDE.

JetBrains promptly addressed the issue following an external security report and rolled out fixes across various IntelliJ IDE versions, including:

  • Aqua: 2024.1.2
  • CLion: 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2
  • DataGrip: 2024.1.4
  • DataSpell: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2
  • GoLand: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • IntelliJ IDEA: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • MPS: 2023.2.1, 2023.3.1, 2024.1 EAP2
  • PhpStorm: 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • PyCharm: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2
  • Rider: 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3
  • RubyMine: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4
  • RustRover: 2024.1.1
  • WebStorm: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4

Additionally, JetBrains released an updated GitHub plugin version and removed older versions from the JetBrains Marketplace to ensure user safety.

JetBrains collaborated with GitHub on mitigations, which may impact the performance of the GitHub plugin in older IDEs. Users are advised to update to the latest IDE versions to receive the necessary patches.

JetBrains Urges Users to Revoke GitHub Tokens

Alongside patch deployment, JetBrains recommends that users who actively work with GitHub pull requests in the IDE revoke any GitHub tokens used by the plugin. Although this means reconfiguring the plugin afterwards, it is a precaution against misuse of a leaked token, which two-factor authentication on the account does not prevent.
