{"id":164466,"date":"2024-06-12T10:24:21","date_gmt":"2024-06-12T10:24:21","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=164466"},"modified":"2024-06-12T10:24:22","modified_gmt":"2024-06-12T10:24:22","slug":"jetbrains-fixed-intellij-ide-flaw","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/164466\/security\/jetbrains-fixed-intellij-ide-flaw.html","title":{"rendered":"JetBrains fixed IntelliJ IDE flaw exposing GitHub access tokens"},"content":{"rendered":"
JetBrains warned customers to fix a critical vulnerability in its IntelliJ integrated development environment (IDE) apps that can expose GitHub access tokens to third-party sites.

JetBrains warned customers to address a critical vulnerability, tracked as CVE-2024-37051, that affects users of its IntelliJ integrated development environment (IDE) apps and can expose the GitHub access tokens used by the IDE.

The flaw affects IntelliJ-based IDEs from version 2023.1 onward on which the JetBrains GitHub plugin is enabled and has been configured or used.

“A new security issue was discovered that affects the JetBrains GitHub plugin on the IntelliJ Platform, which could lead to disclosure of access tokens to third-party sites. The issue affects all IntelliJ-based IDEs as of 2023.1 onwards that have the JetBrains GitHub plugin enabled and configured\/in-use.” reads the advisory published by the company.

On May 29, 2024, the company received an external security report describing the vulnerability affecting its IDE products.

The report demonstrated that specially crafted content in a pull request to a GitHub project, when handled by an IntelliJ-based IDE with the GitHub plugin, would cause the IDE to expose its GitHub access token to a third-party host.

JetBrains addressed the flaw in patched releases of every affected IDE line (2023.1 and later). Users are strongly recommended to update to the latest version.

Customers who have used the GitHub pull request functionality in the IDE are strongly advised to revoke any GitHub tokens used by the plugin, since a token may already have been disclosed and updating the IDE does not invalidate it. For OAuth integration, revoke access for the JetBrains IDE Integration application via Applications \u2192 Authorized OAuth Apps. For personal access tokens (PATs), delete the token issued for the plugin on the Tokens page; it is typically named “IntelliJ IDEA GitHub integration plugin”, though a custom name may have been used.
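As a practitioner's follow-up to the revocation steps above, the following added script (not JetBrains' or GitHub's code) presents the old token to GitHub and reports whether it is really dead and, if it is still accepted, which scopes it still carries. It assumes the token under test is exported as GITHUB_TOKEN and relies only on GitHub's documented GET /user endpoint and the X-OAuth-Scopes response header that classic PATs and OAuth tokens receive; fine-grained PATs return no scope header, so their scopes list stays empty.

```python
'''Confirm that a GitHub token used by the JetBrains GitHub plugin is really revoked.

Added example, not code from JetBrains or GitHub. It assumes the token under test
is exported as GITHUB_TOKEN and that api.github.com is reachable when run for real;
classify() is pure so the verdict logic can be checked offline.
'''
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

API_USER = 'https://api.github.com/user'   # any authenticated endpoint would do


def classify(status: int, scopes_header: Optional[str]) -> dict:
    '''Turn the HTTP status of GET /user (plus the X-OAuth-Scopes header GitHub
    returns for classic PATs and OAuth tokens) into a verdict.'''
    if status == 401:
        # GitHub answers 401 "Bad credentials" for revoked or deleted tokens.
        return {'verdict': 'revoked', 'scopes': []}
    if status == 200:
        # Still accepted: record the scopes so the blast radius of a leak is known.
        scopes = [s.strip() for s in (scopes_header or '').split(',') if s.strip()]
        return {'verdict': 'still-valid', 'scopes': scopes}
    return {'verdict': 'unknown (HTTP %d)' % status, 'scopes': []}


def probe(token: str, url: str = API_USER) -> dict:
    '''Send the token to GitHub and classify the response. Needs network access.'''
    req = urllib.request.Request(url, headers={
        'Authorization': 'Bearer ' + token,
        'Accept': 'application/vnd.github+json',
        'User-Agent': 'token-revocation-check',   # GitHub rejects requests without one
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, resp.headers.get('X-OAuth-Scopes'))
    except urllib.error.HTTPError as err:
        # 401 arrives here as an exception; the headers are still available.
        return classify(err.code, err.headers.get('X-OAuth-Scopes'))


def main() -> int:
    token = os.environ.get('GITHUB_TOKEN')
    if not token:
        print('export GITHUB_TOKEN=<the token you revoked> and rerun', file=sys.stderr)
        return 2
    result = probe(token)
    print('verdict: %s' % result['verdict'])
    if result['scopes']:
        print('scopes still granted: %s' % ', '.join(result['scopes']))
    # Non-zero exit while the token still works, so this can gate a rotation runbook.
    return 0 if result['verdict'] == 'revoked' else 1


if __name__ == '__main__':
    sys.exit(main())
```

Run it once before revoking to capture the scopes the plugin's token carried (that is what an attacker who received it could do), then again afterwards: the second run should print "verdict: revoked" and exit 0.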

Below is the list of fixed versions for IntelliJ IDEs: