CyberSecurity SEE

JetBrains issues warning about GitHub plugin revealing access tokens

A significant security flaw in the JetBrains GitHub plugin for IntelliJ-based IDEs has been identified, putting users’ access tokens at risk and potentially compromising the accounts linked to them. The vulnerability, tracked as CVE-2024-37051, affects plugin versions 2023.1 and later and exposes access tokens to malicious content placed in GitHub pull requests. An attacker who obtains a token in this way could take over the associated account, even if two-factor authentication is enabled.

JetBrains has moved quickly to address the issue, releasing a patch and working closely with GitHub on mitigation. Users are strongly advised to update their IDEs to the latest versions and to revoke any GitHub tokens the plugin has used. Fixed versions have been published for the JetBrains IDEs and for Aqua, with a specific fixed version for each product.

CLion, DataGrip, DataSpell, GoLand, IntelliJ IDEA, and MPS have each received fixed versions. These range from updates to earlier releases through to the latest Early Access Program (EAP) builds. Users of these IDEs should update to a fixed version to stay protected.

The vulnerability affects all IntelliJ-based IDEs from version 2023.1 onwards, including PhpStorm, PyCharm, Rider, RubyMine, WebStorm, and RustRover. JetBrains has released an updated version of the GitHub plugin containing the fix and has removed the insecure versions from the JetBrains Marketplace. Users are urged to update the plugin immediately.

The flaw was first disclosed to JetBrains in a security report submitted on May 29, 2024. By identifying and promptly addressing the vulnerability, JetBrains has taken the necessary steps to improve the security of its GitHub plugin. The company has reached out to GitHub and implemented measures to prevent the plugin from malfunctioning in older IDE versions.

As a precaution, users should update both the plugin and the IDE to the latest versions; this both closes the vulnerability and keeps the plugin fully functional. Users should also revoke any GitHub tokens used with the plugin, especially if its pull request features were used, since a token exposed before the update remains valid until it is revoked.

If the plugin uses OAuth tokens or Personal Access Tokens (PATs), users should revoke them through GitHub’s application settings or token management page. Note that revoking tokens disables all plugin features, including Git operations, so the plugin will need to be reconfigured afterwards.

To ensure complete data breach protection, users can explore Cynet’s All-in-One Cybersecurity Platform, recommended for Managed Service Providers (MSPs). By utilizing comprehensive cybersecurity solutions, organizations can bolster their defenses against potential threats and safeguard their sensitive data.

In conclusion, addressing security vulnerabilities promptly and proactively is essential. By staying vigilant and updating software regularly, users can protect themselves from security risks of this kind and keep their development environments safe.
