JetBrains Released Patches for Vulnerability Impacting IntelliJ IDEA (CVE-2024-37051)

JetBrains IntelliJ integrated development environment (IDE) apps are vulnerable to a critical security flaw tracked as CVE-2024-37051. The vulnerability may allow attackers to disclose GitHub access tokens to third-party sites. The vulnerability exists in the JetBrains IntelliJ-based IDEs that have the JetBrains GitHub plugin enabled and configured/in-use.

JetBrains IntelliJ IDEA is an integrated development environment (IDE) for software developers that helps them create, edit, debug, and manage code. The IDE aims to maximize developer productivity by automating routine tasks like code completion, static code analysis, and refactoring.

Vulnerability Details

The vulnerability can be triggered through pull requests handled within the IDE. An attacker may include malicious content in a pull request to a GitHub project; when an IntelliJ-based IDE with the GitHub plugin processes that pull request, it may expose the configured GitHub access token to a third-party host.

Affected Versions

The vulnerability impacts JetBrains IntelliJ IDEA before 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2.

Mitigation

Customers must upgrade to JetBrains IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3, or later to remediate the vulnerability.
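As an added example (not code from JetBrains or Qualys), the following Python helper classifies an installed IntelliJ IDEA version string against the fixed versions listed above and applies the advisory's precondition that only IDEs with the GitHub plugin enabled are exposed. It assumes the "YYYY.N.P" release format and a "2024.2 EAP<n>" form for Early Access builds; branches the advisory does not list are reported as UNKNOWN rather than guessed.

```python
"""Classify IntelliJ IDEA version strings against the CVE-2024-37051 fix levels.

Constructed helper for this note, not JetBrains or Qualys code. Assumes the
common "YYYY.N" / "YYYY.N.P" version format (e.g. "2023.2.5") and, for the
Early Access branch, the form "2024.2 EAP<n>". Branches the advisory does not
list are reported as UNKNOWN so they can be verified manually.
"""
import re

# Minimum patch level per release branch, taken from the advisory's fixed versions.
FIXED_PATCH = {
    (2023, 1): 7,  # 2023.1.7
    (2023, 2): 7,  # 2023.2.7
    (2023, 3): 7,  # 2023.3.7
    (2024, 1): 3,  # 2024.1.3
}
FIXED_EAP = ((2024, 2), 3)  # 2024.2 EAP3

VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s+EAP(\d*))?$", re.IGNORECASE)


def classify(version: str) -> str:
    """Return 'VULNERABLE', 'FIXED' or 'UNKNOWN' for one IDE version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "UNKNOWN"
    year, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0  # "2024.1" is patch level 0
    eap = m.group(4)
    branch = (year, minor)
    if eap is not None:
        # EAP builds: only the 2024.2 EAP line is listed; fixed from EAP3 onward.
        # An EAP string without a number cannot be placed, so report UNKNOWN.
        if branch != FIXED_EAP[0] or eap == "":
            return "UNKNOWN"
        return "FIXED" if int(eap) >= FIXED_EAP[1] else "VULNERABLE"
    if branch in FIXED_PATCH:
        return "FIXED" if patch >= FIXED_PATCH[branch] else "VULNERABLE"
    if branch >= FIXED_EAP[0]:
        return "FIXED"  # the 2024.2 release and later branches ship the fix
    return "UNKNOWN"  # older branches are not listed in the advisory; verify manually


def exposure(version: str, github_plugin_enabled: bool) -> str:
    """Combine the version check with the advisory's precondition: only IDEs with
    the JetBrains GitHub plugin enabled and configured are exposed."""
    if not github_plugin_enabled:
        return "NOT_EXPOSED"
    return classify(version)
```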

For more information, please refer to the JetBrains Security Advisory.

Qualys Detection

Qualys customers can scan their devices with QID 379933 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://www.jetbrains.com/privacy-security/issues-fixed/
https://blog.jetbrains.com/security/2024/06/updates-for-security-issue-affecting-intellij-based-ides-2023-1-and-github-plugin/
