Cybercriminals Hijack GitHub Tokens via IntelliJ IDEA, CVE-2024-37051

JetBrains is urging users to update their IntelliJ IDEA integrated development environments in order to address a critical vulnerability that can expose GitHub access tokens.

The vulnerability CVE-2024-37051 affects all IntelliJ-based IDEs starting from version 2023.1, provided the JetBrains GitHub plugin is installed and in use. On May 29, 2024, an external report disclosed a potential threat in the way the IDE handles pull requests.

Ilya Pleskunin, head of the JetBrains security team, stated: “Malicious content in a GitHub project, processed by an IntelliJ-based IDE, can lead to the leakage of access to a third-party host.”

JetBrains has released security updates for all IDE versions from 2023.1 onwards. The JetBrains GitHub plugin has also been updated, and its vulnerable versions have been removed from the official plugin store.

The list of fixed versions of IntelliJ-based IDEs includes:

  • Aqua: 2024.1.2;
  • CLion: 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2;
  • DataGrip: 2024.1.4;
  • DataSpell: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2;
  • GoLand: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3;
  • IntelliJ IDEA: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3;
  • MPS: 2023.2.1, 2023.3.1, 2024.1 EAP2;
  • PhpStorm:

Sources: reports, release notes, official announcements.