
CRITICAL VULNERABILITY IN JETBRAINS INTELLIJ-BASED IDE & JETBRAINS GITHUB PLUGIN

Reference: Advisory #2024-85
Version: 2.0
Affected software: JetBrains IntelliJ-based IDEs 2023.1+ (full list in description); JetBrains GitHub Plugin
Type: Insufficiently Protected Credentials
CVE/CVSS: CVE-2024-37051, CVSS 9.3 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

Sources

Risks

GitHub access tokens could be exposed to third-party sites in JetBrains IDEs, which could lead to unauthorised access to code repositories and therefore poses a supply-chain risk.

Update 13/06/2024: A proof of concept is available. The Centre for Cybersecurity Belgium assesses exploitation is likely to take place in the future.

The Centre for Cybersecurity Belgium (CCB) recommends that system administrators patch vulnerable systems as soon as possible and follow the additional measures recommended by the vendor. Analyse system and network logs for any suspicious activity. This report has instructions to help your organisation.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

Description

GitHub access tokens could be exposed to third-party sites in JetBrains IDEs.

The issue affects all IntelliJ-based IDEs from 2023.1 onwards that have the JetBrains GitHub plugin enabled and configured/in use. The issue is now resolved, and a fix has been provided for all IDEs based on the IntelliJ Platform from version 2023.1 onwards:

  • Aqua: 2024.1.2
  • CLion: 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2
  • DataGrip: 2024.1.4
  • DataSpell: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2
  • GoLand: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • IntelliJ IDEA: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • MPS: 2023.2.1, 2023.3.1, 2024.1 EAP2
  • PhpStorm: 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • PyCharm: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2
  • Rider: 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3
  • RubyMine: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4
  • RustRover: 2024.1.1
  • WebStorm: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4

Recommended Actions

Patch

The CCB strongly recommends installing updates for vulnerable software with the highest priority, after thorough testing.

The CCB also strongly recommends following the additional mitigation recommended by the vendor, namely revoking the access tokens used by the vulnerable GitHub plugin.

The latest version of the involved product can be found on their website:
 

Monitor/Detect

The CCB recommends organisations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.