{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-057.pdf"
    },
    "title": "Vulnerabilities in JetBrains Products",
    "serial_number": "2024-057",
    "publish_date": "12-06-2024 14:09:19",
    "description": "On June 10, JetBrains released a fix for a vulnerability affecting IntelliJ-based IDEs 2023.1+ and JetBrains GitHub Plugin. This vulnerability could lead to disclosure of access tokens to third-party sites.<br>\n",
    "url_title": "2024-057",
    "content_markdown": "---\ntitle: 'Vulnerabilities in JetBrains Products'\nnumber: '2024-057'\nversion: '1.0'\noriginal_date: 'June 10, 2024'\ndate: 'June 12, 2024'\n---\n\n_History:_\n\n* _12/06/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn June 10, JetBrains released a fix for a vulnerability affecting IntelliJ-based IDEs 2023.1+ and JetBrains GitHub Plugin. This vulnerability could lead to disclosure of access tokens to third-party sites [1].\n\n# Technical Details\n\nThe vulnerability, identified as **CVE-2024-37051** with a CVSS score of 9.3 [2], affects the handling of GitHub pull requests in IntelliJ-based IDEs. Specifically, malicious content included in a pull request to a GitHub project, when handled by IntelliJ-based IDEs, could lead to exposure of access tokens to a third-party host.\n\n# Affected Products\n\nThe fixed versions are listed below. All earlier versions in each release line are considered vulnerable [1].\n\n- Aqua: 2024.1.2\n- CLion: 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2\n- DataGrip: 2024.1.4\n- DataSpell: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2\n- GoLand: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3\n- IntelliJ IDEA: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3\n- MPS: 2023.2.1, 2023.3.1, 2024.1 EAP2\n- PhpStorm: 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3\n- PyCharm: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2\n- Rider: 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3\n- RubyMine: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4\n- RustRover: 2024.1.1\n- WebStorm: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4\n\n# Recommendations and Mitigation\n\nIt is recommended to apply updates as soon as possible on affected products. Additionally, it is advised to revoke any GitHub tokens being used by JetBrains GitHub Plugin. The plugin can use either OAuth integration or a Personal Access Token (PAT). Follow the steps below to revoke access [1]:\n\n- **OAuth Integration Settings**: Go to Applications [3] \u2192 Authorized OAuth Apps and revoke access for the **JetBrains IDE Integration** application.\n\n- **Personal Access Token Settings**: Go to the Tokens [4] page and delete the token issued for the plugin. The default token name is **IntelliJ IDEA GitHub integration plugin**.\n\n# References\n\n[1] <https://blog.jetbrains.com/security/2024/06/updates-for-security-issue-affecting-intellij-based-ides-2023-1-and-github-plugin/>\n\n[2] <https://nvd.nist.gov/vuln/detail/CVE-2024-37051>\n\n[3] <https://github.com/settings/applications>\n\n[4] <https://github.com/settings/tokens>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>12/06/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On June 10, JetBrains released a fix for a vulnerability affecting IntelliJ-based IDEs 2023.1+ and JetBrains GitHub Plugin. This vulnerability could lead to disclosure of access tokens to third-party sites [1].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability, identified as <strong>CVE-2024-37051</strong> with a CVSS score of 9.3 [2], affects the handling of GitHub pull requests in IntelliJ-based IDEs. Specifically, malicious content included in a pull request to a GitHub project, when handled by IntelliJ-based IDEs, could lead to exposure of access tokens to a third-party host.</p><h2 id=\"affected-products\">Affected Products</h2><p>The fixed versions are listed below. All earlier versions in each release line are considered vulnerable [1].</p><ul><li>Aqua: 2024.1.2</li><li>CLion: 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2</li><li>DataGrip: 2024.1.4</li><li>DataSpell: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2</li><li>GoLand: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3</li><li>IntelliJ IDEA: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3</li><li>MPS: 2023.2.1, 2023.3.1, 2024.1 EAP2</li><li>PhpStorm: 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3</li><li>PyCharm: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2</li><li>Rider: 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3</li><li>RubyMine: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4</li><li>RustRover: 2024.1.1</li><li>WebStorm: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4</li></ul><h2 id=\"recommendations-and-mitigation\">Recommendations and Mitigation</h2><p>It is recommended to apply updates as soon as possible on affected products. Additionally, it is advised to revoke any GitHub tokens being used by JetBrains GitHub Plugin. The plugin can use either OAuth integration or a Personal Access Token (PAT). Follow the steps below to revoke access [1]:</p><ul><li><p><strong>OAuth Integration Settings</strong>: Go to Applications [3] \u2192 Authorized OAuth Apps and revoke access for the <strong>JetBrains IDE Integration</strong> application.</p></li><li><p><strong>Personal Access Token Settings</strong>: Go to the Tokens [4] page and delete the token issued for the plugin. The default token name is <strong>IntelliJ IDEA GitHub integration plugin</strong>.</p></li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://blog.jetbrains.com/security/2024/06/updates-for-security-issue-affecting-intellij-based-ides-2023-1-and-github-plugin/\">https://blog.jetbrains.com/security/2024/06/updates-for-security-issue-affecting-intellij-based-ides-2023-1-and-github-plugin/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2024-37051\">https://nvd.nist.gov/vuln/detail/CVE-2024-37051</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/settings/applications\">https://github.com/settings/applications</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/settings/tokens\">https://github.com/settings/tokens</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}