Updates for security issue affecting IntelliJ-based IDEs 2023.1+ and JetBrains GitHub Plugin


A new security issue was discovered that affects the JetBrains GitHub plugin on the IntelliJ Platform and could lead to the disclosure of access tokens to third-party sites. The issue affects all IntelliJ-based IDEs from 2023.1 onwards that have the JetBrains GitHub plugin enabled, configured and in use.

The issue is now resolved and a fix has been provided for all IDEs based on the IntelliJ Platform from version 2023.1 onwards.

Fixed Versions Available

  • Aqua: 2024.1.2
  • CLion: 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2
  • DataGrip: 2024.1.4
  • DataSpell: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2
  • GoLand: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • IntelliJ IDEA: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • MPS: 2023.2.1, 2023.3.1, 2024.1 EAP2
  • PhpStorm: 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3
  • PyCharm: 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2
  • Rider: 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3
  • RubyMine: 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4
  • RustRover: 2024.1.1
  • WebStorm: 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4

The JetBrains GitHub plugin has also been updated with the fix, and previously affected versions have been removed from JetBrains Marketplace.

If you have not updated to the latest version, we strongly urge you to do so.
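For anyone checking installed IDEs against the list above, here is an added example (not JetBrains' code) that classifies an installed build as fixed or vulnerable for its release branch. The product names and version strings are taken from the list; the ordering of EAP builds before the release, and the "no fixed build listed" result for branches the list does not name, are assumptions of this example.

```python
import re

# Fixed builds as published in this advisory, keyed by product name.
# "<year>.<major>.<patch>" is a release build; "<year>.<major> EAP<n>" is an
# early-access build, which (assumption) precedes the release of that branch.
FIXED_VERSIONS = {
    "Aqua": ["2024.1.2"],
    "CLion": ["2023.1.7", "2023.2.4", "2023.3.5", "2024.1.3", "2024.2 EAP2"],
    "DataGrip": ["2024.1.4"],
    "DataSpell": ["2023.1.6", "2023.2.7", "2023.3.6", "2024.1.2"],
    "GoLand": ["2023.1.6", "2023.2.7", "2023.3.7", "2024.1.3", "2024.2 EAP3"],
    "IntelliJ IDEA": ["2023.1.7", "2023.2.7", "2023.3.7", "2024.1.3", "2024.2 EAP3"],
    "MPS": ["2023.2.1", "2023.3.1", "2024.1 EAP2"],
    "PhpStorm": ["2023.1.6", "2023.2.6", "2023.3.7", "2024.1.3", "2024.2 EAP3"],
    "PyCharm": ["2023.1.6", "2023.2.7", "2023.3.6", "2024.1.3", "2024.2 EAP2"],
    "Rider": ["2023.1.7", "2023.2.5", "2023.3.6", "2024.1.3"],
    "RubyMine": ["2023.1.7", "2023.2.7", "2023.3.7", "2024.1.3", "2024.2 EAP4"],
    "RustRover": ["2024.1.1"],
    "WebStorm": ["2023.1.6", "2023.2.7", "2023.3.7", "2024.1.4"],
}

_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*EAP\s*(\d+))?$", re.I)


def parse_version(text):
    """Return (year, major, patch, eap); a release build has eap=None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IDE version: {text!r}")
    year, major, patch, eap = m.groups()
    return int(year), int(major), int(patch or 0), (int(eap) if eap else None)


def _order_key(v):
    """Sort key: within a branch, EAP builds precede the release, and the
    release precedes its patch releases (2024.2 EAP3 < 2024.2 < 2024.2.1)."""
    year, major, patch, eap = v
    return (year, major, patch, 1 if eap is None else 0, eap or 0)


def patch_status(product, installed):
    """Classify an installed build against the advisory's fixed-version list."""
    inst = parse_version(installed)
    if inst[:2] < (2023, 1):  # the advisory scopes the issue to 2023.1 onwards
        return "outside advisory range (before 2023.1)"
    for fixed in map(parse_version, FIXED_VERSIONS.get(product, [])):
        if fixed[:2] == inst[:2]:  # same year.major release branch
            return "fixed" if _order_key(inst) >= _order_key(fixed) else "vulnerable"
    return "no fixed build listed for this branch"
```

Example: `patch_status("IntelliJ IDEA", "2024.1.2")` returns `"vulnerable"`, while `"2024.1.3"` and the later `"2024.2"` release return `"fixed"`.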

The Details

On 29 May 2024, we received an external security report describing a possible vulnerability affecting pull requests within the IDE. Specifically, malicious content in a pull request to a GitHub project, when handled by an IntelliJ-based IDE, would expose access tokens to a third-party host. The CVE ID assigned to this vulnerability is CVE-2024-37051.

In addition to assessing the issue and starting work on a resolution, we also immediately contacted GitHub to assist us with mitigation. Please note that due to these mitigation measures, the JetBrains GitHub plugin in older versions of JetBrains IDEs may no longer work as expected.

What is required of you

First and foremost, we strongly recommend updating to the latest version available for your IDE.

Furthermore, if you have actively used GitHub pull request functionality in the IDE, we strongly advise that you revoke any GitHub tokens being used by the plugin. Given that the plugin can use OAuth integration or Personal Access Token (PAT), please check both and revoke as necessary:

  1. OAuth Integration Settings: go to Applications → Authorized OAuth Apps and revoke access for the JetBrains IDE Integration application.
  2. Personal Access Token Settings: go to the Tokens page and delete the token issued for the plugin. The default token name is IntelliJ IDEA GitHub integration plugin, but you may be using custom names as well.

Please note that after the token has been revoked, you will need to set up the plugin again, since all plugin features (including Git operations) will stop working.

We sincerely apologize for any inconvenience this may cause you.

Thank you!
