CVE-2024-37051

Summary

GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4

Affected Software

VendorProductVersion RangeStatus
JetBrainsIntelliJ IDEA2023.1 < 2023.1.7affected
JetBrainsIntelliJ IDEA2023.1 < 2023.2.7affected
JetBrainsIntelliJ IDEA2023.1 < 2023.3.7affected
JetBrainsIntelliJ IDEA2023.1 < 2024.1.3affected
JetBrainsIntelliJ IDEA2023.1 < 2024.2 EAP3affected
JetBrainsAqua0 < 2024.1.2affected
JetBrainsCLion2023.1 < 2023.1.7affected
JetBrainsCLion2023.1 < 2023.2.4affected
JetBrainsCLion2023.1 < 2023.3.5affected
JetBrainsCLion2023.1 < 2024.1.3affected
JetBrainsCLion2023.1 < 2024.2 EAP2affected
JetBrainsDataGrip2023.1 < 2023.1.3affected
JetBrainsDataGrip2023.1 < 2023.2.4affected
JetBrainsDataGrip2023.1 < 2023.3.5affected
JetBrainsDataGrip2023.1 < 2024.1.4affected
JetBrainsDataSpell2023.1 < 2023.1.6affected
JetBrainsDataSpell2023.1 < 2023.2.7affected
JetBrainsDataSpell2023.1 < 2023.3.6affected
JetBrainsDataSpell2023.1 < 2024.1.2affected
JetBrainsDataSpell2023.1 < 2024.2 EAP1affected
JetBrainsGoLand2023.1 < 2023.1.6affected
JetBrainsGoLand2023.1 < 2023.2.7affected
JetBrainsGoLand2023.1 < 2023.3.7affected
JetBrainsGoLand2023.1 < 2024.1.3affected
JetBrainsGoLand2023.1 < 2024.2 EAP3affected
JetBrainsMPS2023.1 < 2023.2.1affected
JetBrainsMPS2023.1 < 2023.3.1affected
JetBrainsMPS2023.1 < 2024.1 EAP2affected
JetBrainsPhpStorm2023.1 < 2023.1.6affected
JetBrainsPhpStorm2023.1 < 2023.2.6affected
JetBrainsPhpStorm2023.1 < 2023.3.7affected
JetBrainsPhpStorm2023.1 < 2024.1.3affected
JetBrainsPhpStorm2023.1 < 2024.2 EAP3affected
JetBrainsPyCharm2023.1 < 2023.1.6affected
JetBrainsPyCharm2023.1 < 2023.2.7affected
JetBrainsPyCharm2023.1 < 2023.3.6affected
JetBrainsPyCharm2023.1 < 2024.1.3affected
JetBrainsPyCharm2023.1 < 2024.2 EAP2affected
JetBrainsRider2023.1 < 2023.1.7affected
JetBrainsRider2023.1 < 2023.2.5affected
JetBrainsRider2023.1 < 2023.3.6affected
JetBrainsRider2023.1 < 2024.1.3affected
JetBrainsRubyMine2023.1 < 2023.1.7affected
JetBrainsRubyMine2023.1 < 2023.2.7affected
JetBrainsRubyMine2023.1 < 2023.3.7affected
JetBrainsRubyMine2023.1 < 2024.1.3affected
JetBrainsRubyMine2023.1 < 2024.2 EAP4affected
JetBrainsRustRover0 < 2024.1.1affected
JetBrainsWebStorm2023.1 < 2023.1.6affected
JetBrainsWebStorm2023.1 < 2023.2.7affected
JetBrainsWebStorm2023.1 < 2023.3.7affected
JetBrainsWebStorm2023.1 < 2024.1.4affected

Weaknesses

  • CWE-522: CWE-522: Insufficiently Protected Credentials

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References