CVE-2024-37051
Published: 10 June 2024
Summary
CVE-2024-37051 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in JetBrains CLion. Its CVSS base score is 9.3 (Critical).
Operationally, it ranks in the top 8.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-37051 is a credential-exposure vulnerability affecting multiple JetBrains IDEs released after version 2023.1 and prior to the listed patched releases, including IntelliJ IDEA, PyCharm, WebStorm, CLion, PhpStorm, GoLand, Rider, RubyMine, DataGrip, DataSpell, MPS, Aqua, and RustRover. The flaw permits a GitHub access token to be sent to third-party sites, corresponding to CWE-522 (Insufficiently Protected Credentials) and carrying a CVSS 3.1 score of 9.3.
An unauthenticated remote attacker can trigger the issue with low attack complexity, requiring only user interaction; successful exploitation changes scope and has high impact on both confidentiality and integrity, since the attacker obtains the exposed token and can use it with the victim's GitHub permissions.
JetBrains has addressed the issue in the specific versions enumerated in the advisory (for example, IntelliJ IDEA 2023.1.7/2023.2.7/2023.3.7/2024.1.3 and equivalent builds for other products); NetApp and JetBrains advisories direct users to apply these updates. The associated EPSS score has remained flat at 0.0632 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36408
Vulnerability details
GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4
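The advisory's affected range reads "after 2023.1 and less than" a per-product list of fixed builds, so the practical question for a defender is whether a given installed build is older than the fix for its own release branch. The following is an added example (not JetBrains' or NVD's code) that encodes the list above and answers that question; it assumes the usual reading of JetBrains advisories, where each fixed build applies to its `year.major` branch and EAP builds precede every final build of that branch, and it reports `None` for branches the advisory does not list rather than calling them safe.

```python
import re

# Fixed builds from the advisory, keyed by product. A build is vulnerable when it
# sits in one of these release branches (year.major) and is older than the fix.
FIXED_VERSIONS = {
    "IntelliJ IDEA": ["2023.1.7", "2023.2.7", "2023.3.7", "2024.1.3", "2024.2 EAP3"],
    "Aqua": ["2024.1.2"],
    "CLion": ["2023.1.7", "2023.2.4", "2023.3.5", "2024.1.3", "2024.2 EAP2"],
    "DataGrip": ["2023.1.3", "2023.2.4", "2023.3.5", "2024.1.4"],
    "DataSpell": ["2023.1.6", "2023.2.7", "2023.3.6", "2024.1.2", "2024.2 EAP1"],
    "GoLand": ["2023.1.6", "2023.2.7", "2023.3.7", "2024.1.3", "2024.2 EAP3"],
    "MPS": ["2023.2.1", "2023.3.1", "2024.1 EAP2"],
    "PhpStorm": ["2023.1.6", "2023.2.6", "2023.3.7", "2024.1.3", "2024.2 EAP3"],
    "PyCharm": ["2023.1.6", "2023.2.7", "2023.3.6", "2024.1.3", "2024.2 EAP2"],
    "Rider": ["2023.1.7", "2023.2.5", "2023.3.6", "2024.1.3"],
    "RubyMine": ["2023.1.7", "2023.2.7", "2023.3.7", "2024.1.3", "2024.2 EAP4"],
    "RustRover": ["2024.1.1"],
    "WebStorm": ["2023.1.6", "2023.2.7", "2023.3.7", "2024.1.4"],
}

# Accepts '2023.2.4', '2024.1' and '2024.2 EAP3' (case-insensitive, optional space).
_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*EAP\s*(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return (branch, sort_key). EAP builds get patch -1 so they order before
    every final build of the same branch; the EAP number breaks ties (assumption)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised JetBrains version string: {text!r}")
    year, major, patch, eap = m.groups()
    branch = (int(year), int(major))
    if eap is not None:
        return branch, branch + (-1, int(eap))
    return branch, branch + (int(patch or 0), 0)


def is_vulnerable(product, installed):
    """True/False when the advisory lists the installed branch; None when it does
    not (branches before 2023.1 or newer than the advisory), so callers can flag
    'not assessed' instead of silently treating the build as safe."""
    branch, key = parse_version(installed)
    for fixed in FIXED_VERSIONS.get(product, []):
        fixed_branch, fixed_key = parse_version(fixed)
        if fixed_branch == branch:
            return key < fixed_key
    return None
```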
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Security awareness training instructs users on protecting credentials from disclosure or unauthorized access.
- Training records for security awareness and role-based training verify that users have been educated on credential protection practices, reducing the risk of credentials being mishandled or exposed.
- Protecting authenticator content from unauthorized disclosure and modification, and requiring protective controls around it, addresses insufficiently protected credentials.
- Rules of behavior that include credential protection and non-sharing requirements reduce the exposure of insufficiently protected credentials.
- Terminating or revoking credentials stops further use of insufficiently protected or lingering credentials after termination; for this CVE, that means revoking a GitHub token that may have been sent to a third-party site.
- Requiring confidentiality and integrity protection for stored credentials directly mitigates insufficiently protected credentials on disk or in configuration stores.
- Credentials or keys delivered out-of-band are not exposed to interception or inadequate protection on the main transport.