Cyber Resilience

CVE-2024-37051

Severity: Critical
Published: 10 June 2024
Modified: 21 November 2024
KEV added: not listed
Patch: available
CVSS v3.1 score: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS score: 0.0632 (91.2nd percentile)
Risk priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-37051 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in JetBrains CLion. Its CVSS base score is 9.3 (Critical).

Operationally, its EPSS score ranks it in the top 8.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-37051 is a credential-exposure vulnerability affecting multiple JetBrains IDEs released after version 2023.1 and prior to the listed patched releases, including IntelliJ IDEA, PyCharm, WebStorm, CLion, PhpStorm, GoLand, Rider, RubyMine, DataGrip, DataSpell, MPS, Aqua, and RustRover. The flaw permits a GitHub access token to be sent to third-party sites, corresponding to CWE-522 (Insufficiently Protected Credentials) and carrying a CVSS 3.1 score of 9.3.

An unauthenticated remote attacker can trigger the issue with low attack complexity; no privileges are required, but user interaction is. Successful exploitation changes scope and has high impact on both confidentiality and integrity, since the attacker obtains the exposed token and can misuse it.

JetBrains has addressed the issue in the specific versions enumerated in the advisory (for example, IntelliJ IDEA 2023.1.7/2023.2.7/2023.3.7/2024.1.3 and equivalent builds for other products); NetApp and JetBrains advisories direct users to apply these updates. The associated EPSS score has remained flat at 0.0632 with no material increase observed after disclosure.

Vulnerability details

GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and earlier than the following fixed releases:

IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
Aqua 2024.1.2
CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2
DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4
DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1
GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3
MPS 2023.2.1, 2023.3.1, 2024.1 EAP2
PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3
PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2
Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3
RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4
RustRover 2024.1.1
WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4
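As a defender-side check, the script below is an added example (not taken from this page's source, from NVD, or from JetBrains) that encodes the fixed versions listed above and flags installed IDE builds that fall below the fix for their release line. It assumes a tab-separated inventory of host, product and version (a constructed sample is embedded) and models only GA release lines: EAP builds, and lines such as 2024.2 for which only EAP fixes are listed, are reported as undecidable rather than guessed.

```python
"""Version triage for CVE-2024-37051 (GitHub token exposure in JetBrains IDEs).

Fixed ("less than") versions are copied from the advisory text on this page.
Assumption: only GA release lines are compared; EAP builds are not modelled.
"""
from __future__ import annotations

# First fixed version per product and release line, from the advisory text.
# A build is affected when its release line is 2023.1 or later and it is
# lower than the first fixed version listed for that line.
FIXED_VERSIONS: dict[str, tuple[str, ...]] = {
    "IntelliJ IDEA": ("2023.1.7", "2023.2.7", "2023.3.7", "2024.1.3"),
    "Aqua": ("2024.1.2",),
    "CLion": ("2023.1.7", "2023.2.4", "2023.3.5", "2024.1.3"),
    "DataGrip": ("2023.1.3", "2023.2.4", "2023.3.5", "2024.1.4"),
    "DataSpell": ("2023.1.6", "2023.2.7", "2023.3.6", "2024.1.2"),
    "GoLand": ("2023.1.6", "2023.2.7", "2023.3.7", "2024.1.3"),
    "MPS": ("2023.2.1", "2023.3.1"),
    "PhpStorm": ("2023.1.6", "2023.2.6", "2023.3.7", "2024.1.3"),
    "PyCharm": ("2023.1.6", "2023.2.7", "2023.3.6", "2024.1.3"),
    "Rider": ("2023.1.7", "2023.2.5", "2023.3.6", "2024.1.3"),
    "RubyMine": ("2023.1.7", "2023.2.7", "2023.3.7", "2024.1.3"),
    "RustRover": ("2024.1.1",),
    "WebStorm": ("2023.1.6", "2023.2.7", "2023.3.7", "2024.1.4"),
}

FIRST_AFFECTED_LINE = (2023, 1)  # "after version 2023.1" in the advisory


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '2023.2' or '2023.2.5' into a comparable (year, minor, patch) tuple.

    Anything that is not a dotted numeric version (e.g. '2024.2 EAP3') is
    rejected, because EAP builds are not in the GA table above.
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    year, minor = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) == 3 else 0
    return year, minor, patch


def is_affected(product: str, version: str) -> bool | None:
    """Return True/False for a known release line, None when it cannot be judged.

    None covers products missing from the table and release lines with no GA
    fix listed (e.g. 2024.2, where only EAP fixes appear on the page).
    """
    fixes = FIXED_VERSIONS.get(product)
    if fixes is None:
        return None
    v = parse_version(version)
    if v[:2] < FIRST_AFFECTED_LINE:
        return False  # release lines before 2023.1 are out of scope
    for fix in fixes:
        f = parse_version(fix)
        if f[:2] == v[:2]:
            return v < f
    return None


def triage_inventory(lines: list[str]) -> list[tuple[str, str, str]]:
    """Scan 'host<TAB>product<TAB>version' records and return the affected ones.

    Lines whose version cannot be parsed (EAP builds, typos) are skipped here
    and should be reviewed by hand.
    """
    hits = []
    for line in lines:
        host, product, version = line.split("\t")
        try:
            if is_affected(product, version):
                hits.append((host, product, version))
        except ValueError:
            continue  # EAP or malformed version string: manual review
    return hits


# Constructed sample inventory (hypothetical hosts) for demonstration.
SAMPLE_INVENTORY = [
    "dev-01\tIntelliJ IDEA\t2023.3.6",
    "dev-02\tIntelliJ IDEA\t2023.3.7",
    "dev-03\tCLion\t2022.3.3",
    "dev-04\tPyCharm\t2024.1.2",
    "dev-05\tWebStorm\t2024.2 EAP3",
]

if __name__ == "__main__":
    for host, product, version in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fix for CVE-2024-37051")
```

Because the weakness is credential exposure rather than code execution, updating the IDE closes the exposure path but does not undo an exposure that may already have occurred; the revocation control listed under Mitigating Controls applies to any GitHub token that was configured in a build this check flags.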

CWE(s)

CWE-522: Insufficiently Protected Credentials

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

jetbrains aqua: ≤ 2024.1.2
jetbrains clion: ≤ 2023.1.7; 2023.2.0 to 2023.2.4; 2023.3.0 to 2023.3.5
jetbrains datagrip: 2023.1.0 to 2023.1.3; 2023.2.0 to 2023.2.4; 2023.3.0 to 2023.3.5
jetbrains dataspell: ≤ 2023.1.6; 2023.2.0 to 2023.2.7; 2023.3.0 to 2023.3.6
jetbrains goland: ≤ 2023.1.6; 2023.2.0 to 2023.2.7; 2023.3.0 to 2023.3.7
jetbrains intellij idea: ≤ 2023.1.7; 2023.2.0 to 2023.2.7; 2023.3.0 to 2023.3.7
jetbrains mps: ≤ 2023.2.1; 2023.3.0
jetbrains phpstorm: ≤ 2023.1.6; 2023.2.0 to 2023.2.6; 2023.3.0 to 2023.3.7
jetbrains pycharm: ≤ 2023.1.6; 2023.2.0 to 2023.2.7; 2023.3.0 to 2023.3.6
jetbrains rider: ≤ 2023.1.7; 2023.2.0 to 2023.2.5; 2023.3.0 to 2023.3.6
+3 more product configuration(s); see NVD for the full list

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Each control addresses CWE-522.

Training instructs users on protecting credentials from disclosure or unauthorized access.

Training records for security awareness and role-based training verify education on credential protection practices, tangibly reducing risks from mishandling or exposing credentials.

Protecting authenticator content from unauthorized disclosure and modification, and requiring protective controls for it, addresses insufficiently protected credentials.

Rules of behavior include credential protection and non-sharing requirements, reducing exposure of insufficiently protected credentials.

Terminating or revoking credentials stops use of insufficiently protected or lingering credentials after termination.

Requiring confidentiality and integrity protection for stored credentials directly mitigates insufficiently protected credentials on disk or in configuration stores.

Credentials or keys delivered out-of-band are not exposed to interception or inadequate protection on the main transport.
