CVE-2024-37051

CRITICAL

JetBrains IDEs - GitHub Access Token Exposure

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-37051. PoCs published by LeadroyaL, mrblackstar26.

AI-analyzed exploit summary The repository lacks actual exploit code and instead points to external resources (PR #1 and a Chinese vulnerability analysis link). No technical details or PoC code are provided in the README.

Description

GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4

Exploits (2)

nomisec SUSPICIOUS 29 stars

by LeadroyaL · poc

https://github.com/LeadroyaL/CVE-2024-37051-EXP

View Code ZIP pw:eip

The repository lacks actual exploit code and instead points to external resources (PR #1 and a Chinese vulnerability analysis link). No technical details or PoC code are provided in the README.

Classification

Suspicious 90%

Attack Type

Other

Complexity

Theoretical

Reliability

Theoretical

Target: unknown

No auth needed

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WRITEUP

by mrblackstar26 · poc

https://github.com/mrblackstar26/CVE-2024-37051

View Code ZIP pw:eip

The repository provides a technical analysis of CVE-2024-37051, detailing how malicious pull requests in JetBrains' IntelliJ-based IDEs can expose GitHub access tokens. It includes mitigation steps and references an external analysis for further details.

Classification

Writeup 90%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Theoretical

Target: JetBrains IntelliJ-based IDEs (GitHub plugin)

No auth needed

Prerequisites: User interaction to load a malicious pull request

MITRE ATT&CK

T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory

https://www.jetbrains.com/privacy-security/issues-fixed/

Vendor Advisory

https://security.netapp.com/advisory/ntap-20240705-0004/

Scores

CVSS v3 9.3

EPSS 0.0384

EPSS Percentile 88.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-522

Status published

Products (14)

jetbrains/aqua < 2024.1.2

jetbrains/clion < 2023.1.7

jetbrains/datagrip 2023.1.0 - 2023.1.3

jetbrains/dataspell < 2023.1.6

jetbrains/goland < 2023.1.6

jetbrains/intellij_idea < 2023.1.7

jetbrains/mps 2023.3.0

jetbrains/mps < 2023.2.1

jetbrains/phpstorm < 2023.1.6

jetbrains/pycharm < 2023.1.6

... and 4 more

Published Jun 10, 2024

Tracked Since Feb 18, 2026