CVE-2024-37051

CRITICAL

Jetbrains Aqua < 2024.1.2 - Insufficiently Protected Credentials

Title source: rule

Description

GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4

Exploits (2)

nomisec SUSPICIOUS 29 stars

by LeadroyaL · poc

https://github.com/LeadroyaL/CVE-2024-37051-EXP

View Code ZIP pw:eip

nomisec WRITEUP

by mrblackstar26 · poc

https://github.com/mrblackstar26/CVE-2024-37051

View Code ZIP pw:eip

References (2)

[Vendor Advisory] https://www.jetbrains.com/privacy-security/issues-fixed/

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20240705-0004/

Scores

CVSS v3 9.3

EPSS 0.0632

EPSS Percentile 91.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-522

Status published

Products (14)

jetbrains/aqua < 2024.1.2

jetbrains/clion < 2023.1.7

jetbrains/datagrip 2023.1.0 - 2023.1.3

jetbrains/dataspell < 2023.1.6

jetbrains/goland < 2023.1.6

jetbrains/intellij_idea < 2023.1.7

jetbrains/mps 2023.3.0

jetbrains/mps < 2023.2.1

jetbrains/phpstorm < 2023.1.6

jetbrains/pycharm < 2023.1.6

... and 4 more

Published Jun 10, 2024

Tracked Since Feb 18, 2026