9.3
CRITICAL
CVE-2024-37051
JetBrains IDEA Series Exposed GitHub Access Token Vulnerability
Description

GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4

INFO

Published Date :

June 10, 2024, 4:15 p.m.

Last Modified :

Nov. 21, 2024, 9:23 a.m.

Remotely Exploitable :

Yes !

Impact Score :

5.8

Exploitability Score :

2.8
Public PoC/Exploit Available at Github

CVE-2024-37051 has a 2 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2024-37051 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Jetbrains intellij_idea
2 Jetbrains mps
3 Jetbrains goland
4 Jetbrains rubymine
5 Jetbrains phpstorm
6 Jetbrains pycharm
7 Jetbrains webstorm
8 Jetbrains rider
9 Jetbrains clion
10 Jetbrains aqua
11 Jetbrains datagrip
12 Jetbrains dataspell
13 Jetbrains rustrover
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-37051.

URL Resource
https://security.netapp.com/advisory/ntap-20240705-0004/
https://www.jetbrains.com/privacy-security/issues-fixed/ Vendor Advisory
https://security.netapp.com/advisory/ntap-20240705-0004/
https://www.jetbrains.com/privacy-security/issues-fixed/ Vendor Advisory

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Users of JetBrains IDEs at risk of GitHub access token compromise (CVE-2024-37051)

Updated: 10 months, 2 weeks ago
0 stars 0 fork 0 watcher
Born at : June 13, 2024, 9:15 a.m. This repo has been linked 1 different CVEs too.

CVE-2024-37051 poc and exploit

exploit payload cve-2024-37051

Updated: 5 months ago
30 stars 5 fork 5 watcher
Born at : June 11, 2024, 4:01 p.m. This repo has been linked 1 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-37051 vulnerability anywhere in the article.

  • Cybersecurity News
CVE-2025-22152 (CVSS 9.4): Severe Vulnerabilities Found in Atheos Web-Based IDE

A security advisory from the Atheos project has disclosed a critical vulnerability (CVE-2025-22152) that could compromise servers running the web-based IDE framework. With a CVSSv4 score of 9.4, this ... Read more

Published Date: Jan 13, 2025 (3 months, 2 weeks ago)

The following table lists the changes that have been made to the CVE-2024-37051 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference https://security.netapp.com/advisory/ntap-20240705-0004/
    Added Reference https://www.jetbrains.com/privacy-security/issues-fixed/
  • CVE Modified by [email protected]

    Jul. 05, 2024

    Action Type Old Value New Value
    Added Reference JetBrains s.r.o. https://security.netapp.com/advisory/ntap-20240705-0004/ [No types assigned]
  • CVE Modified by [email protected]

    Jun. 18, 2024

    Action Type Old Value New Value
  • Initial Analysis by [email protected]

    Jun. 12, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    Changed Reference Type https://www.jetbrains.com/privacy-security/issues-fixed/ No Types Assigned https://www.jetbrains.com/privacy-security/issues-fixed/ Vendor Advisory
    Added CWE NIST CWE-522
    Added CPE Configuration OR *cpe:2.3:a:jetbrains:aqua:*:*:*:*:*:*:*:* versions up to (excluding) 2024.1.2 *cpe:2.3:a:jetbrains:clion:*:*:*:*:*:*:*:* versions up to (excluding) 2023.1.7 *cpe:2.3:a:jetbrains:clion:*:*:*:*:*:*:*:* versions from (including) 2023.2.0 up to (excluding) 2023.2.4 *cpe:2.3:a:jetbrains:clion:*:*:*:*:*:*:*:* versions from (including) 2023.3.0 up to (excluding) 2023.3.5 *cpe:2.3:a:jetbrains:clion:*:*:*:*:*:*:*:* versions from (including) 2024.1.0 up to (excluding) 2024.1.3 *cpe:2.3:a:jetbrains:datagrip:*:*:*:*:*:*:*:* versions from (including) 2023.1.0 up to (excluding) 2023.1.3 *cpe:2.3:a:jetbrains:datagrip:*:*:*:*:*:*:*:* versions from (including) 2023.2.0 up to (excluding) 2023.2.4 *cpe:2.3:a:jetbrains:datagrip:*:*:*:*:*:*:*:* versions from (including) 2023.3.0 up to (excluding) 2023.3.5 *cpe:2.3:a:jetbrains:datagrip:*:*:*:*:*:*:*:* versions from (including) 2024.1.0 up to (excluding) 2024.1.4 *cpe:2.3:a:jetbrains:dataspell:*:*:*:*:*:*:*:* versions up to (excluding) 2023.1.6 *cpe:2.3:a:jetbrains:dataspell:*:*:*:*:*:*:*:* versions from (including) 2023.2.0 up to (excluding) 2023.2.7 *cpe:2.3:a:jetbrains:dataspell:*:*:*:*:*:*:*:* versions from (including) 2023.3.0 up to (excluding) 2023.3.6 *cpe:2.3:a:jetbrains:dataspell:*:*:*:*:*:*:*:* versions from (including) 2024.1.0 up to (excluding) 2024.1.2 *cpe:2.3:a:jetbrains:goland:*:*:*:*:*:*:*:* versions up to (excluding) 2023.1.6 *cpe:2.3:a:jetbrains:goland:*:*:*:*:*:*:*:* versions from (including) 2023.2.0 up to (excluding) 2023.2.7 *cpe:2.3:a:jetbrains:goland:*:*:*:*:*:*:*:* versions from (including) 2023.3.0 up to (excluding) 2023.3.7 *cpe:2.3:a:jetbrains:goland:*:*:*:*:*:*:*:* versions from (including) 2024.1.0 up to (excluding) 2024.1.3 *cpe:2.3:a:jetbrains:intellij_idea:*:*:*:*:*:*:*:* versions up to (excluding) 2023.1.7 *cpe:2.3:a:jetbrains:intellij_idea:*:*:*:*:*:*:*:* versions from (including) 2023.2.0 up to (excluding) 2023.2.7 *cpe:2.3:a:jetbrains:intellij_idea:*:*:*:*:*:*:*:* versions from (including) 2023.3.0 up to (excluding) 2023.3.7 *cpe:2.3:a:jetbrains:intellij_idea:*:*:*:*:*:*:*:* versions from (including) 2024.1.0 up to (excluding) 2024.1.3 *cpe:2.3:a:jetbrains:mps:*:*:*:*:*:*:*:* versions up to (excluding) 2023.2.1 *cpe:2.3:a:jetbrains:mps:2023.3.0:*:*:*:*:*:*:* *cpe:2.3:a:jetbrains:phpstorm:*:*:*:*:*:*:*:* versions up to (excluding) 2023.1.6 *cpe:2.3:a:jetbrains:phpstorm:*:*:*:*:*:*:*:* versions from (including) 2023.2.0 up to (excluding) 2023.2.6 *cpe:2.3:a:jetbrains:phpstorm:*:*:*:*:*:*:*:* versions from (including) 2023.3.0 up to (excluding) 2023.3.7 *cpe:2.3:a:jetbrains:phpstorm:*:*:*:*:*:*:*:* versions from (including) 2024.1.0 up to (excluding) 2024.1.3 *cpe:2.3:a:jetbrains:pycharm:*:*:*:*:*:*:*:* versions up to (excluding) 2023.1.6 *cpe:2.3:a:jetbrains:pycharm:*:*:*:*:*:*:*:* versions from (including) 2023.2.0 up to (excluding) 2023.2.7 *cpe:2.3:a:jetbrains:pycharm:*:*:*:*:*:*:*:* versions from (including) 2023.3.0 up to (excluding) 2023.3.6 *cpe:2.3:a:jetbrains:pycharm:*:*:*:*:*:*:*:* versions from (including) 2024.1.0 up to (excluding) 2024.1.3 *cpe:2.3:a:jetbrains:rider:*:*:*:*:*:*:*:* versions up to (excluding) 2023.1.7 *cpe:2.3:a:jetbrains:rider:*:*:*:*:*:*:*:* versions from (including) 2023.2.0 up to (excluding) 2023.2.5 *cpe:2.3:a:jetbrains:rider:*:*:*:*:*:*:*:* versions from (including) 2023.3.0 up to (excluding) 2023.3.6 *cpe:2.3:a:jetbrains:rider:*:*:*:*:*:*:*:* versions from (including) 2024.1.0 up to (excluding) 2024.1.3 *cpe:2.3:a:jetbrains:rubymine:*:*:*:*:*:*:*:* versions up to (excluding) 2023.1.7 *cpe:2.3:a:jetbrains:rubymine:*:*:*:*:*:*:*:* versions from (including) 2023.2.0 up to (excluding) 2023.2.7 *cpe:2.3:a:jetbrains:rubymine:*:*:*:*:*:*:*:* versions from (including) 2023.3.0 up to (excluding) 2023.3.7 *cpe:2.3:a:jetbrains:rubymine:*:*:*:*:*:*:*:* versions from (including) 2024.1.0 up to (excluding) 2024.1.3 *cpe:2.3:a:jetbrains:rustrover:*:*:*:*:*:*:*:* versions up to (excluding) 2024.1.1 *cpe:2.3:a:jetbrains:webstorm:*:*:*:*:*:*:*:* versions up to (excluding) 2023.1.6 *cpe:2.3:a:jetbrains:webstorm:*:*:*:*:*:*:*:* versions from (including) 2023.2.0 up to (excluding) 2023.2.7 *cpe:2.3:a:jetbrains:webstorm:*:*:*:*:*:*:*:* versions from (including) 2023.3.0 up to (excluding) 2023.3.7 *cpe:2.3:a:jetbrains:webstorm:*:*:*:*:*:*:*:* versions from (including) 2024.1.0 up to (excluding) 2024.1.4
  • CVE Received by [email protected]

    Jun. 10, 2024

    Action Type Old Value New Value
    Added Description GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4
    Added Reference JetBrains s.r.o. https://www.jetbrains.com/privacy-security/issues-fixed/ [No types assigned]
    Added CWE JetBrains s.r.o. CWE-522
    Added CVSS V3.1 JetBrains s.r.o. AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-37051 is associated with the following CWEs:

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
© cvefeed.io
Latest DB Update: Apr. 30, 2025 9:43