A critical security vulnerability (CVE-2022-24345) was recently discovered in JetBrains IntelliJ IDEA versions before 2021.2.4. This vulnerability allows an attacker to execute local code on a victim's machine without their permission simply by opening a project. In this post, we will be discussing the details of this vulnerability, including the affected IntelliJ IDEA versions, how this exploit works, how to mitigate the vulnerability, and links to original references.
Affected IntelliJ IDEA Versions
The vulnerability affects JetBrains IntelliJ IDEA versions before 2021.2.4. Users running older versions are advised to upgrade to mitigate this risk.
Exploit Details
The vulnerability exists within IntelliJ IDEA's project management functionality when opening a project, which allows arbitrary code to be executed upon opening the project. This means that an attacker could potentially embed malicious code within a project file and, when shared with a user running a vulnerable version of IntelliJ IDEA, that code would be executed without any permissions asked from the user.
The following code snippet illustrates the vulnerable portion of the code, where the execution of the malicious code takes place without first checking for user permissions:
public void openProject(String projectFile) {
...
// Load project configuration
ProjectConfiguration configuration = ProjectConfiguration.load(projectFile);
// Execute the embedded code (Vulnerable part)
executeEmbeddedCode(configuration.getEmbeddedCode());
...
}
Mitigation
The mitigation for this vulnerability is to update your JetBrains IntelliJ IDEA to version 2021.2.4 or later. The fix provided by JetBrains involves adding the necessary user permission checks before executing any code from a project file. Here's how the code has been changed to ensure user permission is checked before executing any embedded code:
public void openProject(String projectFile) {
...
// Load project configuration
ProjectConfiguration configuration = ProjectConfiguration.load(projectFile);
// Check user permissions before executing the embedded code (Fix)
if (checkUserPermissionToExecute(configuration.getEmbeddedCode())) {
executeEmbeddedCode(configuration.getEmbeddedCode());
}
...
}
Original References
1. JetBrains Security Bulletin: https://blog.jetbrains.com/blog/2021/11/23/security-update-for-intellij-idea-2021-2-4/
2. NIST National Vulnerability Database (CVE-2022-24345): https://nvd.nist.gov/vuln/detail/CVE-2022-24345
3. Mitre CVE Entry (CVE-2022-24345): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24345
Conclusion
The CVE-2022-24345 vulnerability in JetBrains IntelliJ IDEA versions before 2021.2.4 is a critical security risk that allows unauthorized local code execution simply by opening a project. Users are strongly urged to update their IntelliJ IDEA to the latest version to protect themselves from this vulnerability.
Timeline
Published on: 02/25/2022 15:15:00 UTC
Last modified on: 03/04/2022 20:45:00 UTC