CVE-2022-48433
📋 TL;DR
In JetBrains IntelliJ IDEA before 2023.1, an NTLM hash could leak through an API used by the IDE's built-in web server. Anyone who can send a request to that API on a vulnerable installation can trigger the leak. One caveat: NTLM material leaked over the network is normally a Net-NTLM challenge-response, which can be cracked offline or relayed to another service but cannot be replayed directly as in a pass-the-hash attack; either path still leads to credential theft and lateral movement.
💻 Affected Systems
- JetBrains IntelliJ IDEA, versions before 2023.1
📦 What is this software?
IntelliJ IDEA by JetBrains: an IDE for Java and other JVM languages. Its built-in web server (default port 63342) serves project files to browsers and exposes an HTTP API used by the IDE's browser integration and debugger.
⚠️ Risk & Real-World Impact
Worst Case
An attacker who can reach the built-in server captures NTLM authentication from a developer's account, cracks it offline or relays it to another host that accepts NTLM, and uses the resulting access for lateral movement across the network.
Likely Case
A process on the same workstation, or a host on the same network where the server has been set to accept external connections, triggers the leak. The attacker gets the developer's NTLM credential material for offline cracking or relay and, from there, access to other resources under that account.
If Mitigated
If the server stays bound to loopback (the default), developer workstations cannot open SMB or NTLM-over-HTTP connections to untrusted hosts, and the developer account has no more rights than it needs, a successful trigger yields little beyond the local development environment.
🎯 Exploit Status
Exploitation requires a request to the affected built-in web server API. By default the server binds to 127.0.0.1 on port 63342, so reaching it from another host requires 'Can accept external connections' to have been enabled; a process on the same machine can reach it over loopback. Requests without the IDE's own request signature are not accepted silently unless 'Allow unsigned requests' is on. No authentication bypass is needed beyond reaching the endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2023.1 and later
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Open IntelliJ IDEA.
2. Go to Help > Check for Updates (or update through the JetBrains Toolbox App if the IDE was installed with it).
3. Install version 2023.1 or later.
4. Restart IntelliJ IDEA.
🔧 Temporary Workarounds
Reduce Built-in Web Server Exposure
Limit who can reach the vulnerable component
Go to Settings/Preferences > Build, Execution, Deployment > Debugger > Built-in server. Make sure 'Can accept external connections' is unchecked so the server binds to loopback only, and leave 'Allow unsigned requests' unchecked. The settings page has no switch that stops the server entirely; binding it to loopback and firewalling its port is the practical equivalent.
Restrict Network Access
Limit built-in server access to localhost only and cut off the NTLM egress path
Block inbound TCP 63342 (the default port; check the value configured under Built-in server if it was changed) on the host firewall, and block outbound SMB (TCP 445) from developer workstations to untrusted networks so a coerced NTLM authentication has nowhere to go.
🧯 If You Can't Patch
- Bind the built-in web server to loopback only ('Can accept external connections' off, 'Allow unsigned requests' off) and block its port at the host firewall
- Block outbound SMB (TCP 445) from developer workstations to untrusted networks, and segment development machines from production systems
🔍 How to Verify
Check if Vulnerable:
Check the IntelliJ IDEA version in Help > About. Any version below 2023.1 (build line 231) is vulnerable.
Check Version:
Inside the IDE, use Help > About. Outside the IDE, read build.txt or product-info.json in the installation directory; the build number there (IU-231.xxxx.xx or IC-231.xxxx.xx for 2023.1) identifies the version.
Verify Fix Applied:
Verify the version is 2023.1 or higher in Help > About. Test that the built-in web server still functions for development needs.
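The version check above and the settings workaround under Temporary Workarounds can be audited from a script, which is useful across a fleet of developer machines. The following is an added example, not JetBrains code and not from this page: it reads the build number from build.txt or product-info.json in an installation directory, compares the build line with 231 (the 2023.1 line), and parses the per-user options/other.xml for the built-in server options. The component and option names used for other.xml (BuiltInServerOptions, builtInServerAvailableExternally, allowUnsignedRequests, builtInServerPort) and the defaults are my reading of how IntelliJ stores those settings and are an assumption; the sample XML is constructed.

```python
"""Audit an IntelliJ IDEA installation for CVE-2022-48433 exposure (added example)."""
import json
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Tuple, List

FIXED_BUILD_LINE = 231  # IntelliJ IDEA 2023.1 is build line 231; 2022.3 is 223

# Matches 'IU-231.8109.175', 'IC-223.8617.56' or a bare '231.8109.175'.
BUILD_RE = re.compile(r"^(?:[A-Z]+-)?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_build(build: str) -> Tuple[int, ...]:
    """'IU-231.8109.175' -> (231, 8109, 175)."""
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def is_vulnerable_build(build: str) -> bool:
    """True when the build line predates 2023.1 (231)."""
    return parse_build(build)[0] < FIXED_BUILD_LINE


def read_build(install_dir: Path) -> str:
    """Prefer product-info.json, fall back to build.txt; both sit in the IDE root."""
    pinfo = install_dir / "product-info.json"
    if pinfo.is_file():
        return json.loads(pinfo.read_text(encoding="utf-8"))["buildNumber"]
    return (install_dir / "build.txt").read_text(encoding="utf-8").strip()


def builtin_server_settings(other_xml: str) -> dict:
    """Parse the BuiltInServerOptions component out of other.xml text.

    Options missing from the file keep the assumed defaults: port 63342,
    external connections off, unsigned requests off."""
    settings = {
        "builtInServerPort": 63342,
        "builtInServerAvailableExternally": False,
        "allowUnsignedRequests": False,
    }
    root = ET.fromstring(other_xml)
    for comp in root.iter("component"):
        if comp.get("name") != "BuiltInServerOptions":
            continue
        for opt in comp.findall("option"):
            name, value = opt.get("name"), opt.get("value", "")
            if name == "builtInServerPort":
                settings[name] = int(value)
            elif name in settings:
                settings[name] = value.lower() == "true"
    return settings


def exposure(build: str, other_xml: str) -> List[str]:
    """Return findings as plain strings; an empty list means nothing to report."""
    findings = []
    if is_vulnerable_build(build):
        findings.append(f"build {build} predates 2023.1: update the IDE")
    s = builtin_server_settings(other_xml)
    if s["builtInServerAvailableExternally"]:
        findings.append(
            f"built-in server accepts external connections on port {s['builtInServerPort']}")
    if s["allowUnsignedRequests"]:
        findings.append("built-in server allows unsigned requests")
    return findings


# Constructed sample other.xml: the shape assumed when both risky options were enabled.
SAMPLE_OTHER_XML = """<application>
  <component name="BuiltInServerOptions">
    <option name="builtInServerAvailableExternally" value="true" />
    <option name="allowUnsignedRequests" value="true" />
  </component>
</application>"""

if __name__ == "__main__":
    # For a real audit: read_build(Path(r"C:\Program Files\JetBrains\IntelliJ IDEA 2022.3"))
    # and the text of <config dir>/options/other.xml for the user being audited.
    for finding in exposure("IU-223.8617.56", SAMPLE_OTHER_XML):
        print("FINDING:", finding)
```

Run it against a real install by passing read_build(...) the installation directory and the contents of the user's options/other.xml; a patched install with default settings returns an empty list.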
📡 Detection & Monitoring
Log Indicators:
- Requests to built-in web server API endpoints from anything other than the IDE's own browser integration; the IDE log (idea.log, reachable via Help > Show Log in Explorer/Finder) records built-in server startup and its port but not NTLM material, so host and network telemetry matter more than the IDE log here
- NTLM network logons (Windows Event ID 4624, Logon Type 3, Authentication Package NTLM) or failed logons (Event ID 4625) for a developer account on hosts that developer does not normally use
Network Indicators:
- Connections to TCP 63342 from any source other than the local host
- Outbound SMB (TCP 445) or HTTP NTLM negotiation from developer workstations to hosts that are not sanctioned file or proxy servers
SIEM Query (firewall or flow logs; field names depend on your schema):
dest_port=63342 AND NOT src_ip IN (127.0.0.1, ::1) AND src_ip != dest_ip
dest_port=445 AND src_ip IN (<developer workstation range>) AND NOT dest_ip IN (<sanctioned file servers>)
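The two network indicators above can be turned into detection logic and tested offline. This is an added example, not from this page and not JetBrains code: it parses a few constructed key=value flow records and raises an alert when the built-in server port is reached from a non-loopback source, or when a host in the developer range opens SMB to a destination that is not a sanctioned file server. The field names (ts, src_ip, dst_ip, dst_port), the workstation range, and the file-server allowlist are assumptions to adapt to your own telemetry.

```python
"""Flow-log detection for CVE-2022-48433 network indicators (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

INTELLIJ_PORT = 63342  # default built-in server port
SMB_PORT = 445         # outbound SMB from a workstation is the classic NTLM-capture channel

# Constructed environment knowledge (assumption): developer VLAN and sanctioned file servers.
WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")
FILE_SERVERS = {ipaddress.ip_address("10.1.1.5"), ipaddress.ip_address("10.1.1.6")}


@dataclass
class Alert:
    ts: str
    rule: str
    src: str
    dst: str
    detail: str


def parse_line(line: str) -> dict:
    """Parse 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    return fields


def evaluate(rec: dict) -> Optional[Alert]:
    """Apply both rules to one record; malformed records produce no alert."""
    try:
        src = ipaddress.ip_address(rec["src_ip"])
        dst = ipaddress.ip_address(rec["dst_ip"])
        dport = int(rec["dst_port"])
    except (KeyError, ValueError):
        return None
    ts = rec.get("ts", "?")
    # Rule 1: the built-in server reached from anything but the local host.
    if dport == INTELLIJ_PORT and not src.is_loopback and src != dst:
        return Alert(ts, "intellij-builtin-server-external", str(src), str(dst),
                     f"TCP/{INTELLIJ_PORT} reached from a non-loopback source")
    # Rule 2: a workstation opening SMB to a host that is not a sanctioned file server;
    # a coerced NTLM authentication to an attacker-controlled box looks exactly like this.
    if dport == SMB_PORT and src in WORKSTATIONS and dst not in FILE_SERVERS:
        return Alert(ts, "workstation-smb-to-unknown-host", str(src), str(dst),
                     "outbound SMB to a non-allowlisted destination (possible NTLM capture)")
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    alerts = []
    for line in lines:
        alert = evaluate(parse_line(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample flow records; not real traffic.
SAMPLE_LOG = [
    "ts=2023-03-30T09:01:02Z proto=tcp src_ip=127.0.0.1 dst_ip=127.0.0.1 dst_port=63342",   # IDE's own browser
    "ts=2023-03-30T09:02:10Z proto=tcp src_ip=10.10.4.20 dst_ip=10.10.4.21 dst_port=63342", # peer reaches server
    "ts=2023-03-30T09:02:11Z proto=tcp src_ip=10.10.4.21 dst_ip=10.1.1.5 dst_port=445",     # sanctioned file server
    "ts=2023-03-30T09:02:12Z proto=tcp src_ip=10.10.4.21 dst_ip=203.0.113.7 dst_port=445",  # SMB to an Internet host
    "garbage line without fields",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.rule} {a.src}->{a.dst}: {a.detail}")
```

On the sample records only the second and fourth lines alert. Rule 2 is the one that catches the leak itself rather than the trigger, so it is worth keeping even where the built-in server is already bound to loopback.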