PyCharm Community, Professional: Remote code execution — GLSA 202107-45

A vulnerability has been found in PyCharm Community and Professional, potentially resulting in arbitrary code execution.

Affected packages

dev-util/pycharm-community on all architectures
Affected versions < 2021.1.2
Unaffected versions >= 2021.1.2
dev-util/pycharm-professional on all architectures
Affected versions < 2021.1.2
Unaffected versions >= 2021.1.2

Background

PyCharm is the Python IDE for professional developers.

Description

Insufficient validation exists within PyCharm’s checks for fetching projects from VCS.

Impact

If a victim can be enticed into fetching a VCS project via PyCharm, a remote attacker could achieve remote code execution.

Workaround

There is no known workaround at this time.

Resolution

All PyCharm Community users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose
 ">=dev-util/pycharm-community-2021.1.2"
 

All PyCharm Professional users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose
 ">=dev-util/pycharm-professional-2021.1.2"
 

References

Release date
July 20, 2021

Latest revision
July 20, 2021: 1

Severity
normal

Exploitable
remote

Bugzilla entries