Virtual Environment Vulnerability Allows Command Injection
CVE-2024-9287

5.3MEDIUM

Key Information:

Vendor
Python Software Foundation
Status
Cpython
Vendor
CVE Published:
22 October 2024

Summary

A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

Affected Version(s)

CPython 0 < 3.9.21

CPython 3.10.0 < 3.10.16

CPython 3.11.0 < 3.11.11

References

https://github.com/python/cpython/issues/124651
issue-tracking
https://github.com/python/cpython/pull/124712
patch
https://mail.python.org/archives/list/security-announce@p...
vendor-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

.