CVE-2024-9287
5.3
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/U:Green
Summary
A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Python Software Foundation | CPython | 0 < 3.9.21 | affected |
| Python Software Foundation | CPython | 3.10.0 < 3.10.16 | affected |
| Python Software Foundation | CPython | 3.11.0 < 3.11.11 | affected |
| Python Software Foundation | CPython | 3.12.0 < 3.12.8 | affected |
| Python Software Foundation | CPython | 3.13.0 < 3.13.1 | affected |
| Python Software Foundation | CPython | 3.14.0a1 < 3.14.0a2 | affected |
Weaknesses
- CWE-428: CWE-428 Unquoted Search Path or Element
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
- https://security.netapp.com/advisory/ntap-20250425-0006/
- https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
- https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html
References
- https://github.com/python/cpython/issues/124651
- https://github.com/python/cpython/pull/124712
- https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/
- https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483
- https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7
- https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db
- https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8
- https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97
- https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.