CVE-2024-9287

Virtual environment (venv) activation scripts don't quote paths

Severity Score

5.3

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

High

User Interaction

Active

System

Vulnerable | Subsequent

Confidentiality

High

None

Integrity

High

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

High

User Interaction

Active

System

Vulnerable | Subsequent

Confidentiality

High

None

Integrity

High

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-09-27 CVE Reserved
2024-10-22 CVE Published
2024-11-04 CVE Updated
2024-11-05 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-428: Unquoted Search Path or Element

CAPEC

References (8)

URL	Tag	Source
https://github.com/python/cpython/issues/124651	Issue Tracking

URL	Date	SRC

URL	Date	SRC
https://github.com/python/cpython/pull/124712	2024-10-22
https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483	2024-11-04
https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7	2024-11-04
https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db	2024-11-04
https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8	2024-11-04
https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97	2024-11-04

URL	Date	SRC
https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL	2024-10-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python Software Foundation Search vendor "Python Software Foundation"		CPython Search vendor "Python Software Foundation" for product "CPython"				<= 3.13.0 Search vendor "Python Software Foundation" for product "CPython" and version " <= 3.13.0"		en		Affected