CVE-2024-9287
Virtual environment (venv) activation scripts don't quote paths
Public Exploits: 0
Exploited in Wild: -
Descriptions
A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (i.e. "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker, or which are used without being activated (i.e. by invoking "./venv/bin/python" directly), are not affected.
A vulnerability has been found in the Python `venv` module and CLI. Path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts, for example, "source venv/bin/activate". This flaw allows attacker-controlled virtual environments to run commands when the virtual environment is activated.
It was discovered that Python incorrectly handled quoting path names when using the venv module. A local attacker able to control virtual environments could possibly use this issue to execute arbitrary code when the virtual environment is activated.
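The descriptions above state the mechanism but do not show it. The following Python is an added example, not code from CPython or from this page: it models the unpatched templating (placeholder substituted verbatim inside a double-quoted shell assignment, where `$(...)` still runs) beside the `shlex.quote`-based substitution that fixes it, and it adds an audit helper that flags an `activate` script whose `VIRTUAL_ENV` or `PS1` assignment a POSIX shell would execute something for when sourced. The two template strings are simplified stand-ins for CPython's real `activate` template, and the malicious directory name and `--prompt` value are constructed sample input; all of these are assumptions, not facts taken from the page.

```python
"""
Added example for CVE-2024-9287 (not code from CPython or from this page):
a minimal model of how venv's activation-script templating spliced in an
unquoted path, the shell-quoting that fixes it, and an audit helper that
flags 'activate' scripts whose VIRTUAL_ENV or PS1 assignment a POSIX shell
would expand at 'source' time.

Assumptions: the two templates below are simplified stand-ins for CPython's
real 'activate' template, and the malicious directory name and prompt are
constructed sample input.
"""
import re
import shlex

# Simplified stand-in for the pre-fix POSIX template (assumption): the
# placeholder lands inside double quotes, where the shell still performs
# $(...) and `...` command substitution, and a literal '"' ends the string.
VULNERABLE_TEMPLATE = (
    'VIRTUAL_ENV="__VENV_DIR__"\n'
    'export VIRTUAL_ENV\n'
    'PS1="(__VENV_PROMPT__) ${PS1:-}"\n'
)

# Simplified stand-in for the post-fix template (assumption): the placeholder
# is unquoted in the template and the substituted value is shell-quoted by
# the creator, so the prompt is spliced in as its own quoted word.
FIXED_TEMPLATE = (
    'VIRTUAL_ENV=__VENV_DIR__\n'
    'export VIRTUAL_ENV\n'
    'PS1="("__VENV_PROMPT__") ${PS1:-}"\n'
)

# Constructed sample input: a venv directory name carrying a command
# substitution and a --prompt value that breaks out of the double quotes.
# 'id' stands in for an attacker's payload.
MALICIOUS_DIR = "/tmp/project$(id)"
MALICIOUS_PROMPT = 'proj" ; id ; "'


def render_vulnerable(env_dir: str, prompt: str) -> str:
    """Verbatim substitution, as the unpatched venv module did it."""
    text = VULNERABLE_TEMPLATE
    for key, value in (("__VENV_DIR__", env_dir), ("__VENV_PROMPT__", prompt)):
        text = text.replace(key, value)
    return text


def render_fixed(env_dir: str, prompt: str) -> str:
    """Substitution through shlex.quote: the value becomes a single-quoted
    word with any embedded single quote escaped, so nothing in it is special."""
    text = FIXED_TEMPLATE
    for key, value in (("__VENV_DIR__", env_dir), ("__VENV_PROMPT__", prompt)):
        text = text.replace(key, shlex.quote(value))
    return text


def expands_at_activation(word: str) -> bool:
    """True if a POSIX shell would run a command while evaluating this
    assignment value: $(...) or backticks outside single quotes, or a
    command separator left completely unquoted (a quote-break injection)."""
    in_single = in_double = False
    i = 0
    while i < len(word):
        c = word[i]
        if in_single:
            in_single = c != "'"          # only a closing quote is special
        elif c == "\\":
            i += 2                        # backslash escapes the next character
            continue
        elif c == "'" and not in_double:
            in_single = True
        elif c == '"':
            in_double = not in_double
        elif c == "`" or word.startswith("$(", i):
            return True                   # command substitution, active in "..." too
        elif not in_double and c in ";|&\n":
            return True                   # separator exposed by a broken-out quote
        i += 1
    return False


ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?(VIRTUAL_ENV|PS1)=(.*)$")


def audit_activate(script_text: str) -> list[tuple[int, str]]:
    """Return (line_number, variable) for each assignment that would execute
    something when the script is sourced. An empty list means nothing flagged."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if m and expands_at_activation(m.group(2)):
            findings.append((lineno, m.group(1)))
    return findings


def audit_activate_file(path: str) -> list[tuple[int, str]]:
    """Same check against an on-disk script, e.g. '<venv>/bin/activate'."""
    with open(path, encoding="utf-8") as fh:
        return audit_activate(fh.read())


if __name__ == "__main__":
    for label, script in (("vulnerable", render_vulnerable(MALICIOUS_DIR, MALICIOUS_PROMPT)),
                          ("fixed", render_fixed(MALICIOUS_DIR, MALICIOUS_PROMPT))):
        print(f"--- {label} ---\n{script}flagged: {audit_activate(script)}")
```

Run as a script it prints both rendered fragments: the vulnerable one carries `VIRTUAL_ENV="/tmp/project$(id)"` and a `PS1` line that closes its quote and runs `id`, while the fixed one carries `VIRTUAL_ENV='/tmp/project$(id)'` and a single-quoted prompt, and only the former is flagged. Pointing `audit_activate_file` at each `bin/activate` under a developer's virtualenv directory is a cheap way to triage environments received from elsewhere (a checked-out repository, a shared tarball) on hosts that still run an affected CPython. The model covers only the POSIX `activate`; the csh, fish and PowerShell activators have their own quoting rules and are not checked here. Until patched, the workaround given in the descriptions stands: do not `source` an untrusted environment's activation script, run `./venv/bin/python` directly.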
CVSS Scores
SSVC
- Decision: Track*
Timeline
- 2024-09-27 CVE Reserved
- 2024-10-22 CVE Published
- 2025-01-31 CVE Updated
- 2025-04-01 EPSS Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
- (no date) First Exploit
CWE
- CWE-428: Unquoted Search Path or Element
CAPEC
References (11)
URL | Tag
---|---
https://github.com/python/cpython/issues/124651 | Issue Tracking
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Python Software Foundation | CPython | < 3.9.21 | Affected
Python Software Foundation | CPython | >= 3.10.0 < 3.10.16 | Affected
Python Software Foundation | CPython | >= 3.11.0 < 3.11.11 | Affected
Python Software Foundation | CPython | >= 3.12.0 < 3.12.8 | Affected
Python Software Foundation | CPython | >= 3.13.0 < 3.13.1 | Affected