CVE-2024-9287
Nov. 4, 2024, 6:15 p.m.
None
No Score
Description
A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.
Product(s) Impacted
| Product | Versions |
|---|---|
| CPython |
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
CWE-428
Unquoted Search Path or Element
The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
References
Tags
Timeline
Published: Oct. 22, 2024, 5:15 p.m.
Last Modified: Nov. 4, 2024, 6:15 p.m.
Last Modified: Nov. 4, 2024, 6:15 p.m.
Status : Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
cna@python.org
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.