cve-2024-9287
Vulnerability from cvelistv5
Published
2024-10-22 16:34
Modified
2025-01-31 19:55
Severity ?
5.3 (Medium) - CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/U:Green
Summary
A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.
References
cna@python.orghttps://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7Patch
cna@python.orghttps://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7dbPatch
cna@python.orghttps://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8Patch
cna@python.orghttps://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97Patch
cna@python.orghttps://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111bPatch
cna@python.orghttps://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483Patch
cna@python.orghttps://github.com/python/cpython/issues/124651Issue Tracking
cna@python.orghttps://github.com/python/cpython/pull/124712Issue Tracking, Patch
cna@python.orghttps://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/Vendor Advisory
Impacted products
Vendor Product Version
Python Software Foundation CPython Version: 0
Version: 3.10.0
Version: 3.11.0
Version: 3.12.0
Version: 3.13.0
Version: 3.14.0a1
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:python:cpython:*:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "cpython",
                  vendor: "python",
                  versions: [
                     {
                        lessThanOrEqual: "3.13.0",
                        status: "affected",
                        version: "0",
                        versionType: "python",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-9287",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-10-22T17:11:46.736068Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-10-22T17:13:32.968Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               modules: [
                  "venv",
               ],
               product: "CPython",
               repo: "https://github.com/python/cpython",
               vendor: "Python Software Foundation",
               versions: [
                  {
                     lessThan: "3.9.21",
                     status: "affected",
                     version: "0",
                     versionType: "python",
                  },
                  {
                     lessThan: "3.10.16",
                     status: "affected",
                     version: "3.10.0",
                     versionType: "python",
                  },
                  {
                     lessThan: "3.11.11",
                     status: "affected",
                     version: "3.11.0",
                     versionType: "python",
                  },
                  {
                     lessThan: "3.12.8",
                     status: "affected",
                     version: "3.12.0",
                     versionType: "python",
                  },
                  {
                     lessThan: "3.13.1",
                     status: "affected",
                     version: "3.13.0",
                     versionType: "python",
                  },
                  {
                     lessThan: "3.14.0a2",
                     status: "affected",
                     version: "3.14.0a1",
                     versionType: "python",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.<br>",
                  },
               ],
               value: "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.",
            },
         ],
         metrics: [
            {
               cvssV4_0: {
                  Automatable: "NOT_DEFINED",
                  Recovery: "NOT_DEFINED",
                  Safety: "NOT_DEFINED",
                  attackComplexity: "LOW",
                  attackRequirements: "PRESENT",
                  attackVector: "LOCAL",
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  privilegesRequired: "HIGH",
                  providerUrgency: "GREEN",
                  subAvailabilityImpact: "NONE",
                  subConfidentialityImpact: "NONE",
                  subIntegrityImpact: "NONE",
                  userInteraction: "ACTIVE",
                  valueDensity: "NOT_DEFINED",
                  vectorString: "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/U:Green",
                  version: "4.0",
                  vulnAvailabilityImpact: "NONE",
                  vulnConfidentialityImpact: "HIGH",
                  vulnIntegrityImpact: "HIGH",
                  vulnerabilityResponseEffort: "NOT_DEFINED",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-428",
                     description: "CWE-428 Unquoted Search Path or Element",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-01-31T19:55:27.648Z",
            orgId: "28c92f92-d60d-412d-b760-e73465c3df22",
            shortName: "PSF",
         },
         references: [
            {
               tags: [
                  "issue-tracking",
               ],
               url: "https://github.com/python/cpython/issues/124651",
            },
            {
               tags: [
                  "patch",
               ],
               url: "https://github.com/python/cpython/pull/124712",
            },
            {
               tags: [
                  "vendor-advisory",
               ],
               url: "https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/",
            },
            {
               tags: [
                  "patch",
               ],
               url: "https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483",
            },
            {
               tags: [
                  "patch",
               ],
               url: "https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7",
            },
            {
               tags: [
                  "patch",
               ],
               url: "https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db",
            },
            {
               tags: [
                  "patch",
               ],
               url: "https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8",
            },
            {
               tags: [
                  "patch",
               ],
               url: "https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97",
            },
            {
               tags: [
                  "patch",
               ],
               url: "https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Virtual environment (venv) activation scripts don't quote paths",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "28c92f92-d60d-412d-b760-e73465c3df22",
      assignerShortName: "PSF",
      cveId: "CVE-2024-9287",
      datePublished: "2024-10-22T16:34:39.210Z",
      dateReserved: "2024-09-27T14:48:44.181Z",
      dateUpdated: "2025-01-31T19:55:27.648Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      fkie_nvd: {
         descriptions: "[{\"lang\": \"en\", \"value\": \"A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \\\"activation\\\" scripts (ie \\\"source venv/bin/activate\\\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \\\"./venv/bin/python\\\") are not affected.\"}, {\"lang\": \"es\", \"value\": \" Se ha encontrado una vulnerabilidad en el m\\u00f3dulo `venv` de CPython y en la CLI donde los nombres de ruta proporcionados al crear un entorno virtual no se citaban correctamente, lo que permit\\u00eda al creador inyectar comandos en los scripts de \\\"activaci\\u00f3n\\\" del entorno virtual (es decir, \\\"source venv/bin/activate\\\"). Esto significa que los entornos virtuales controlados por el atacante pueden ejecutar comandos cuando el entorno virtual est\\u00e1 activado. Los entornos virtuales que no son creados por un atacante o que no se activan antes de ser utilizados (es decir, \\\"./venv/bin/python\\\") no se ven afectados.\"}]",
         id: "CVE-2024-9287",
         lastModified: "2024-11-04T18:15:05.627",
         metrics: "{\"cvssMetricV40\": [{\"source\": \"cna@python.org\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"4.0\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"ACTIVE\", \"vulnerableSystemConfidentiality\": \"HIGH\", \"vulnerableSystemIntegrity\": \"HIGH\", \"vulnerableSystemAvailability\": \"NONE\", \"subsequentSystemConfidentiality\": \"NONE\", \"subsequentSystemIntegrity\": \"NONE\", \"subsequentSystemAvailability\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"confidentialityRequirements\": \"NOT_DEFINED\", \"integrityRequirements\": \"NOT_DEFINED\", \"availabilityRequirements\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NOT_DEFINED\", \"modifiedAttackComplexity\": \"NOT_DEFINED\", \"modifiedAttackRequirements\": \"NOT_DEFINED\", \"modifiedPrivilegesRequired\": \"NOT_DEFINED\", \"modifiedUserInteraction\": \"NOT_DEFINED\", \"modifiedVulnerableSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedVulnerableSystemIntegrity\": \"NOT_DEFINED\", \"modifiedVulnerableSystemAvailability\": \"NOT_DEFINED\", \"modifiedSubsequentSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedSubsequentSystemIntegrity\": \"NOT_DEFINED\", \"modifiedSubsequentSystemAvailability\": \"NOT_DEFINED\", \"safety\": \"NOT_DEFINED\", \"automatable\": \"NOT_DEFINED\", \"recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"GREEN\"}}]}",
         published: "2024-10-22T17:15:06.697",
         references: "[{\"url\": \"https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7\", \"source\": \"cna@python.org\"}, {\"url\": \"https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db\", \"source\": \"cna@python.org\"}, {\"url\": \"https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8\", \"source\": \"cna@python.org\"}, {\"url\": \"https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97\", \"source\": \"cna@python.org\"}, {\"url\": \"https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483\", \"source\": \"cna@python.org\"}, {\"url\": \"https://github.com/python/cpython/issues/124651\", \"source\": \"cna@python.org\"}, {\"url\": \"https://github.com/python/cpython/pull/124712\", \"source\": \"cna@python.org\"}, {\"url\": \"https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/\", \"source\": \"cna@python.org\"}]",
         sourceIdentifier: "cna@python.org",
         vulnStatus: "Awaiting Analysis",
         weaknesses: "[{\"source\": \"cna@python.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-428\"}]}]",
      },
      nvd: "{\"cve\":{\"id\":\"CVE-2024-9287\",\"sourceIdentifier\":\"cna@python.org\",\"published\":\"2024-10-22T17:15:06.697\",\"lastModified\":\"2025-02-10T18:47:16.547\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \\\"activation\\\" scripts (ie \\\"source venv/bin/activate\\\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \\\"./venv/bin/python\\\") are not affected.\"},{\"lang\":\"es\",\"value\":\" Se ha encontrado una vulnerabilidad en el módulo `venv` de CPython y en la CLI donde los nombres de ruta proporcionados al crear un entorno virtual no se citaban correctamente, lo que permitía al creador inyectar comandos en los scripts de \\\"activación\\\" del entorno virtual (es decir, \\\"source venv/bin/activate\\\"). Esto significa que los entornos virtuales controlados por el atacante pueden ejecutar comandos cuando el entorno virtual está activado. Los entornos virtuales que no son creados por un atacante o que no se activan antes de ser utilizados (es decir, \\\"./venv/bin/python\\\") no se ven afectados.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@python.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"ACTIVE\",\"vulnerableSystemConfidentiality\":\"HIGH\",\"vulnerableSystemIntegrity\":\"HIGH\",\"vulnerableSystemAvailability\":\"NONE\",\"subsequentSystemConfidentiality\":\"NONE\",\"subsequentSystemIntegrity\":\"NONE\",\"subsequentSystemAvailability\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirements\":\"NOT_DEFINED\",\"integrityRequirements\":\"NOT_DEFINED\",\"availabilityRequirements\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnerableSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedVulnerableSystemIntegrity\":\"NOT_DEFINED\",\"modifiedVulnerableSystemAvailability\":\"NOT_DEFINED\",\"modifiedSubsequentSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedSubsequentSystemIntegrity\":\"NOT_DEFINED\",\"modifiedSubsequentSystemAvailability\":\"NOT_DEFINED\",\"safety\":\"NOT_DEFINED\",\"automatable\":\"NOT_DEFINED\",\"recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"GREEN\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"cna@python.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-428\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.9.21\",\"matchCriteriaId\":\"33E41245-604A-4967-85A8-F3DC04E6D0CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.10.0\",\"versionEndExcluding\":\"3.10.16\",\"matchCriteriaId\":\"B013F87A-0CEE-4DC1-AAFC-7EBDAC6576C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.11.0\",\"versionEndExcluding\":\"3.11.11\",\"matchCriteriaId\":\"DC875838-E29D-4D06-84DA-8F552FCFD726\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.12.0\",\"versionEndExcluding\":\"3.12.8\",\"matchCriteriaId\":\"D4899490-179B-4EB7-9713-912862F62B94\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.13.0\",\"versionEndExcluding\":\"3.13.1\",\"matchCriteriaId\":\"B186E2B1-39FF-4264-AAC3-CF6D5E767F30\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:python:3.14.0:alpha1:*:*:*:*:*:*\",\"matchCriteriaId\":\"BAEA33EC-9685-4778-B77C-3E127BD31DB9\"}]}]}],\"references\":[{\"url\":\"https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7\",\"source\":\"cna@python.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db\",\"source\":\"cna@python.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8\",\"source\":\"cna@python.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97\",\"source\":\"cna@python.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b\",\"source\":\"cna@python.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483\",\"source\":\"cna@python.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/python/cpython/issues/124651\",\"source\":\"cna@python.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/python/cpython/pull/124712\",\"source\":\"cna@python.org\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/\",\"source\":\"cna@python.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-9287\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-22T17:11:46.736068Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:python:cpython:*:*:*:*:*:*:*:*\"], \"vendor\": \"python\", \"product\": \"cpython\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"python\", \"lessThanOrEqual\": \"3.13.0\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-22T17:13:06.936Z\"}}], \"cna\": {\"title\": \"Virtual environment (venv) activation scripts don't quote paths\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/U:Green\", \"providerUrgency\": \"GREEN\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/python/cpython\", \"vendor\": \"Python Software Foundation\", \"modules\": [\"venv\"], \"product\": \"CPython\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"3.9.21\", \"versionType\": \"python\"}, {\"status\": \"affected\", \"version\": \"3.10.0\", \"lessThan\": \"3.10.16\", \"versionType\": \"python\"}, {\"status\": \"affected\", \"version\": \"3.11.0\", \"lessThan\": \"3.11.11\", \"versionType\": \"python\"}, {\"status\": \"affected\", \"version\": \"3.12.0\", \"lessThan\": \"3.12.8\", \"versionType\": \"python\"}, {\"status\": \"affected\", \"version\": \"3.13.0\", \"lessThan\": \"3.13.1\", \"versionType\": \"python\"}, {\"status\": \"affected\", \"version\": \"3.14.0a1\", \"lessThan\": \"3.14.0a2\", \"versionType\": \"python\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/python/cpython/issues/124651\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://github.com/python/cpython/pull/124712\", \"tags\": [\"patch\"]}, {\"url\": \"https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \\\"activation\\\" scripts (ie \\\"source venv/bin/activate\\\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \\\"./venv/bin/python\\\") are not affected.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \\\"activation\\\" scripts (ie \\\"source venv/bin/activate\\\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \\\"./venv/bin/python\\\") are not affected.<br>\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-428\", \"description\": \"CWE-428 Unquoted Search Path or Element\"}]}], \"providerMetadata\": {\"orgId\": \"28c92f92-d60d-412d-b760-e73465c3df22\", \"shortName\": \"PSF\", \"dateUpdated\": \"2025-01-31T19:55:27.648Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2024-9287\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-31T19:55:27.648Z\", \"dateReserved\": \"2024-09-27T14:48:44.181Z\", \"assignerOrgId\": \"28c92f92-d60d-412d-b760-e73465c3df22\", \"datePublished\": \"2024-10-22T16:34:39.210Z\", \"assignerShortName\": \"PSF\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.