FKIE_CVE-2024-9287

Vulnerability from fkie_nvd - Published: 2024-10-22 17:15 - Updated: 2025-11-03 23:17
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.
References
cna@python.orghttps://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7Patch
cna@python.orghttps://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7dbPatch
cna@python.orghttps://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8Patch
cna@python.orghttps://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97Patch
cna@python.orghttps://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111bPatch
cna@python.orghttps://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483Patch
cna@python.orghttps://github.com/python/cpython/issues/124651Issue Tracking
cna@python.orghttps://github.com/python/cpython/pull/124712Issue Tracking, Patch
cna@python.orghttps://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20250425-0006/
Impacted products
Vendor Product Version
python python *
python python *
python python *
python python *
python python *
python python 3.14.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "33E41245-604A-4967-85A8-F3DC04E6D0CC",
              "versionEndExcluding": "3.9.21",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B013F87A-0CEE-4DC1-AAFC-7EBDAC6576C5",
              "versionEndExcluding": "3.10.16",
              "versionStartIncluding": "3.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC875838-E29D-4D06-84DA-8F552FCFD726",
              "versionEndExcluding": "3.11.11",
              "versionStartIncluding": "3.11.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4899490-179B-4EB7-9713-912862F62B94",
              "versionEndExcluding": "3.12.8",
              "versionStartIncluding": "3.12.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B186E2B1-39FF-4264-AAC3-CF6D5E767F30",
              "versionEndExcluding": "3.13.1",
              "versionStartIncluding": "3.13.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.14.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "BAEA33EC-9685-4778-B77C-3E127BD31DB9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren\u0027t activated before being used (ie \"./venv/bin/python\") are not affected."
    },
    {
      "lang": "es",
      "value": " Se ha encontrado una vulnerabilidad en el m\u00f3dulo `venv` de CPython y en la CLI donde los nombres de ruta proporcionados al crear un entorno virtual no se citaban correctamente, lo que permit\u00eda al creador inyectar comandos en los scripts de \"activaci\u00f3n\" del entorno virtual (es decir, \"source venv/bin/activate\"). Esto significa que los entornos virtuales controlados por el atacante pueden ejecutar comandos cuando el entorno virtual est\u00e1 activado. Los entornos virtuales que no son creados por un atacante o que no se activan antes de ser utilizados (es decir, \"./venv/bin/python\") no se ven afectados."
    }
  ],
  "id": "CVE-2024-9287",
  "lastModified": "2025-11-03T23:17:33.603",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "HIGH",
          "providerUrgency": "GREEN",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "ACTIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "cna@python.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-10-22T17:15:06.697",
  "references": [
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/python/cpython/issues/124651"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/python/cpython/pull/124712"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20250425-0006/"
    }
  ],
  "sourceIdentifier": "cna@python.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-428"
        }
      ],
      "source": "cna@python.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-77"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.