CVE-2024-9287

HIGH7.8EPSS 0.06%

Virtual environment (venv) activation scripts don't quote paths

Published: 10/22/2024Modified: 4/28/2026

Description

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

Affected packages (8)

Alpine/python3from 0, < 3.11.11-r0
Bitnami/libpythonfrom 0, < 3.9.21, >= 3.10.0, < 3.10.16, >= 3.11.0, < 3.11.11, >= 3.12.0, < 3.12.8, >= 3.13.0, < 3.13.1
Bitnami/pythonfrom 0, < 3.9.21, >= 3.10.0, < 3.10.16, >= 3.11.0, < 3.11.11, >= 3.12.0, < 3.12.8, >= 3.13.0, < 3.13.1
Bitnami/python-minfrom 0, < 3.9.21, >= 3.10.0, < 3.10.16, >= 3.11.0, < 3.11.11, >= 3.12.0, < 3.12.8, >= 3.13.0, < 3.13.1
Debian/pypy3from 0, < 7.3.5+dfsg-2+deb11u4
Debian/python3.11from 0, < 3.11.2-6+deb12u5
Debian/python3.13from 0, < 3.13.1-1
Debian/python3.9from 0, < 3.9.2-1+deb11u2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
osv	CVSS 3.1	HIGH7.8	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Affected packages (8)

CVSS scores

References (15)