CVE-2024-9287

Description

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

CVSS Metrics

• v4.0•MEDIUM•Score: 5.3CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/U:Green
• v4.0•MEDIUM•Score: 5.3CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
• v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.06%• Percentile: 19%

Techniques & Countermeasures

• CWE-428•Unquoted Search Path or Element

  The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

• CWE-77•Improper Neutralization of Special Elements used in a Command ('Command Injection')

  The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Affected Systems

• python software foundation•cpython

  < 3.9.21 | ≥ 3.10.0, < 3.10.16 | ≥ 3.11.0, < 3.11.11 | ≥ 3.12.0, < 3.12.8 | ≥ 3.13.0, < 3.13.1 | ≥ 3.14.0a1, < 3.14.0a2

• python•python

  < 3.9.21 | ≥ 3.10.0, < 3.10.16 | ≥ 3.11.0, < 3.11.11 | ≥ 3.12.0, < 3.12.8 | ≥ 3.13.0, < 3.13.1 | 3.14.0:alpha1

References (12)

• https://github.com/python/cpython/issues/124651
• https://github.com/python/cpython/pull/124712
• https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/
• https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483
• https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7
• https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db
• https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8
• https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97
• https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b
• https://security.netapp.com/advisory/ntap-20250425-0006/
• https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
• https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html