Security-announce

Download

security-announce@python.org

October 2024

1 participants
1 discussions

[CVE-2024-9287] Virtual environment (venv) activation scripts don't quote paths
by Seth Larson Oct. 22, 2024

Oct. 22, 2024

There is a MEDIUM severity vulnerability affecting CPython. A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the virtual environment creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2024-9287 * https://github.com/python/cpython/pull/124712

1 0