CVE-2024-9287

Public on 2024-10-22
Modified on 2024-10-29
Description
A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.
Severity
Medium severity
Medium
CVSS v3 Base Score
5.8
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core python Not Affected
Amazon Linux 1 python27 Not Affected
Amazon Linux 2 - Core python3 Pending Fix
Amazon Linux 2023 python3.11 Pending Fix
Amazon Linux 2023 python3.9 Pending Fix
Amazon Linux 1 python38 No Fix Planned

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.8 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N