CVE-2024-9287

NameCVE-2024-9287
DescriptionA vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pypy (PTS)jessie2.4.0+dfsg-3fixed
stretch5.6.0+dfsg-4fixed
buster7.0.0+dfsg-3fixed
bullseye7.3.3+dfsg-2fixed
python2.7 (PTS)jessie, jessie (lts)2.7.9-2-ds1-1+deb8u12fixed
stretch (security)2.7.13-2+deb9u6fixed
stretch (lts), stretch2.7.13-2+deb9u9fixed
buster (security), buster, buster (lts)2.7.16-2+deb10u4fixed
bullseye2.7.18-8+deb11u1fixed
python3.11 (PTS)bookworm3.11.2-6+deb12u4vulnerable
bookworm (security)3.11.2-6+deb12u3vulnerable
python3.12 (PTS)sid, trixie3.12.7-3vulnerable
python3.13 (PTS)sid, trixie3.13.0-2vulnerable
python3.4 (PTS)jessie, jessie (lts)3.4.2-1+deb8u18vulnerable
python3.5 (PTS)stretch (security)3.5.3-1+deb9u5vulnerable
stretch (lts), stretch3.5.3-1+deb9u10vulnerable
python3.7 (PTS)buster, buster (lts)3.7.3-2+deb10u8vulnerable
buster (security)3.7.3-2+deb10u7vulnerable
python3.9 (PTS)bullseye3.9.2-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pypysource(unstable)(not affected)
python2.7source(unstable)(not affected)
python3.11source(unstable)(unfixed)
python3.12source(unstable)(unfixed)
python3.13source(unstable)(unfixed)
python3.4source(unstable)(unfixed)
python3.5source(unstable)(unfixed)
python3.7source(unstable)(unfixed)
python3.9source(unstable)(unfixed)

Notes

- python2.7 <not-affected> (Vulnerable code not present)
https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/
https://github.com/python/cpython/pull/124712
https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483 (3.13-branch)
https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db (3.12-branch)
https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97 (3.11-branch)
https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7 (3.9-branch)
- pypy <not-affected> (Vulnerable code not present)

Search for package or bug name: Reporting problems