CVE-2024-53899

EUVD-2024-0172
virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.
Command Injection
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
Affected Products (NVD)
VendorProductVersion
virtualenvvirtualenv
𝑥
< 20.26.6
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
virtualenvvirtualenv
𝑥
< 20.26.6
ADP
Debian logo
Debian Releases
Debian Product
Codename
python-virtualenv
bookworm
no-dsa
bullseye
postponed
forky
20.35.4+ds-1
fixed
sid
20.35.4+ds-1
fixed
trixie
20.31.2+ds-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-virtualenv
bionic
not-affected
focal
Fixed 20.0.17-1ubuntu0.4+esm1
released
jammy
Fixed 20.13.0+ds-2ubuntu0.1~esm1
released
noble
Fixed 20.25.0+ds-2ubuntu0.1~esm1
released
oracular
ignored
plucky
not-affected
questing
not-affected
trusty
needs-triage
xenial
not-affected
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
python3-virtualenv
Amazon Linux 2023
0:20.4.0-3.amzn2023.0.4
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
python-virtualenv
Azure Linux 3.0
0:20.25.0-3.azl3
fixed
CBL-Mariner 2.0
0:20.26.6-1.cm2
fixed