CVE-2024-9287

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
PSFCNA
---
---
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 10%
VendorProductVersion
pythonpython
𝑥
< 3.9.21
pythonpython
3.10.0 ≤
𝑥
< 3.10.16
pythonpython
3.11.0 ≤
𝑥
< 3.11.11
pythonpython
3.12.0 ≤
𝑥
< 3.12.8
pythonpython
3.13.0 ≤
𝑥
< 3.13.1
pythonpython
3.14.0:alpha1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
pypy3
bullseye
vulnerable
bullseye (security)
7.3.5+dfsg-2+deb11u4
fixed
bookworm
7.3.11+dfsg-2+deb12u3
fixed
sid
7.3.19+dfsg-2
fixed
trixie
7.3.19+dfsg-2
fixed
python2.7
bullseye
2.7.18-8+deb11u1
fixed
python3.11
bookworm
3.11.2-6+deb12u6
fixed
bookworm (security)
vulnerable
python3.12
sid
3.12.10-1
fixed
python3.13
trixie
3.13.3-2
fixed
sid
3.13.3-4
fixed
python3.9
bullseye
vulnerable
bullseye (security)
3.9.2-1+deb11u3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python2.7
plucky
dne
oracular
dne
noble
dne
jammy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
trusty
not-affected
python3.10
plucky
dne
oracular
dne
noble
dne
jammy
Fixed 3.10.12-1~22.04.7
released
focal
dne
python3.11
plucky
dne
oracular
dne
noble
dne
jammy
Fixed 3.11.0~rc1-1~22.04.1~esm2
released
focal
dne
python3.12
plucky
dne
oracular
Fixed 3.12.7-1ubuntu1
released
noble
Fixed 3.12.3-1ubuntu0.3
released
jammy
dne
focal
dne
python3.13
plucky
not-affected
oracular
Fixed 3.13.0-1ubuntu0.1
released
noble
dne
jammy
dne
focal
dne
python3.4
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
trusty
Fixed 3.4.3-1ubuntu1~14.04.7+esm14
released
python3.5
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
xenial
Fixed 3.5.2-2ubuntu0~16.04.13+esm16
released
trusty
Fixed 3.5.2-2ubuntu0~16.04.4~14.04.1+esm4
released
python3.6
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
bionic
Fixed 3.6.9-1~18.04ubuntu1.13+esm3
released
python3.7
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
bionic
Fixed 3.7.5-2ubuntu1~18.04.2+esm4
released
python3.8
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
Fixed 3.8.10-0ubuntu1~20.04.16
released
bionic
Fixed 3.8.0-3ubuntu1~18.04.2+esm3
released
python3.9
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
Fixed 3.9.5-3ubuntu0~20.04.1+esm3
released
Common Weakness Enumeration
References
https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7
https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db
https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8
https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97
https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b
https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483
https://github.com/python/cpython/issues/124651
https://github.com/python/cpython/pull/124712
https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/
https://security.netapp.com/advisory/ntap-20250425-0006/