CVE-2024-9287

EUVD-2024-50376
A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 19%
Affected Products (NVD)
VendorProductVersion
pythonpython
𝑥
< 3.9.21
pythonpython
3.10.0 ≤
𝑥
< 3.10.16
pythonpython
3.11.0 ≤
𝑥
< 3.11.11
pythonpython
3.12.0 ≤
𝑥
< 3.12.8
pythonpython
3.13.0 ≤
𝑥
< 3.13.1
pythonpython
3.14.0:alpha1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
pypy3
bookworm
7.3.11+dfsg-2+deb12u3
fixed
bullseye
vulnerable
bullseye (security)
7.3.5+dfsg-2+deb11u5
fixed
forky
7.3.20+dfsg-4
fixed
sid
7.3.20+dfsg-4
fixed
trixie
7.3.19+dfsg-2
fixed
python2.7
bullseye
2.7.18-8+deb11u1
fixed
python3.11
bookworm
3.11.2-6+deb12u6
fixed
bookworm (security)
vulnerable
python3.13
forky
3.13.11-1
fixed
sid
3.13.11-1
fixed
trixie
3.13.5-2
fixed
python3.9
bullseye
vulnerable
bullseye (security)
3.9.2-1+deb11u3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python2.7
bionic
not-affected
focal
not-affected
jammy
not-affected
noble
dne
oracular
dne
plucky
dne
questing
dne
trusty
not-affected
xenial
not-affected
python3.4
focal
dne
jammy
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
trusty
Fixed 3.4.3-1ubuntu1~14.04.7+esm14
released
python3.5
focal
dne
jammy
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
trusty
Fixed 3.5.2-2ubuntu0~16.04.4~14.04.1+esm4
released
xenial
Fixed 3.5.2-2ubuntu0~16.04.13+esm16
released
python3.6
bionic
Fixed 3.6.9-1~18.04ubuntu1.13+esm3
released
focal
dne
jammy
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
python3.7
bionic
Fixed 3.7.5-2ubuntu1~18.04.2+esm4
released
focal
dne
jammy
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
python3.8
bionic
Fixed 3.8.0-3ubuntu1~18.04.2+esm3
released
focal
Fixed 3.8.10-0ubuntu1~20.04.16
released
jammy
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
python3.9
focal
Fixed 3.9.5-3ubuntu0~20.04.1+esm3
released
jammy
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
python3.10
focal
dne
jammy
Fixed 3.10.12-1~22.04.7
released
noble
dne
oracular
dne
plucky
dne
questing
dne
python3.11
focal
dne
jammy
Fixed 3.11.0~rc1-1~22.04.1~esm2
released
noble
dne
oracular
dne
plucky
dne
questing
dne
python3.12
focal
dne
jammy
dne
noble
Fixed 3.12.3-1ubuntu0.3
released
oracular
Fixed 3.12.7-1ubuntu1
released
plucky
dne
questing
dne
python3.13
focal
dne
jammy
dne
noble
dne
oracular
Fixed 3.13.0-1ubuntu0.1
released
plucky
not-affected
questing
not-affected
Common Weakness Enumeration
References
https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7
https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db
https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8
https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97
https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b
https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483
https://github.com/python/cpython/issues/124651
https://github.com/python/cpython/pull/124712
https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/
https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html
https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
https://security.netapp.com/advisory/ntap-20250425-0006/