CVE-2024-9287

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-9287
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-9287.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-9287
Aliases
Downstream
Related
Published
2024-10-22T17:15:06.697Z
Modified
2026-03-23T05:11:21.572296848Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

References

Affected packages

Git / github.com/python/cpython

Affected ranges

Type
GIT
Repo
https://github.com/python/cpython
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
f3994ade31a563d49806cf6a681d1b1115fccaa3
Introduced
b494f5935c92951e75597bfe1c8b1f3112fec270
Fixed
890778604a8cc99f18ce07737b198a8031c91f8d
Introduced
deaf509e8fc6e0363bd6f26d52ad42f976ec42f2
Fixed
d03b868578a29d9d64f829459b584eed48862056
Introduced
0fb18b02c8ad56299d6a2910be0bab8ad601ef24
Fixed
2dc476bcb9142cd25d7e1d52392b73a3dcdf1756
Introduced
60403a5409ff2c3f3b07dd2ca91a7a3e096839c7
Fixed
067145177975eadd61a0c907d0d177f7b6a5a3de
Fixed
633555735a023d3e4d92ba31da35b1205f9ecbd7
Fixed
8450b2482586857d689b6658f08de9c8179af7db
Fixed
9286ab3a107ea41bd3f3c3682ce2512692bdded8
Fixed
ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97
Fixed
d48cc82ed25e26b02eb97c6263d95dcaa1e9111b
Fixed
e52095a0c1005a87eed2276af7a1f2f66e2b6483
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.9.21"
        },
        {
            "introduced": "3.10.0"
        },
        {
            "fixed": "3.10.16"
        },
        {
            "introduced": "3.11.0"
        },
        {
            "fixed": "3.11.11"
        },
        {
            "introduced": "3.12.0"
        },
        {
            "fixed": "3.12.8"
        },
        {
            "introduced": "3.13.0"
        },
        {
            "fixed": "3.13.1"
        }
    ]
}

Affected versions

v3.*
v3.10.0
v3.10.1
v3.10.10
v3.10.11
v3.10.12
v3.10.13
v3.10.14
v3.10.15
v3.10.2
v3.10.3
v3.10.4
v3.10.5
v3.10.6
v3.10.7
v3.10.8
v3.10.9
v3.11.0
v3.11.1
v3.11.10
v3.11.2
v3.11.3
v3.11.4
v3.11.5
v3.11.6
v3.11.7
v3.11.8
v3.11.9
v3.12.0
v3.12.1
v3.12.2
v3.12.3
v3.12.4
v3.12.5
v3.12.6
v3.12.7
v3.13.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-9287.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.14.0-alpha1"
            }
        ]
    }
]