GHSA-rqc4-2hc7-8c8v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rqc4-2hc7-8c8v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-rqc4-2hc7-8c8v/GHSA-rqc4-2hc7-8c8v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rqc4-2hc7-8c8v
- Aliases
- Published
- 2024-11-24T18:31:39Z
- Modified
- 2025-01-21T18:19:55.918532Z
- Severity
-
- 8.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- virtualenv allows command injection through activation scripts for a virtual environment
- Details
-
virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.
- Database specific
{ "nvd_published_at": "2024-11-24T16:15:06Z", "cwe_ids": [ "CWE-77", "CWE-78" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-01-13T17:01:51Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-53899
- https://github.com/pypa/virtualenv/issues/2768
- https://github.com/pypa/virtualenv/pull/2771
- https://github.com/pypa/advisory-database/tree/main/vulns/virtualenv/PYSEC-2024-187.yaml
- https://github.com/pypa/virtualenv
- https://github.com/pypa/virtualenv/releases/tag/20.26.6
Affected packages
PyPI / virtualenv
Package
- Name
- virtualenv
- View open source insights on deps.dev
- Purl
- pkg:pypi/virtualenv
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed20.26.6
Affected versions
0.*
0.8
0.8.1
0.8.2
0.8.3
0.8.4
0.9
0.9.1
0.9.2
1.*
1.0
1.1
1.2
1.3
1.3.1
1.3.2
1.3.3
1.3.4
1.4rc1
1.4
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
1.5
1.5.1
1.5.2
1.6
1.6.1
1.6.2
1.6.3
1.6.4
1.7
1.7.1
1.7.1.1
1.7.1.2
1.7.2
1.8
1.8.1
1.8.2
1.8.3
1.8.4
1.9
1.9.1
1.10
1.10.1
1.11
1.11.1
1.11.2
1.11.3
1.11.4
1.11.5
1.11.6
12.*
12.0
12.0.1
12.0.2
12.0.4
12.0.5
12.0.6
12.0.7
12.1.0
12.1.1
13.*
13.0.0
13.0.1
13.0.2
13.0.3
13.1.0
13.1.1
13.1.2
14.*
14.0.0
14.0.1
14.0.2
14.0.3
14.0.4
14.0.5
14.0.6
15.*
15.0.0
15.0.1
15.0.2
15.0.3
15.1.0
15.2.0
16.*
16.0.0
16.1.0
16.2.0
16.3.0
16.3.1.dev0
16.4.0
16.4.1
16.4.3
16.4.4.dev0
16.5.0
16.6.0
16.6.1
16.6.2
16.7.0
16.7.1
16.7.2
16.7.3
16.7.4
16.7.5
16.7.6
16.7.7
16.7.8
16.7.9
16.7.10
16.7.11
16.7.12
20.*
20.0.0b1
20.0.0b2
20.0.0
20.0.1
20.0.2
20.0.3
20.0.4
20.0.5
20.0.6
20.0.7
20.0.8
20.0.9
20.0.10
20.0.11
20.0.12
20.0.13
20.0.14
20.0.15
20.0.16
20.0.17
20.0.18
20.0.19
20.0.20
20.0.21
20.0.22
20.0.23
20.0.24
20.0.25
20.0.26
20.0.27
20.0.28
20.0.29
20.0.30
20.0.31
20.0.32
20.0.33
20.0.34
20.0.35
20.1.0
20.2.0
20.2.1
20.2.2
20.3.0
20.3.1
20.4.0
20.4.1
20.4.2
20.4.3
20.4.4
20.4.5
20.4.6
20.4.7
20.5.0
20.6.0
20.7.0
20.7.1
20.7.2
20.8.0
20.8.1
20.9.0
20.10.0
20.11.0
20.11.1
20.11.2
20.12.0
20.12.1
20.13.0
20.13.1
20.13.2
20.13.3
20.13.4
20.14.0
20.14.1
20.15.0
20.15.1
20.16.0
20.16.1
20.16.2
20.16.3
20.16.4
20.16.5
20.16.6
20.16.7
20.17.0
20.17.1
20.18.0
20.19.0
20.20.0
20.21.0
20.21.1
20.22.0
20.23.0
20.23.1
20.24.0
20.24.1
20.24.2
20.24.3
20.24.4
20.24.5
20.24.6
20.24.7
20.25.0
20.25.1
20.25.2
20.25.3
20.26.0
20.26.1
20.26.2
20.26.3
20.26.4
20.26.5