{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-9287", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "state": "PUBLISHED", "assignerShortName": "PSF", "dateReserved": "2024-09-27T14:48:44.181Z", "datePublished": "2024-10-22T16:34:39.210Z", "dateUpdated": "2025-11-03T22:33:21.116Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["venv"], "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [{"version": "0", "lessThan": "3.9.21", "status": "affected", "versionType": "python"}, {"version": "3.10.0", "lessThan": "3.10.16", "status": "affected", "versionType": "python"}, {"version": "3.11.0", "lessThan": "3.11.11", "status": "affected", "versionType": "python"}, {"version": "3.12.0", "lessThan": "3.12.8", "status": "affected", "versionType": "python"}, {"version": "3.13.0", "lessThan": "3.13.1", "status": "affected", "versionType": "python"}, {"version": "3.14.0a1", "lessThan": "3.14.0a2", "status": "affected", "versionType": "python"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.<br>"}], "value": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-428", "description": "CWE-428 Unquoted Search Path or Element", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2025-01-31T19:55:27.648Z"}, "references": [{"tags": ["issue-tracking"], "url": "https://github.com/python/cpython/issues/124651"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/pull/124712"}, {"tags": ["vendor-advisory"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b"}], "source": {"discovery": "UNKNOWN"}, "title": "Virtual environment (venv) activation scripts don't quote paths", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "python", "product": "cpython", "cpes": ["cpe:2.3:a:python:cpython:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.13.0", "versionType": "python"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-22T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-9287"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-23T03:55:30.029Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250425-0006/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T22:33:21.116Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250425-0006/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T22:33:21.116Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-9287", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-22T17:11:46.736068Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:python:cpython:*:*:*:*:*:*:*:*"], "vendor": "python", "product": "cpython", "versions": [{"status": "affected", "version": "0", "versionType": "python", "lessThanOrEqual": "3.13.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T17:13:06.936Z"}}], "cna": {"title": "Virtual environment (venv) activation scripts don't quote paths", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/U:Green", "providerUrgency": "GREEN", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "modules": ["venv"], "product": "CPython", "versions": [{"status": "affected", "version": "0", "lessThan": "3.9.21", "versionType": "python"}, {"status": "affected", "version": "3.10.0", "lessThan": "3.10.16", "versionType": "python"}, {"status": "affected", "version": "3.11.0", "lessThan": "3.11.11", "versionType": "python"}, {"status": "affected", "version": "3.12.0", "lessThan": "3.12.8", "versionType": "python"}, {"status": "affected", "version": "3.13.0", "lessThan": "3.13.1", "versionType": "python"}, {"status": "affected", "version": "3.14.0a1", "lessThan": "3.14.0a2", "versionType": "python"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/python/cpython/issues/124651", "tags": ["issue-tracking"]}, {"url": "https://github.com/python/cpython/pull/124712", "tags": ["patch"]}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "supportingMedia": [{"type": "text/html", "value": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-428", "description": "CWE-428 Unquoted Search Path or Element"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2025-01-31T19:55:27.648Z"}}}, "cveMetadata": {"cveId": "CVE-2024-9287", "state": "PUBLISHED", "dateUpdated": "2025-11-03T22:33:21.116Z", "dateReserved": "2024-09-27T14:48:44.181Z", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "datePublished": "2024-10-22T16:34:39.210Z", "assignerShortName": "PSF"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "33E41245-604A-4967-85A8-F3DC04E6D0CC", "versionEndExcluding": "3.9.21", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "B013F87A-0CEE-4DC1-AAFC-7EBDAC6576C5", "versionEndExcluding": "3.10.16", "versionStartIncluding": "3.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC875838-E29D-4D06-84DA-8F552FCFD726", "versionEndExcluding": "3.11.11", "versionStartIncluding": "3.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4899490-179B-4EB7-9713-912862F62B94", "versionEndExcluding": "3.12.8", "versionStartIncluding": "3.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "B186E2B1-39FF-4264-AAC3-CF6D5E767F30", "versionEndExcluding": "3.13.1", "versionStartIncluding": "3.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:3.14.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "BAEA33EC-9685-4778-B77C-3E127BD31DB9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected."}, {"lang": "es", "value": " Se ha encontrado una vulnerabilidad en el m\u00f3dulo `venv` de CPython y en la CLI donde los nombres de ruta proporcionados al crear un entorno virtual no se citaban correctamente, lo que permit\u00eda al creador inyectar comandos en los scripts de \"activaci\u00f3n\" del entorno virtual (es decir, \"source venv/bin/activate\"). Esto significa que los entornos virtuales controlados por el atacante pueden ejecutar comandos cuando el entorno virtual est\u00e1 activado. Los entornos virtuales que no son creados por un atacante o que no se activan antes de ser utilizados (es decir, \"./venv/bin/python\") no se ven afectados."}], "id": "CVE-2024-9287", "lastModified": "2025-11-03T23:17:33.603", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@python.org", "type": "Secondary"}]}, "published": "2024-10-22T17:15:06.697", "references": [{"source": "cna@python.org", "tags": ["Patch"], "url": "https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7"}, {"source": "cna@python.org", "tags": ["Patch"], "url": "https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db"}, {"source": "cna@python.org", "tags": ["Patch"], "url": "https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8"}, {"source": "cna@python.org", "tags": ["Patch"], "url": "https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97"}, {"source": "cna@python.org", "tags": ["Patch"], "url": "https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b"}, {"source": "cna@python.org", "tags": ["Patch"], "url": "https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483"}, {"source": "cna@python.org", "tags": ["Issue Tracking"], "url": "https://github.com/python/cpython/issues/124651"}, {"source": "cna@python.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/python/cpython/pull/124712"}, {"source": "cna@python.org", "tags": ["Vendor Advisory"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20250425-0006/"}], "sourceIdentifier": "cna@python.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-428"}], "source": "cna@python.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:10779", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python3-0:3.6.8-69.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-04T00:00:00Z"}, {"advisory": "RHSA-2024:10979", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python3.11-0:3.11.11-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-12T00:00:00Z"}, {"advisory": "RHSA-2024:10980", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python3.12-0:3.12.8-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-12T00:00:00Z"}, {"advisory": "RHSA-2024:10779", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "python3-0:3.6.8-69.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-04T00:00:00Z"}, {"advisory": "RHSA-2024:10978", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "python3.12-0:3.12.5-2.el9_5.2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-12T00:00:00Z"}, {"advisory": "RHSA-2024:10983", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "python3.9-0:3.9.21-1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-12T00:00:00Z"}, {"advisory": "RHSA-2024:11111", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "python3.11-0:3.11.9-7.el9_5.2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:10983", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "python3.9-0:3.9.21-1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-12T00:00:00Z"}, {"advisory": "RHSA-2024:11024", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "python3.9-0:3.9.18-3.el9_4.7", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2024-12-12T00:00:00Z"}, {"advisory": "RHSA-2024:11035", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "python3.12-0:3.12.1-4.el9_4.5", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2024-12-13T00:00:00Z"}, {"advisory": "RHSA-2025:0280", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "python3.11-0:3.11.7-1.el9_4.7", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-01-13T00:00:00Z"}], "bugzilla": {"description": "python: Virtual environment (venv) activation scripts don't quote paths", "id": "2321440", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2321440"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:N", "status": "verified"}, "cwe": "CWE-428", "details": ["A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "A vulnerability has been found in the Python `venv` module and CLI. Path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts, for example, \"source venv/bin/activate\". This flaw allows attacker-controlled virtual environments to run commands when the virtual environment is activated."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-9287", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "python", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python39:3.9/python39", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2024-10-22T16:34:39Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-9287\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-9287\nhttps://github.com/python/cpython/issues/124651\nhttps://github.com/python/cpython/pull/124712\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/"], "statement": "This vulnerability in the Python `venv` module is rated as moderate rather than important because it relies on a specific set of conditions to be exploitable, limiting its impact. An attacker would need to have control over the virtual environment creation process and access to the environment setup, which is less common in typical usage scenarios. Furthermore, the vulnerability only poses a risk if users activate the malicious virtual environment through `source venv/bin/activate` or similar scripts, as direct invocation of the virtual environment without activation (`./venv/bin/python`) is not affected.\nVersions of python36:3.6/python36 and python39:3.9/python39 as shipped with Red Hat Enterprise Linux 8 are marked as 'Not affected' as they just provide \"symlinks\" to the main python3 component, which provides the actual interpreter of the Python programming language.\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-428: Unquoted Search Path or Element vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nPlatform workloads run with restricted privileges in minimal, tightly controlled runtime environments, following best practices such as non-root container execution, read-only file systems, and hardened base images to reduce the risk of path manipulation. The environment employs IPS/IDS and antimalware solutions to detect and respond to threats in real time, limiting exploitation attempts. Event logs are centrally collected and analyzed to support monitoring, alerting, and detection of input-based manipulation. Static code analysis and peer reviews enforce strong input validation and error handling, preventing poorly validated inputs from causing instability, data exposure, or privilege escalation. In the event of exploitation, process isolation contains the impact within the compromised component, preventing it from affecting other processes or the broader system.", "threat_severity": "Moderate"}

{}