Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-9287

Severity CVSS v4.0:
MEDIUM
Type:
CWE-428 Unquoted Search Path or Element
Publication date:
22/10/2024
Last modified:
25/04/2025

Description

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

Impact

Vector 4.0
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/U:Green CVSS v4.0 Severity and Metrics:

Base Score: 5.30 MEDIUM
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/U:Green

Attack Vector (AV): Local
Attack Complexity (AC): Low
Attack Requirements (AT): Present
Privileges Required (PR): High
User Interaction (UI): Active
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): None
Confidentiality (SC): None
Integrity (SI): None
Availability (SA): None
Provider Urgency (U): Green

Base Score 4.0
5.30
Severity 4.0
MEDIUM
Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* 3.9.21 (excluding)
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* 3.10.0 (including) 3.10.16 (excluding)
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* 3.11.0 (including) 3.11.11 (excluding)
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* 3.12.0 (including) 3.12.8 (excluding)
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* 3.13.0 (including) 3.13.1 (excluding)
cpe:2.3:a:python:python:3.14.0:alpha1:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools