CVE-2024-53899Command Injection in Virtualenv

CWE-77Command InjectionCWE-78OS Command Injection10 documents8 sources
Severity
7.8HIGHNVD
GHSA5.3OSV5.3
EPSS
0.2%
top 54.60%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Virtualenv
Timeline
PublishedNov 24
Latest updateFeb 25

Description

virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

NVDvirtualenv/virtualenv< 20.26.6
PyPIvirtualenv/virtualenv< 20.26.6

Patches

Patch: github.com

🔴Vulnerability Details

4
OSV
virtualenv allows command injection through activation scripts for a virtual environment2024-11-24
CVEList
CVE-2024-53899: virtualenv before 202024-11-24
GHSA
virtualenv allows command injection through activation scripts for a virtual environment2024-11-24
OSV
CVE-2024-53899: virtualenv before 202024-11-24

📋Vendor Advisories

5
Ubuntu
virtualenv vulnerability2025-02-25
Ubuntu
virtualenv vulnerability2025-02-18
Red Hat
virtualenv: potential command injection via virtual environment activation scripts2024-11-24
Microsoft
virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same 2024-11-12
Debian
CVE-2024-53899: python-virtualenv - virtualenv before 20.26.6 allows command injection through the activation script...2024
CVE-2024-53899 — Command Injection in Virtualenv | cvebase