Vulnerability Monitor


CVE-2024-53899


virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.


Published

2024-11-24T16:15:06.647

Last Modified

2025-02-10T18:12:06.107

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.8 (HIGH)

Weaknesses
  • Type: Primary
    CWE-77
  • Type: Secondary
    CWE-78

Affected Vendors & Products
Type         Vendor      Product     Version/Range  Vulnerable?
Application  virtualenv  virtualenv  < 20.26.6      Yes
