HIGH 8.4 PyPI
virtualenv allows command injection through activation scripts for a virtual environment
GHSA-rqc4-2hc7-8c8v · BIT-virtualenv-2024-53899 · CVE-2024-53899 · PYSEC-2024-187
Description
virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment: magic template strings are not quoted correctly when they are replaced in the scripts. NOTE: this is not the same as CVE-2024-9287.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-53899
- WEB https://github.com/pypa/virtualenv/issues/2768
- WEB https://github.com/pypa/virtualenv/pull/2771
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/virtualenv/PYSEC-2024-187.yaml
- PACKAGE https://github.com/pypa/virtualenv
- WEB https://github.com/pypa/virtualenv/releases/tag/20.26.6