OESA-2025-1241

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1241
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-1241.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2025-1241
Upstream
Published
2025-03-07T15:26:50Z
Modified
2025-08-12T05:46:57.937311Z
Summary
python-virtualenv security update
Details

Virtualenv is a tool to create isolated Python environments. Since Python 3.3, a subset of it has been integrated into the standard library under the venv module. Note though, that the venv module does not offer all features of this library (e.g. cannot create bootstrap scripts, cannot create virtual environments for other python versions than the host python, not relocatable, etc.). Tools in general as such still may prefer using virtualenv for its ease of upgrading (via pip), unified handling of different Python versions and some more advanced features.

Security Fix(es):

virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.(CVE-2024-53899)

Database specific 
{
    "severity": "High"
}
References

Affected packages

openEuler:24.03-LTS / python-virtualenv

Package

Name
python-virtualenv
Purl
pkg:rpm/openEuler/python-virtualenv&distro=openEuler-24.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
20.26.6-1.oe2403

Ecosystem specific 

{
    "src": [
        "python-virtualenv-20.26.6-1.oe2403.src.rpm"
    ],
    "noarch": [
        "python3-virtualenv-20.26.6-1.oe2403.noarch.rpm"
    ]
}