AZL-50926

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-50926.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-50926

Upstream

CVE-2024-9287

Published

2024-10-22T17:15:06Z

Modified

2026-04-01T05:17:37.949654Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

CVE-2024-9287 affecting package python3 for versions less than 3.12.9-1

Details

A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-9287

Affected packages

Azure Linux:3 / python3

Package

Name: python3
Purl: pkg:rpm/azure-linux/python3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.12.9-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-50926.json"