DEBIAN-CVE-2024-9287

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2024-9287

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2024-9287.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2024-9287

Upstream

CVE-2024-9287

Published

2024-10-22T17:15:06Z

Modified

2025-09-25T23:28:35.013884Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

References

https://security-tracker.debian.org/tracker/CVE-2024-9287

Affected packages

Debian:11

pypy3

Package

Name: pypy3
Purl: pkg:deb/debian/pypy3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.3.5+dfsg-2+deb11u4

Affected versions

7.*

7.3.5+dfsg-2

7.3.5+dfsg-2+deb11u1

7.3.5+dfsg-2+deb11u2

7.3.5+dfsg-2+deb11u3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

python3.9

Package

Name: python3.9
Purl: pkg:deb/debian/python3.9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.9.2-1+deb11u2

Affected versions

3.*

3.9.2-1

3.9.2-1+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12

pypy3

Package

Name: pypy3
Purl: pkg:deb/debian/pypy3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.3.11+dfsg-2+deb12u3

Affected versions

7.*

7.3.11+dfsg-2

7.3.11+dfsg-2+deb12u1

7.3.11+dfsg-2+deb12u2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

python3.11

Package

Name: python3.11
Purl: pkg:deb/debian/python3.11?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.11.2-6+deb12u5

Affected versions

3.*

3.11.2-6

3.11.2-6+deb12u1

3.11.2-6+deb12u2

3.11.2-6+deb12u3

3.11.2-6+deb12u4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13

pypy3

Package

Name: pypy3
Purl: pkg:deb/debian/pypy3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.3.17+dfsg-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

python3.13

Package

Name: python3.13
Purl: pkg:deb/debian/python3.13?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.13.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14

pypy3

Package

Name: pypy3
Purl: pkg:deb/debian/pypy3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.3.17+dfsg-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

python3.13

Package

Name: python3.13
Purl: pkg:deb/debian/python3.13?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.13.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}