PT-2020-12533 · Python · Autoswitch Python Virtualenv

Michael Aquilina

Published

2020-05-13

Updated

2021-11-04

CVE-2020-11073

CVSS v3.1

7.9

High

Vector

AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Autoswitch Python Virtualenv versions prior to 1.16.0

Description A user who enters a directory with a malicious .venv file could run arbitrary code without any user interaction.

Recommendations For versions prior to 1.16.0, update to version 1.16.0 to resolve the issue. As a temporary workaround, consider avoiding directories that may contain malicious .venv files until the update is applied.

Exploit

Fix

Command Injection

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77CWE-22

Related Identifiers

CVE-2020-11073

GHSA-H8WM-CQQ6-957Q

Affected Products

Autoswitch Python Virtualenv

PT-2020-12533 · Python · Autoswitch Python Virtualenv

CVE-2020-11073

Weakness Enumeration

Related Identifiers

Affected Products

References · 7