PT-2024-39544 · Python · CPython

Seth Larson · Published 2024-10-22 · Updated 2026-05-18

CVE-2024-9287 · CVSS v3.1 7.8 High · Vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CPython versions prior to 3.13.0

Description: A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts, such as source venv/bin/activate. This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker, or which aren't activated before being used (for example, ./venv/bin/python), are not affected.

Recommendations: For CPython versions prior to 3.13.0, update CPython to a patched version as soon as possible to mitigate the risk of local attacks. As a temporary workaround, avoid activating virtual environments that may have been created by an attacker, and instead use the virtual environment's Python executable directly, for example, ./venv/bin/python.
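A pre-activation check written for this advisory (an added example, not CPython's or the advisory's own code): it assumes the venv's POSIX bin/activate assigns VIRTUAL_ENV a literal path on one line, as the affected versions do, and reports anything that would make the shell treat part of that path as code. The sample scripts are constructed.

```python
import os
import re
import shlex

# Characters that change how a shell parses the activation script when they
# occur in a venv path that was interpolated without proper quoting.
SHELL_META = re.compile(r'[;&|<>()`$"\'\\\r\n]')

# Constructed samples (not captured from real systems).
SAFE_ACTIVATE = 'VIRTUAL_ENV="/home/dev/proj/venv"\nexport VIRTUAL_ENV\n'
# Venv directory literally named venv" "extra: the quote in the name closes the
# assignment early and leaves a second shell word for the shell to interpret.
TAMPERED_ACTIVATE = 'VIRTUAL_ENV="/tmp/venv" "extra"\nexport VIRTUAL_ENV\n'


def check_activate_script(activate_text, expected_venv_dir):
    """Return findings for a POSIX bin/activate; [] means it looks safe to source.
    expected_venv_dir is the directory containing bin/activate, the only value
    VIRTUAL_ENV should be assigned."""
    findings = []
    lines = [ln for ln in activate_text.splitlines() if ln.startswith("VIRTUAL_ENV=")]
    if len(lines) != 1:
        return [f"expected one VIRTUAL_ENV assignment, found {len(lines)}"]
    line = lines[0]
    # A correct assignment is exactly one shell word; more than one means the
    # path closed the quotes early and the remainder would be executed.
    try:
        words = shlex.split(line, posix=True)
    except ValueError as exc:  # unbalanced quotes left behind by the path
        return [f"VIRTUAL_ENV line does not parse: {exc}"]
    if len(words) != 1:
        findings.append(f"VIRTUAL_ENV line has {len(words)} shell words, expected 1")
    # $... and `...` expand even inside double quotes, so reject them outright.
    if "$" in line or "`" in line:
        findings.append("VIRTUAL_ENV line contains a shell expansion character")
    value = words[0][len("VIRTUAL_ENV="):]
    if value != expected_venv_dir:
        findings.append(f"VIRTUAL_ENV resolves to {value!r}, expected {expected_venv_dir!r}")
    if SHELL_META.search(expected_venv_dir):
        findings.append("venv directory name contains shell metacharacters; on CPython "
                        "before 3.13.0 run ./venv/bin/python directly instead of activating")
    return findings


def check_venv(venv_dir):
    """Read <venv_dir>/bin/activate from disk and check it against its own location."""
    venv_dir = os.path.abspath(venv_dir)
    with open(os.path.join(venv_dir, "bin", "activate"), encoding="utf-8") as f:
        return check_activate_script(f.read(), venv_dir)
```

Run check_venv("path/to/venv") before sourcing the activate script of a venv you did not create yourself; a non-empty result means fall back to the recommended ./venv/bin/python.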

Fix

Weakness Enumeration: Command Injection

Related Identifiers

ALSA-2024:10779
ALSA-2024:10978
ALSA-2024:10979
ALSA-2024:10980
ALSA-2024:10983
ALSA-2024:11111
ALSA-2025:23530
AZL-50757
AZL-50926
BDU:2025-03332
BIT-LIBPYTHON-2024-9287
BIT-PYTHON-2024-9287
BIT-PYTHON-MIN-2024-9287
CESA-2024_10779
CESA-2024_10979
CESA-2024_10980
CLEANSTART-2026-CI66802
CLEANSTART-2026-KM27583
CLEANSTART-2026-SP91806
CVE-2024-9287
DLA-3966-1
DLA-3980-1
INFSA-2024_10779
INFSA-2024_10978
INFSA-2024_10979
INFSA-2024_10980
INFSA-2024_10983
INFSA-2024_11111
MGASA-2025-0280
OESA-2024-2481
OESA-2024-2482
OESA-2024-2483
OESA-2024-2484
OESA-2025-2574
OPENSUSE-SU-2024:14426-1
OPENSUSE-SU-2024:14427-1
OPENSUSE-SU-2024:14428-1
OPENSUSE-SU-2024:14430-1
OPENSUSE-SU-2024:14455-1
OPENSUSE-SU-2024:14456-1
OPENSUSE-SU-2024_3879-1
OPENSUSE-SU-2024_3924-1
OPENSUSE-SU-2024_3945-1
OPENSUSE-SU-2024_3957-1
OPENSUSE-SU-2024_3958-1
OPENSUSE-SU-2024_3959-1
OPENSUSE-SU-2025_0047-1
OPENSUSE-SU-2025_0048-1
OPENSUSE-SU-2025_0049-1
PSF-2024-12
RHSA-2024:10779
RHSA-2024:10978
RHSA-2024:10979
RHSA-2024:10980
RHSA-2024:10983
RHSA-2024:11024
RHSA-2024:11035
RHSA-2024:11111
RHSA-2024_10779
RHSA-2024_10978
RHSA-2024_10979
RHSA-2024_10980
RHSA-2024_10983
RHSA-2024_11111
RHSA-2025:0280
RLSA-2024:10779
RLSA-2024:10978
RLSA-2024:10979
RLSA-2024:10980
RLSA-2024:10983
RLSA-2024:11111
SUSE-SU-2024:3760-1
SUSE-SU-2024:3879-1
SUSE-SU-2024:3924-1
SUSE-SU-2024:3929-1
SUSE-SU-2024:3944-1
SUSE-SU-2024:3945-1
SUSE-SU-2024:3957-1
SUSE-SU-2024:3958-1
SUSE-SU-2024:3959-1
SUSE-SU-2024_3879-1
SUSE-SU-2024_3929-1
SUSE-SU-2024_3944-1
SUSE-SU-2024_3945-1
SUSE-SU-2024_3957-1
SUSE-SU-2024_3958-1
SUSE-SU-2025:0047-1
SUSE-SU-2025:0048-1
SUSE-SU-2025:0049-1
SUSE-SU-2025:02074-1
SUSE-SU-2025:20154-1
SUSE-SU-2025:20374-1
USN-7116-1
USN-7348-1
USN-7488-1

Affected Products

Almalinux
Astra Linux
Cpython
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu