CVE-2024-9287
Virtual environment (venv) activation scripts don't quote paths
7.8
HIGH
CVSS 3.1
EPSS 0.06%
Description
A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (i.e. "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (i.e. "./venv/bin/python") are not affected.
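As an added example (not code from CPython or from this advisory), the following contrasts an unquoted substitution of the venv directory into the activate script's VIRTUAL_ENV line with a shlex-quoted one, and gives a check a defender can run over an existing bin/activate before sourcing it. The template line, the sample paths and the accepted quoting forms ('...' and $'...') are assumptions of the example, not the exact text CPython emits.

```python
"""Added example (not CPython's own code): render the VIRTUAL_ENV line without and
with quoting, and check an existing bin/activate before sourcing it. The template
line and all sample paths are constructed for illustration."""
import re
import shlex

TEMPLATE = 'VIRTUAL_ENV="__VENV_DIR__"\n'  # simplified stand-in for the real template

def render_unquoted(venv_dir: str) -> str:
    """Naive substitution: `"`, `$(` or a backtick in the name escapes the quotes."""
    return TEMPLATE.replace("__VENV_DIR__", venv_dir)

def render_quoted(venv_dir: str) -> str:
    """Hardened: shlex.quote() yields a literal the shell copies verbatim."""
    return f"VIRTUAL_ENV={shlex.quote(venv_dir)}\n"

_ASSIGN = re.compile(r"^VIRTUAL_ENV=(.*)$", re.M)
_EXPANDS = re.compile(r"[`$\\;|&]")  # characters the shell acts on inside "..."

def _literal_ok(body: str, backslash_escapes: bool) -> bool:
    """True if the text between the quotes never closes the literal early."""
    i = 0
    while i < len(body):
        if body[i] == "\\" and backslash_escapes:      # $'...' form: \' and \\
            if i == len(body) - 1:
                return False                           # escapes the closing quote
            i += 2
        elif body[i] == "'":
            if not body.startswith("'\"'\"'", i):      # shlex.quote's embedded '
                return False
            i += 5
        else:
            i += 1
    return True

def assignment_is_safe(script: str) -> bool:
    """True when every VIRTUAL_ENV= value is a literal the shell cannot expand."""
    values = _ASSIGN.findall(script)
    if not values:
        return False                                   # nothing to vouch for
    for v in values:
        if v.startswith("$'") and v.endswith("'") and len(v) > 2:
            if not _literal_ok(v[2:-1], backslash_escapes=True):
                return False
        elif v.startswith("'") and v.endswith("'") and len(v) > 1:
            if not _literal_ok(v[1:-1], backslash_escapes=False):
                return False
        else:                                          # bare or "...": expansions live
            inner = v[1:-1] if len(v) > 1 and v[0] == v[-1] == '"' else v
            if '"' in inner or _EXPANDS.search(inner):
                return False
    return True
```

Run `assignment_is_safe(open("venv/bin/activate").read())` on a venv of unknown origin; a False result means the VIRTUAL_ENV line can carry shell syntax and the script should be inspected by hand rather than sourced.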
How to fix CVE-2024-9287
To fix CVE-2024-9287, upgrade the affected packages to the patched versions listed below.
- — Upgrade to 3.11.11-r0 or later
- — Upgrade to 3.9.21 or later
- — Upgrade to 3.9.21 or later
- — Upgrade to 3.9.21 or later
- — Upgrade to 7.3.5+dfsg-2+deb11u4 or later
- — Upgrade to 3.11.2-6+deb12u5 or later
- — Upgrade to 3.13.1-1 or later
- — Upgrade to 3.9.2-1+deb11u2 or later
Is CVE-2024-9287 being exploited?
Low — EPSS is 0.1%; no large-scale exploitation activity has been observed so far.
Affected packages (8)
- from 0, < 3.11.11-r0
- from 0, < 3.9.21, >= 3.10.0, < 3.10.16, >= 3.11.0, < 3.11.11, >= 3.12.0, < 3.12.8, >= 3.13.0, < 3.13.1
- from 0, < 3.9.21, >= 3.10.0, < 3.10.16, >= 3.11.0, < 3.11.11, >= 3.12.0, < 3.12.8, >= 3.13.0, < 3.13.1
- from 0, < 3.9.21, >= 3.10.0, < 3.10.16, >= 3.11.0, < 3.11.11, >= 3.12.0, < 3.12.8, >= 3.13.0, < 3.13.1
- from 0, < 7.3.5+dfsg-2+deb11u4
- from 0, < 3.11.2-6+deb12u5
- from 0, < 3.13.1-1
- from 0, < 3.9.2-1+deb11u2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green |
| osv | CVSS 3.1 | HIGH 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |