#VU101032 Command Injection in py3-virtualenv - CVE-2024-53899

Published: November 28, 2024


Vulnerability identifier: #VU101032
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-53899
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: py3-virtualenv
Software vendor: www.virtualenv.org

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper input validation when handling magic template strings in activation scripts. A local user can pass a specially crafted value via an environment variable to the affected script and execute arbitrary OS commands on the system.
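The weakness class described above (CWE-77 in a generated shell script) comes down to how an untrusted value is interpolated into the activation script. The following is an added, constructed illustration, not virtualenv's own template or fix: a minimal stand-in for the prompt line of a POSIX `activate` script rendered once with the value pasted in verbatim inside double quotes, and once shell-quoted with `shlex.quote()`. Both renderings are sourced in a real `sh` so the difference is visible in the resulting `PS1`. The template strings, function names and the `INJECTED` canary are all assumptions made for the example.

```python
"""Unquoted vs. shell-quoted interpolation into a generated activation script.

Constructed illustration of the CWE-77 pattern behind CVE-2024-53899. The
templates below are simplified stand-ins, not virtualenv's own code.
"""
import shlex
import subprocess

# Constructed, minimal stand-ins for the prompt line of a POSIX `activate` script.
UNQUOTED_TEMPLATE = 'PS1="({prompt}) ${{PS1:-}}"\nexport PS1\n'
QUOTED_TEMPLATE = 'PS1={prompt}" ${{PS1:-}}"\nexport PS1\n'


def render_unquoted(prompt: str) -> str:
    """Weak pattern: the value is pasted in verbatim inside double quotes.

    Double quotes do not stop `$(...)`, backquotes or `${...}` from expanding,
    so any of those in `prompt` are evaluated when the script is sourced.
    """
    return UNQUOTED_TEMPLATE.format(prompt=prompt)


def render_quoted(prompt: str) -> str:
    """Hardened pattern: single-quote the whole untrusted value.

    shlex.quote() wraps the value in single quotes and escapes embedded single
    quotes, so nothing inside it is expanded by the shell. The trusted suffix
    `" ${PS1:-}"` is appended as a separate double-quoted word so the previous
    prompt is still preserved.
    """
    return QUOTED_TEMPLATE.format(prompt=shlex.quote(f"({prompt})"))


def evaluate_prompt(script: str) -> str:
    """Source the rendered script in /bin/sh and return the resulting PS1.

    PS1 is seeded with a fixed value first so the result does not depend on
    the caller's environment.
    """
    proc = subprocess.run(
        ["sh", "-c", "PS1='$ '\n" + script + 'printf "%s" "$PS1"'],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


def check_hardening(value: str) -> dict:
    """Render both variants for one value and report whether quoting kept it literal."""
    unquoted = evaluate_prompt(render_unquoted(value))
    quoted = evaluate_prompt(render_quoted(value))
    return {
        "unquoted": unquoted,
        "quoted": quoted,
        # With proper quoting the value reaches PS1 byte-for-byte, whatever it contains.
        "value_preserved": quoted == f"({value}) $ ",
    }


if __name__ == "__main__":
    # Constructed inputs: a benign name, a name with a single quote, and a
    # harmless canary that a shell would expand if it were left unquoted.
    for name in ("my env", "it's", "$(echo INJECTED)"):
        result = check_hardening(name)
        print(f"{name!r}: unquoted={result['unquoted']!r} "
              f"quoted={result['quoted']!r} preserved={result['value_preserved']}")
```

For a benign name both renderings produce the same prompt, which is why the weak pattern is easy to miss in testing; only the canary shows the unquoted rendering being expanded while the quoted one keeps it as literal text. The same check applies to any value that a generator writes into a shell script, including ones taken from environment variables.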


Remediation

Install updates from vendor's website.

External links