{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-53899", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-11-24T18:25:36.636Z", "dateReserved": "2024-11-24T00:00:00", "datePublished": "2024-11-24T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-11-24T16:04:03.381151"}, "descriptions": [{"lang": "en", "value": "virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/pypa/virtualenv/issues/2768"}, {"url": "https://github.com/pypa/virtualenv/releases/tag/20.26.6"}, {"url": "https://github.com/pypa/virtualenv/pull/2771"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "affected": [{"vendor": "virtualenv", "product": "virtualenv", "cpes": ["cpe:2.3:a:virtualenv:virtualenv:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "20.26.6", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-11-24T18:23:58.008596Z", "id": "CVE-2024-53899", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-24T18:25:36.636Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-53899", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-24T18:23:58.008596Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:virtualenv:virtualenv:*:*:*:*:*:*:*:*"], "vendor": "virtualenv", "product": "virtualenv", "versions": [{"status": "affected", "version": "0", "lessThan": "20.26.6", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-24T18:25:07.826Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/pypa/virtualenv/issues/2768"}, {"url": "https://github.com/pypa/virtualenv/releases/tag/20.26.6"}, {"url": "https://github.com/pypa/virtualenv/pull/2771"}], "descriptions": [{"lang": "en", "value": "virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-11-24T16:04:03.381151"}}}, "cveMetadata": {"cveId": "CVE-2024-53899", "state": "PUBLISHED", "dateUpdated": "2024-11-24T18:25:36.636Z", "dateReserved": "2024-11-24T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-11-24T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:virtualenv:virtualenv:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF06C282-558B-4BD3-9260-61E491A730EC", "versionEndExcluding": "20.26.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287."}, {"lang": "es", "value": "Virtualenv anterior a la versi\u00f3n 20.26.6 permite la inyecci\u00f3n de comandos a trav\u00e9s de los scripts de activaci\u00f3n para un entorno virtual. Las cadenas de plantilla m\u00e1gica no se citan correctamente al reemplazarlas. NOTA: esto no es lo mismo que CVE-2024-9287."}], "id": "CVE-2024-53899", "lastModified": "2025-02-10T18:12:06.107", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-11-24T16:15:06.647", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://github.com/pypa/virtualenv/issues/2768"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/pypa/virtualenv/pull/2771"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/pypa/virtualenv/releases/tag/20.26.6"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:11048", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "python-virtualenv-0:15.1.0-7.el7_9.1", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:10953", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python36:3.6-8100020241203074044.4c5117ad", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-11T00:00:00Z"}, {"advisory": "RHSA-2024:11091", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "python36:3.6-8020020241213084804.606b8f18", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2025:0002", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "python36:3.6-8040020241213073301.9bf6f064", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2025-01-01T00:00:00Z"}, {"advisory": "RHSA-2025:0002", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "python36:3.6-8040020241213073301.9bf6f064", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2025-01-01T00:00:00Z"}, {"advisory": "RHSA-2025:0002", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "python36:3.6-8040020241213073301.9bf6f064", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2025-01-01T00:00:00Z"}, {"advisory": "RHSA-2024:11094", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "python36:3.6-8060020241213062726.448f2761", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11094", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "python36:3.6-8060020241213062726.448f2761", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11094", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "python36:3.6-8060020241213062726.448f2761", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11093", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "python36:3.6-8080020241205132428.075014fc", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-12-16T00:00:00Z"}], "bugzilla": {"description": "virtualenv: potential command injection via virtual environment activation scripts", "id": "2328554", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328554"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-78", "details": ["virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.", "A flaw was found in the virtualenv Python package. Due to the improper handling of quotes in magic template strings, the virtual environment activation script is vulnerable to OS command injection,leading to the loss of confidentiality,integrity and availability of the system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-53899", "package_state": [{"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "openshift-lightspeed-tech-preview/lightspeed-service-api-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "python-virtualenv", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/traefik-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/udi-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "python-virtualenv", "product_name": "Red Hat Satellite 6"}], "public_date": "2024-11-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-53899\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-53899\nhttps://github.com/pypa/virtualenv/issues/2768\nhttps://github.com/pypa/virtualenv/pull/2771\nhttps://github.com/pypa/virtualenv/releases/tag/20.26.6"], "threat_severity": "Important"}