CVE-2024-53899
Command Injection vulnerability in virtualenv (PyPI)


What is CVE-2024-53899 About?

Virtualenv versions before 20.26.6 are vulnerable to command injection through their activation scripts. This flaw allows attackers to execute arbitrary commands by manipulating magic template strings during replacement. The impact could be arbitrary code execution on systems running virtualenv.

Affected Software

virtualenv <20.26.6

Technical Details

The vulnerability (CVE-2024-53899) in virtualenv arises because the values substituted for the magic template strings in activation scripts are not quoted during replacement. When virtualenv creates an environment, it renders the activation scripts from templates, replacing placeholders with dynamic values such as the environment path and prompt. If an attacker can control or influence those values, and the values contain shell metacharacters (for example semicolons, backticks, or dollar signs), the characters are inserted verbatim rather than escaped or quoted for the target shell. When the activation script is later executed (for example by sourcing it in a shell), the unquoted values are parsed as shell syntax rather than as literal strings, which leads to command injection.

What is the Impact of CVE-2024-53899?

Successful exploitation may allow attackers to execute arbitrary code or commands on the victim's system, leading to full system compromise, data theft, or further lateral movement.

What is the Exploitability of CVE-2024-53899?

Exploiting this command injection would likely require an attacker either to supply malicious input during virtual environment creation or to modify an existing environment's configuration or templates, so some level of local access or control over the input is typically needed. No authentication is inherently required to exploit virtualenv itself, but the attacker must be in a position to trigger generation or execution of the vulnerable activation script. This is therefore primarily a local vulnerability: the attacker needs direct access to the system where virtualenv is used, or must trick a user into activating a malicious virtual environment. Complexity is moderate, as it requires an understanding of how virtualenv processes its templates. The risk is highest in environments where untrusted users can create or modify virtual environments.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2024-53899?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch ensures that values such as __VIRTUAL_ENV__, __BIN_NAME__, and __VIRTUAL_PROMPT__ in the shell, batch, nu, fish, and PowerShell activation scripts are no longer substituted verbatim into the templates. Instead, it introduces a consistent quoting mechanism for each shell, implemented in the activator classes, so every value is quoted according to the rules of the shell that will parse the script. This prevents command injection when the virtual environment path or prompt contains special characters, and so fixes CVE-2024-53899, which allowed malicious manipulation through unsafely templated environment variable values.
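To make the mechanism described in the Technical Details and in the fix description concrete, the following Python is an added illustration written for this page; it is not virtualenv's code. The templates and the sample path and prompt are constructed, and the POSIX quoting rule is assumed to be shlex.quote (single quotes, inside which a POSIX shell treats every character literally). It renders a template both ways, verbatim and per-shell quoted, and then audits each NAME=value line for metacharacters that sit outside quotes, which is exactly where an unquoted value would stop being a plain assignment.

```python
import re
import shlex

# Constructed activation-script fragments with virtualenv-style placeholders.
# They mimic the shape of an activation script; they are not virtualenv's own
# template text.
POSIX_TEMPLATE = (
    "VIRTUAL_ENV=__VIRTUAL_ENV__\n"
    "export VIRTUAL_ENV\n"
    "VIRTUAL_ENV_PROMPT=__VIRTUAL_PROMPT__\n"
)
POWERSHELL_TEMPLATE = (
    "$env:VIRTUAL_ENV = __VIRTUAL_ENV__\n"
    "$env:VIRTUAL_ENV_PROMPT = __VIRTUAL_PROMPT__\n"
)

# Constructed values: a path with a space and a '$', a prompt with a single
# quote. Both are legal in directory names and prompts.
VALUES = {
    "__VIRTUAL_ENV__": "/home/dev/proj $HOME/venv",
    "__VIRTUAL_PROMPT__": "it's proj",
}


def no_quote(value: str) -> str:
    """Pre-fix behaviour: the value is dropped into the template verbatim."""
    return value


def quote_posix(value: str) -> str:
    """sh/bash/zsh rule (assumed here): shlex.quote wraps the value in single
    quotes and splices embedded single quotes as '"'"'."""
    return shlex.quote(value)


def quote_powershell(value: str) -> str:
    """PowerShell single-quoted strings are literal; only the single quote
    itself needs escaping, written as ''."""
    return "'" + value.replace("'", "''") + "'"


def render(template: str, values: dict, quote) -> str:
    """Substitute every placeholder, passing each value through `quote`."""
    out = template
    for placeholder, value in values.items():
        out = out.replace(placeholder, quote(value))
    return out


# Characters a POSIX shell treats specially outside quotes. Conservative: a
# backslash outside quotes also changes meaning, so it is flagged as well.
POSIX_META = set(" \t;&|<>()`$\\")


def unquoted_metachars(line: str) -> list:
    """Return the metacharacters on an assignment line that sit outside single
    quotes (or stay active inside double quotes). An empty list means the
    shell parses the line as one plain assignment."""
    found, in_single, in_double = [], False, False
    for ch in line:
        if in_single:
            in_single = ch != "'"
        elif in_double:
            if ch == '"':
                in_double = False
            elif ch in "$`\\":
                found.append(ch)
        elif ch == "'":
            in_single = True
        elif ch == '"':
            in_double = True
        elif ch in POSIX_META:
            found.append(ch)
    if in_single or in_double:
        found.append("unterminated quote")
    return found


ASSIGNMENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*=")


def audit_posix_script(script: str) -> list:
    """Audit every NAME=value line of a rendered POSIX activation script.
    Returns (line_number, findings) for each line that is not a clean single
    assignment; [] means no value escaped its quoting."""
    problems = []
    for number, line in enumerate(script.splitlines(), 1):
        if ASSIGNMENT.match(line):
            findings = unquoted_metachars(line)
            if findings:
                problems.append((number, findings))
    return problems


if __name__ == "__main__":
    print("raw   :", audit_posix_script(render(POSIX_TEMPLATE, VALUES, no_quote)))
    print("quoted:", audit_posix_script(render(POSIX_TEMPLATE, VALUES, quote_posix)))
    print(render(POWERSHELL_TEMPLATE, VALUES, quote_powershell))
```

With the verbatim renderer the audit reports the space and the `$` on the VIRTUAL_ENV line and an unterminated quote on the prompt line; with the per-shell quoting it reports nothing, because every character of each value sits inside single quotes. The same audit can be run over the activate script of an existing environment created by an older virtualenv to check whether its path or prompt produced an unquoted assignment.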

Available Upgrade Options

  • virtualenv
    • <20.26.6 → Upgrade to 20.26.6


Additional Resources

What are Similar Vulnerabilities to CVE-2024-53899?

Similar Vulnerabilities: CVE-2023-48760, CVE-2023-47000, CVE-2023-4550, CVE-2023-37905, CVE-2023-28432