CVE-2024-9287: 
Rocky Linux vulnerability analysis and mitigation

A vulnerability has been discovered in the CPython venv module and CLI (CVE-2024-9287) where path names provided when creating a virtual environment were not quoted properly. This vulnerability allows the virtual environment creator to inject commands into virtual environment 'activation' scripts (e.g., 'source venv/bin/activate'). The issue was discovered in September 2024 and affects Python versions 3.8 through 3.13 (Python Advisory).

The vulnerability stems from improper neutralization of special elements used in command injection (CWE-77) and unquoted search path elements (CWE-428). The CVSS v3.1 base score is 7.8 (HIGH) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The CVSS v4.0 score is 5.3 (MEDIUM) with vector CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/U:Green (NVD).

When exploited, attacker-controlled virtual environments can execute arbitrary commands when the virtual environment is activated. However, virtual environments that are not created by an attacker or which aren't activated before being used (e.g., './venv/bin/python') are not affected (Python Advisory).

The issue has been fixed in Python versions 3.9.21, 3.10.16, 3.11.11, 3.12.8, and 3.13.1. Users should upgrade to these or later versions. The fix involves properly quoting template strings in the venv activation scripts (GitHub PR).