{
  "ecosystem": "pypi",
  "package": "virtualenv",
  "version": null,
  "bugs": [
    {
      "id": 695,
      "ecosystem": "pypi",
      "package_name": "virtualenv",
      "affected_version": null,
      "fixed_version": "20.26.6",
      "bug_id": "osv:GHSA-rqc4-2hc7-8c8v",
      "title": "virtualenv allows command injection through activation scripts for a virtual environment",
      "description": "virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.",
      "severity": "high",
      "status": "fixed",
      "source": "osv",
      "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53899",
      "labels": ["BIT-virtualenv-2024-53899", "CVE-2024-53899", "PYSEC-2024-187"],
      "created_at": "2026-04-19T04:31:38.214584+00:00",
      "updated_at": "2026-04-19T04:31:38.214584+00:00"
    },
    {
      "id": 697,
      "ecosystem": "pypi",
      "package_name": "virtualenv",
      "affected_version": null,
      "fixed_version": "20.26.6",
      "bug_id": "osv:PYSEC-2024-187",
      "title": "PYSEC-2024-187: advisory",
      "description": "virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.",
      "severity": "medium",
      "status": "fixed",
      "source": "osv",
      "source_url": "https://github.com/pypa/virtualenv/issues/2768",
      "labels": ["BIT-virtualenv-2024-53899", "CVE-2024-53899", "GHSA-rqc4-2hc7-8c8v"],
      "created_at": "2026-04-19T04:31:38.215416+00:00",
      "updated_at": "2026-04-19T04:31:38.215416+00:00"
    },
    {
      "id": 696,
      "ecosystem": "pypi",
      "package_name": "virtualenv",
      "affected_version": null,
      "fixed_version": "1.5",
      "bug_id": "osv:PYSEC-2011-23",
      "title": "PYSEC-2011-23: advisory",
      "description": "virtualenv.py in virtualenv before 1.5 allows local users to overwrite arbitrary files via a symlink attack on a certain file in /tmp/.",
      "severity": "medium",
      "status": "fixed",
      "source": "osv",
      "source_url": "http://openwall.com/lists/oss-security/2011/12/19/5",
      "labels": ["CVE-2011-4617", "GHSA-3jhc-wjqf-5f2c"],
      "created_at": "2026-04-19T04:31:38.215032+00:00",
      "updated_at": "2026-04-19T04:31:38.215032+00:00"
    },
    {
      "id": 694,
      "ecosystem": "pypi",
      "package_name": "virtualenv",
      "affected_version": null,
      "fixed_version": "20.36.1",
      "bug_id": "osv:GHSA-597g-3phw-6986",
      "title": "virtualenv Has TOCTOU Vulnerabilities in Directory Creation",
      "description": "## Impact\n\nTOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in `virtualenv` allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations.\n\n**Affected versions:** All versions up to and including 20.36.1\n\n**Affected users:** Any user running `virtualenv` on multi-user systems where untrusted local users have filesystem access to shared temporary directories or where `VIRTUALENV_OVERRIDE_APP_DATA` points to a user-writable location.\n\n**Attack scenarios:**\n- Cache poisoning: Attacker corrupts wheels or Python metadata in the cache\n- Information disclosure: Attacker reads sensitive cached data or metadata\n- Lock bypass: Attacker controls lock file semantics to cause concurrent access violations\n- Denial of service: Lock starvation preventing virtualenv operations\n\n## Patches\n\nThe vulnerability has been patched by replacing check-then-act patterns with atomic `os.makedirs(..., exist_ok=True)` operations.\n\n**Fixed in:** PR #3013\n\n**Versions with the fix:** 20.36.2 and later\n\nUsers should upgrade to version 20.36.2 or later.\n\n## Workarounds\n\nIf you cannot upgrade immediately:\n\n1. Ensure `VIRTUALENV_OVERRIDE_APP_DATA` points to a directory owned by the current user with restricted permissions (mode 0700)\n2. Avoid running `virtualenv` in shared temporary directories where other users have write access\n3. Use separate user accounts for different projects to isolate app_data directories\n\n## References\n\n- GitHub PR: https://github.com/pypa/virtualenv/pull/3013\n- Vulnerability reported by: @tsigouris007\n- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (TOCTOU)\n- CWE-59: Improper Link Resolution Before File Access",
      "severity": "medium",
      "status": "fixed",
      "source": "osv",
      "source_url": "https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986",
      "labels": ["BIT-virtualenv-2026-22702", "CVE-2026-22702"],
      "created_at": "2026-04-19T04:31:38.213821+00:00",
      "updated_at": "2026-04-19T04:31:38.213821+00:00"
    },
    {
      "id": 693,
      "ecosystem": "pypi",
      "package_name": "virtualenv",
      "affected_version": null,
      "fixed_version": "1.5",
      "bug_id": "osv:GHSA-3jhc-wjqf-5f2c",
      "title": "Virtualenv Allows Symlink Attack on /tmp/",
      "description": "virtualenv.py in virtualenv before 1.5 allows local users to overwrite arbitrary files via a symlink attack on a certain file in /tmp/.",
      "severity": "medium",
      "status": "fixed",
      "source": "osv",
      "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4617",
      "labels": ["CVE-2011-4617", "PYSEC-2011-23"],
      "created_at": "2026-04-19T04:31:38.212986+00:00",
      "updated_at": "2026-04-19T04:31:38.212986+00:00"
    }
  ],
  "total": 5,
  "_cache": "miss"
}