virtualenv known bugs
Known bugs in the PyPI package virtualenv (5 advisories, two of which are the same bug listed under a second advisory ID), with affected versions, fixes and workarounds. Sourced from upstream advisories via OSV; the Source column gives the OSV identifier.
Known bugs
| Severity | Affected | Fixed in | Title | Status | Source |
|---|---|---|---|---|---|
| high | < 20.26.6 | 20.26.6 | virtualenv allows command injection through activation scripts for a virtual environment: virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing, so shell metacharacters in a substituted value are interpreted by the shell when the script is sourced. NOTE: this is not the same as CVE-2024-9287. | fixed | osv:GHSA-rqc4-2hc7-8c8v |
| medium | < 20.26.6 | 20.26.6 | PYSEC-2024-187 (the same issue as GHSA-rqc4-2hc7-8c8v above, listed under its PyPA advisory ID; the two sources rate its severity differently): virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287. | fixed | osv:PYSEC-2024-187 |
| medium | < 1.5 | 1.5 | PYSEC-2011-23 (the same issue as GHSA-3jhc-wjqf-5f2c below): virtualenv.py in virtualenv before 1.5 allows local users to overwrite arbitrary files via a symlink attack on a certain file in /tmp/. | fixed | osv:PYSEC-2011-23 |
| medium | <= 20.36.1 | 20.36.2 (per the advisory text; the OSV fixed-version field shown on this page says 20.36.1) | virtualenv has TOCTOU vulnerabilities in directory creation: a race between the existence check and the creation of virtualenv's app_data and lock-file directories lets a local attacker redirect those paths to attacker-controlled locations with a symlink. Full advisory text follows the table. | fixed | osv:GHSA-597g-3phw-6986 |
| medium | < 1.5 | 1.5 | Virtualenv allows symlink attack on /tmp/: virtualenv.py in virtualenv before 1.5 allows local users to overwrite arbitrary files via a symlink attack on a certain file in /tmp/. | fixed | osv:GHSA-3jhc-wjqf-5f2c |

Advisory text for GHSA-597g-3phw-6986

Impact
TOCTOU (time-of-check to time-of-use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit the race between a directory existence check and the subsequent creation to redirect virtualenv's app_data and lock-file operations to attacker-controlled locations.
Affected versions: all versions up to and including 20.36.1.
Affected users: anyone running virtualenv on a multi-user system where untrusted local users can write to shared temporary directories, or where VIRTUALENV_OVERRIDE_APP_DATA points to a location other users can write to.
Attack scenarios:
- Cache poisoning: the attacker corrupts wheels or Python metadata in the cache
- Information disclosure: the attacker reads sensitive cached data or metadata
- Lock bypass: the attacker controls lock-file semantics and causes concurrent-access violations
- Denial of service: lock starvation prevents virtualenv operations

Patches
The vulnerability has been patched by replacing check-then-act patterns with atomic os.makedirs(..., exist_ok=True) calls, which tolerate an existing directory instead of testing for one first.
Fixed in: PR #3013
Versions with the fix: 20.36.2 and later
Users should upgrade to version 20.36.2 or later.

Workarounds
If you cannot upgrade immediately:
1. Ensure VIRTUALENV_OVERRIDE_APP_DATA points to a directory owned by the current user with restricted permissions (mode 0700)
2. Avoid running virtualenv in shared temporary directories where other users have write access
3. Use separate user accounts for different projects to isolate app_data directories

References
- GitHub PR: https://github.com/pypa/virtualenv/pull/3013
- Vulnerability reported by: @tsigouris007
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (TOCTOU)
- CWE-59: Improper Link Resolution Before File Access
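The two activation-script rows above (GHSA-rqc4-2hc7-8c8v / PYSEC-2024-187) describe a magic template string substituted into a shell script without correct quoting. The following is an added example, not virtualenv's code and not taken from its templates: a constructed POSIX-sh activation template with one marker, a venv path that carries a command substitution, the verbatim substitution that lets sh execute it, and the shlex.quote form that does not. The template, the marker name `__VIRTUAL_ENV__`, the sample paths and all function names are assumptions made for the demonstration.

```python
"""Added example (not virtualenv's code): how an unquoted magic-string
substitution into a POSIX-sh activation script becomes command injection, and
the shlex.quote fix. The template, the marker name and the sample paths are
constructed for this demonstration; they are not taken from virtualenv."""
import shlex
import shutil
import subprocess

# Constructed stand-in for an activation-script template with one magic marker.
ACTIVATE_TEMPLATE = 'VIRTUAL_ENV="__VIRTUAL_ENV__"\nexport VIRTUAL_ENV\n'

# Constructed hostile venv location: the directory name carries a command
# substitution. Whoever chooses the venv path controls this string.
HOSTILE_PATH = "/tmp/venv-$(echo INJECTED)"


def render_unquoted(template, venv_path):
    """Vulnerable: the path is spliced verbatim inside the template's own double
    quotes, where sh still expands $(...), backticks and $VAR."""
    return template.replace("__VIRTUAL_ENV__", venv_path)


def render_quoted(template, venv_path):
    """Hardened: replace the marker together with its surrounding double quotes
    by a shlex.quote()d value, i.e. single quotes, inside which sh expands nothing.
    shlex.quote also handles single quotes embedded in the path."""
    return template.replace('"__VIRTUAL_ENV__"', shlex.quote(venv_path))


def sh_available():
    """True when a POSIX sh is on PATH (the live check below needs one)."""
    return shutil.which("sh") is not None


def virtual_env_as_seen_by_sh(script):
    """Source the rendered script in sh and return what $VIRTUAL_ENV holds.
    The echo in HOSTILE_PATH is a harmless marker; a real attacker would not be."""
    probe = script + 'printf "%s" "$VIRTUAL_ENV"\n'
    proc = subprocess.run(["sh", "-c", probe], capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    for label, render in (("unquoted", render_unquoted), ("quoted", render_quoted)):
        script = render(ACTIVATE_TEMPLATE, HOSTILE_PATH)
        print(f"{label}: {script.splitlines()[0]}")
        if sh_available():
            print(f"  sh saw VIRTUAL_ENV = {virtual_env_as_seen_by_sh(script)!r}")
```

With the unquoted rendering sh reports `/tmp/venv-INJECTED`, i.e. the substitution ran when the script was sourced; with the quoted rendering it reports the path byte for byte. shlex.quote is correct for POSIX sh only: virtualenv ships activators for several shell families, and each has its own quoting rules, so a fix of this class has to be made per activator, not once.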
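The GHSA-597g-3phw-6986 advisory above says the fix replaced check-then-act directory creation with os.makedirs(..., exist_ok=True), and its first workaround asks for an app_data directory owned by the current user with mode 0700; the two /tmp symlink rows are the same attack primitive. The following is an added example, not virtualenv's code, that plays both patterns against a planted symlink on a private temporary tree and shows why the ownership/mode check is still needed: makedirs(exist_ok=True) closes the window between check and create, but it accepts a symlink that already points at a directory, so the redirect is only caught by inspecting the result. The function names, the `after_check` hook that stands in for an attacker winning the race, and the temporary directory layout are all constructed for the demonstration; the check is POSIX-only.

```python
"""Added example (not virtualenv's code): the check-then-act directory creation
the advisory describes, the os.makedirs(exist_ok=True) replacement, and the
ownership/mode check behind workaround 1. Function names, the after_check hook
and the temporary layout are constructed for this demonstration."""
import os
import shutil
import stat
import tempfile


def ensure_app_data_racy(path, after_check=None):
    """Vulnerable pattern: exists() and makedirs() are two separate syscalls.
    `after_check` is a constructed hook standing in for an attacker who wins
    the race between them (in real life: a tight loop in another process)."""
    if not os.path.exists(path):
        if after_check is not None:
            after_check()
        os.makedirs(path)
    return path


def ensure_app_data_atomic(path):
    """Patched pattern: one mkdir that tolerates EEXIST, so there is no window
    between check and create. It still accepts a symlink that already points
    at a directory, which is why check_private_dir() exists."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    return path


def check_private_dir(path):
    """Workaround 1 as code (POSIX only): the app_data directory must be a real
    directory, owned by the effective user, with no group/other permission bits.
    Returns "ok" or the reason the directory is unsafe to use."""
    st = os.lstat(path)  # lstat: never follow a symlink at the final component
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if st.st_uid != os.geteuid():
        return "owner mismatch"
    if stat.S_IMODE(st.st_mode) & 0o077:
        return "mode too open"
    return "ok"


def run_demo():
    """Play three scenarios on a private temp tree and report the outcomes."""
    base = tempfile.mkdtemp(prefix="appdata-demo-")
    try:
        attacker_dir = os.path.join(base, "attacker-controlled")
        os.mkdir(attacker_dir)
        outcomes = {}

        # 1. Racy creation loses the race: the symlink lands between the two calls,
        #    so the plain makedirs() fails (the advisory's denial-of-service case).
        racy_path = os.path.join(base, "app-data-racy")
        try:
            ensure_app_data_racy(racy_path, after_check=lambda: os.symlink(attacker_dir, racy_path))
            outcomes["racy_lost_race"] = "created"
        except FileExistsError:
            outcomes["racy_lost_race"] = "FileExistsError"

        # 2. A symlink planted before the call is accepted by exist_ok=True ...
        planted = os.path.join(base, "app-data-planted")
        os.symlink(attacker_dir, planted)
        ensure_app_data_atomic(planted)
        outcomes["planted_symlink_accepted_by_makedirs"] = True
        # ... and caught only by the ownership/mode check.
        outcomes["planted_symlink_caught_by_check"] = check_private_dir(planted)

        # 3. A fresh directory created with mode 0700 passes the check.
        clean = os.path.join(base, "app-data-clean")
        ensure_app_data_atomic(clean)
        outcomes["clean_dir"] = check_private_dir(clean)
        return outcomes
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Run as a script it prints the three outcomes; check_private_dir() is the part to reuse when pointing VIRTUALENV_OVERRIDE_APP_DATA at a directory, since it refuses exactly the cases the advisory lists: a symlink, a directory owned by someone else, or one other users can write to.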
API access
Get this data programmatically, free, no authentication:

```sh
curl https://depscope.dev/api/bugs/pypi/virtualenv
```