The vulnerability is a command injection in CPython's venv module due to improperly quoted path names in activation scripts. The analysis focused on identifying functions involved in processing user-supplied paths and generating these scripts.
venv.EnvBuilder.replace_variables is identified as the core vulnerable function because it performed direct string substitutions of user input (like environment paths) into script templates without quoting.
venv.EnvBuilder.install_scripts is crucial as it calls replace_variables and writes the processed (and previously vulnerable) script content to disk.
venv.EnvBuilder.create is the main API method in EnvBuilder that accepts the user-provided, potentially malicious, environment path, starting the vulnerable workflow.
venv.main (from Lib/venv/__main__.py) is the CLI entry point that parses the user's input (including the environment path) and passes it to EnvBuilder.create.
These functions would appear in a runtime profile during the creation of a virtual environment, and their interaction led to the vulnerability when unquoted, malicious path names were used.
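The difference between raw substitution and shell-quoted substitution of an environment path, as an added example that is not CPython's code. The one-line templates, function names and sample paths are constructed for illustration, `shlex.quote` is used here as one way to quote for POSIX shells, and a POSIX `sh` on PATH is assumed.

```python
import shlex
import subprocess

# Constructed one-line templates (simplified stand-ins, not CPython's shipped
# activation scripts). __VENV_DIR__ is the placeholder that gets substituted.
UNQUOTED_TEMPLATE = 'VIRTUAL_ENV="__VENV_DIR__"\n'
QUOTED_TEMPLATE = "VIRTUAL_ENV=__VENV_DIR__\n"


def render_unquoted(env_dir: str) -> str:
    """Raw substitution: the path is pasted between double quotes as-is."""
    return UNQUOTED_TEMPLATE.replace("__VENV_DIR__", env_dir)


def render_quoted(env_dir: str) -> str:
    """Shell-quoted substitution: the path becomes one literal sh word."""
    return QUOTED_TEMPLATE.replace("__VENV_DIR__", shlex.quote(env_dir))


def value_seen_by_shell(script: str):
    """Run the rendered line in sh; return VIRTUAL_ENV, or None on sh error."""
    probe = script + 'printf "%s" "$VIRTUAL_ENV"\n'
    done = subprocess.run(["sh", "-c", probe], capture_output=True,
                          text=True, timeout=10)
    return done.stdout if done.returncode == 0 else None


def is_literal(script: str, env_dir: str) -> bool:
    """True when sh ends up with exactly the directory name, nothing evaluated."""
    return value_seen_by_shell(script) == env_dir


# Constructed sample paths: an ordinary name, one carrying a harmless command
# substitution that only echoes a marker word, and one with embedded quotes.
SAMPLES = [
    "/tmp/demo env",
    "/tmp/env-$(echo EVALUATED)",
    "/tmp/it's \"quoted\"",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path!r}: unquoted literal={is_literal(render_unquoted(path), path)}, "
              f"quoted literal={is_literal(render_quoted(path), path)}")
```

An ordinary path survives both renderings, which is why the unquoted form goes unnoticed until a path contains shell metacharacters.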