virtualenv@1.3.1 vulnerabilities

Virtual Python Environment builder

Direct Vulnerabilities

Known vulnerabilities in the virtualenv package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • M
Command Injection

Affected versions of this package are vulnerable to Command Injection due to improperly quoted string placeholders in activation scripts through the ViaTemplateActivator class. The vulnerable functions include various shell activation scripts where placeholders like __VIRTUAL_ENV__ are used.

Note:

  1. This vulnerability is specific to environments where shell scripts are used for virtual environment activation.

  2. Exploiting this vulnerability depends on the attacker's ability to control the input to these placeholders; it is therefore unlikely to be exploited.
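The placeholder quoting problem described above can be checked with a small regression test. This is an added example, not virtualenv's own code: the two templates, the function names and the sample paths are constructed for illustration, and only `shlex` from the Python standard library is used.

```python
import shlex

# Constructed templates, not virtualenv's real activation scripts.
NAIVE_TEMPLATE = 'VIRTUAL_ENV="__VIRTUAL_ENV__"\nexport VIRTUAL_ENV\n'
QUOTED_TEMPLATE = "VIRTUAL_ENV=__VIRTUAL_ENV__\nexport VIRTUAL_ENV\n"

# Constructed sample paths: plain, with a space, with quote characters.
SAMPLE_PATHS = [
    "/home/dev/project/.venv",
    "/tmp/my env",
    "/tmp/it's env",
    '/tmp/demo"; echo marker; "',
]


def render_naive(path: str) -> str:
    """Paste the raw path between fixed double quotes (the unsafe pattern)."""
    return NAIVE_TEMPLATE.replace("__VIRTUAL_ENV__", path)


def render_quoted(path: str) -> str:
    """Let shlex.quote() choose the quoting for a POSIX shell."""
    return QUOTED_TEMPLATE.replace("__VIRTUAL_ENV__", shlex.quote(path))


def assignment_is_intact(script: str, path: str) -> bool:
    """True if the script still parses as exactly the three intended words.

    shlex models POSIX quoting only, not $-expansion or backticks, so this
    is a quoting regression check rather than a full shell parser.
    """
    try:
        words = shlex.split(script)
    except ValueError:  # unbalanced quotes in the rendered script
        return False
    return words == ["VIRTUAL_ENV=" + path, "export", "VIRTUAL_ENV"]


def audit(paths=SAMPLE_PATHS) -> dict:
    """Map each path to (naive_ok, quoted_ok)."""
    return {
        p: (assignment_is_intact(render_naive(p), p),
            assignment_is_intact(render_quoted(p), p))
        for p in paths
    }


if __name__ == "__main__":
    for path, (naive_ok, quoted_ok) in audit().items():
        print(f"{path!r:32} naive={naive_ok} quoted={quoted_ok}")
```

A path containing a double quote ends the fixed quoting early in the naive rendering, so the rest of the path is parsed as additional shell words; the quoted rendering keeps every sample path as a single assignment.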

How to fix Command Injection?

Upgrade virtualenv to version 20.26.6 or higher.

Vulnerable versions: [,20.26.6)
  • L
Symlink Attack

virtualenv is a Virtual Python Environment builder.

virtualenv.py in virtualenv before 1.5 allows local users to overwrite arbitrary files via a symlink attack on a certain file in /tmp/.

Vulnerable versions: [,1.5)