Vulnerability	Vulnerable Version
M Command Injection Affected versions of this package are vulnerable to Command Injection due to improperly quoted string placeholders in activation scripts through the `ViaTemplateActivator` class. The vulnerable functions include various shell activation scripts where placeholders like `__VIRTUAL_ENV__` are used. Note: This vulnerability is specific to environments where shell scripts are used for virtual environment activation. Exploiting this vulnerability depends on the ability of the attacker to control the input to these placeholders, therefore it's unlikely to be exploited. How to fix Command Injection? Upgrade `virtualenv` to version 20.26.6 or higher.	[,20.26.6)
L Symlink Attack `virtualenv` is a Virtual Python Environment builder virtualenv.py in virtualenv before 1.5 allows local users to overwrite arbitrary files via a symlink attack on a certain file in /tmp/.	[,1.5)

Command Injection

Affected versions of this package are vulnerable to Command Injection due to improperly quoted string placeholders in activation scripts through the ViaTemplateActivator class. The vulnerable functions include various shell activation scripts where placeholders like __VIRTUAL_ENV__ are used.

Note:

This vulnerability is specific to environments where shell scripts are used for virtual environment activation.
Exploiting this vulnerability depends on the ability of the attacker to control the input to these placeholders, therefore it's unlikely to be exploited.

How to fix Command Injection?

Upgrade virtualenv to version 20.26.6 or higher.

[,20.26.6)

Symlink Attack

virtualenv is a Virtual Python Environment builder virtualenv.py in virtualenv before 1.5 allows local users to overwrite arbitrary files via a symlink attack on a certain file in /tmp/.

[,1.5)

Go back to all versions of this package