Package details: pkg:deb/debian/python-virtualenv@20.17.1%2Bds-1?distro=trixie
purl: pkg:deb/debian/python-virtualenv@20.17.1%2Bds-1?distro=trixie
Next non-vulnerable version: 20.26.6+ds-1
Latest non-vulnerable version: 21.2.0+ds-1
Risk: 4.4
Vulnerabilities affecting this package (2)
Columns: Vulnerability, Summary, Fixed by
Vulnerability: VCID-5gxd-gbyg-ebg7
Aliases: CVE-2026-22702, GHSA-597g-3phw-6986
Summary:
virtualenv Has TOCTOU Vulnerabilities in Directory Creation

## Impact

TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in `virtualenv` allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations.

**Affected versions:** All versions up to and including 20.36.1

**Affected users:** Any user running `virtualenv` on multi-user systems where untrusted local users have filesystem access to shared temporary directories or where `VIRTUALENV_OVERRIDE_APP_DATA` points to a user-writable location.

**Attack scenarios:**
- Cache poisoning: Attacker corrupts wheels or Python metadata in the cache
- Information disclosure: Attacker reads sensitive cached data or metadata
- Lock bypass: Attacker controls lock file semantics to cause concurrent access violations
- Denial of service: Lock starvation preventing virtualenv operations

## Patches

The vulnerability has been patched by replacing check-then-act patterns with atomic `os.makedirs(..., exist_ok=True)` operations.

**Fixed in:** PR #3013

**Versions with the fix:** 20.36.2 and later

Users should upgrade to version 20.36.2 or later.

## Workarounds

If you cannot upgrade immediately:
1. Ensure `VIRTUALENV_OVERRIDE_APP_DATA` points to a directory owned by the current user with restricted permissions (mode 0700)
2. Avoid running `virtualenv` in shared temporary directories where other users have write access
3. Use separate user accounts for different projects to isolate app_data directories

## References
- GitHub PR: https://github.com/pypa/virtualenv/pull/3013
- Vulnerability reported by: @tsigouris007
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (TOCTOU)
- CWE-59: Improper Link Resolution Before File Access

Fixed by:
20.36.1+ds-1 (affected by 0 other vulnerabilities)
21.2.0+ds-1 (affected by 0 other vulnerabilities)
Vulnerability: VCID-yjph-enuc-wkc7
Aliases: BIT-virtualenv-2024-53899, CVE-2024-53899, GHSA-rqc4-2hc7-8c8v, PYSEC-2024-187
Summary: virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.
Fixed by:
20.26.6+ds-1 (affected by 0 other vulnerabilities)
20.31.2+ds-1 (affected by 1 other vulnerability)
21.2.0+ds-1 (affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (2)
Columns: Vulnerability, Summary, Aliases

Vulnerability: VCID-6crp-q47m-w7dh
Summary: virtualenv.py in virtualenv before 1.5 allows local users to overwrite arbitrary files via a symlink attack on a certain file in /tmp/.
Aliases: CVE-2011-4617, GHSA-3jhc-wjqf-5f2c, PYSEC-2011-23

Vulnerability: VCID-ezkx-6k4g-n3az
Summary: pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation.
Aliases: CVE-2013-1629, GHSA-g3p5-fjj9-h8gj, PYSEC-2013-8

Columns: Date, Actor, Action, Vulnerability, Source, VulnerableCode Version
2026-04-16T11:18:55.260694+00:00 Debian Importer Fixing VCID-6crp-q47m-w7dh https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T09:26:42.581638+00:00 Debian Importer Fixing VCID-ezkx-6k4g-n3az https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-13T07:41:57.696697+00:00 Debian Importer Fixing VCID-6crp-q47m-w7dh https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-11T18:18:07.587257+00:00 Debian Importer Fixing VCID-ezkx-6k4g-n3az https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-03T07:50:56.428551+00:00 Debian Importer Affected by VCID-5gxd-gbyg-ebg7 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:50:56.375836+00:00 Debian Importer Affected by VCID-yjph-enuc-wkc7 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:50:56.324090+00:00 Debian Importer Fixing VCID-ezkx-6k4g-n3az https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:50:56.270377+00:00 Debian Importer Fixing VCID-6crp-q47m-w7dh https://security-tracker.debian.org/tracker/data/json 38.1.0