Vulnerability Report
Package: virtualenv (transitive dependency)
Installed Version: 20.31.2
CVEs
| CVE / GHSA ID | Description | Severity | Fixed In |
|---|---|---|---|
| GHSA-597g-3phw-6986 | TOCTOU vulnerabilities in directory creation | Medium | 20.36.1 |
Details
virtualenv 20.31.2 contains a TOCTOU (time-of-check to time-of-use) vulnerability in its directory creation logic: it checks whether a directory exists and then creates and uses it as separate steps. A local attacker who can write to the parent directory can act in the window between the check and the creation, planting a symlink at the expected path so that the files virtualenv subsequently writes are redirected to a directory of the attacker's choosing.
Fixed in virtualenv >= 20.36.1.
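The race described above, reduced to its check-then-act core. This is an added example and not virtualenv's own code: `populate_vulnerable` reproduces the pattern (existence check, then mkdir and open as separate steps), `populate_hardened` shows the race-free alternative (create without a pre-check, open the directory with `O_NOFOLLOW`, and do all further work relative to that descriptor), and `plant_symlink` is a constructed attacker action injected into the race window so the outcome is deterministic. It assumes a POSIX filesystem (`os.O_DIRECTORY`, `os.O_NOFOLLOW` and `dir_fd` support); the `venv`, `victim` and `marker.txt` names are arbitrary.

```python
"""Check-then-act (TOCTOU) race in directory creation versus a race-free variant.
Added example, not virtualenv's code. Assumes POSIX (O_DIRECTORY, O_NOFOLLOW, dir_fd)."""
import errno
import os
import stat
import tempfile


def plant_symlink(path, target):
    """Constructed attacker action: during the race window, make `path` a
    symlink to `target`, replacing an empty directory if one is already there."""
    if os.path.lexists(path):
        os.rmdir(path)
    os.symlink(target, path)


def populate_vulnerable(path, during_window=None):
    """Check-then-act pattern. The gap between the existence check and the
    mkdir/open is the TOCTOU window; `during_window` simulates an attacker
    acting inside it. Returns the resolved path of the file actually written."""
    if not os.path.exists(path):            # time of check
        if during_window:
            during_window()                 # attacker wins the race here
        os.makedirs(path, exist_ok=True)    # time of use: follows the planted symlink
    marker = os.path.join(path, "marker.txt")
    with open(marker, "w") as f:            # also follows the symlink
        f.write("written by the tool\n")
    return os.path.realpath(marker)


def populate_hardened(path, during_window=None):
    """Race-free version: create without a separate existence check, then open
    the directory itself with O_NOFOLLOW and work relative to that descriptor.
    A symlink planted at any point either makes the open fail or is irrelevant."""
    try:
        os.mkdir(path, 0o700)               # atomic: EEXIST instead of a pre-check
    except FileExistsError:
        pass                                # whatever exists is validated below
    if during_window:
        during_window()                     # same attacker window as above
    dir_fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        # O_DIRECTORY already guarantees this; kept as a belt-and-braces check.
        if not stat.S_ISDIR(os.fstat(dir_fd).st_mode):
            raise OSError(errno.ENOTDIR, "not a directory", path)
        fd = os.open("marker.txt", os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600,
                     dir_fd=dir_fd)         # openat(): relative to the held fd
        with os.fdopen(fd, "w") as f:
            f.write("written by the tool\n")
    finally:
        os.close(dir_fd)
    return os.path.realpath(os.path.join(path, "marker.txt"))


def demo():
    """Runs both versions against the same simulated attacker. Returns
    (vulnerable_redirected, hardened_blocked, hardened_works_unattacked)."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim")   # where the attacker wants writes to land
        os.mkdir(victim)
        env_dir = os.path.join(root, "venv")

        def attacker():
            plant_symlink(env_dir, victim)

        written = populate_vulnerable(env_dir, attacker)
        vulnerable_redirected = os.path.dirname(written) == os.path.realpath(victim)

        os.remove(os.path.join(victim, "marker.txt"))
        os.unlink(env_dir)                      # remove the planted symlink

        try:
            populate_hardened(env_dir, attacker)
            hardened_blocked = False
        except OSError as e:                    # ELOOP on Linux/macOS, EMLINK on BSD
            hardened_blocked = e.errno in (errno.ELOOP, errno.EMLINK, errno.ENOTDIR)
        os.unlink(env_dir)                      # remove the planted symlink again

        populate_hardened(env_dir)
        hardened_works = (not os.path.islink(env_dir)
                          and os.path.isfile(os.path.join(env_dir, "marker.txt")))
        return vulnerable_redirected, hardened_blocked, hardened_works


if __name__ == "__main__":
    print(demo())
```

In the vulnerable path the marker file ends up inside `victim`, the directory the attacker pointed the symlink at; in the hardened path the `O_NOFOLLOW` open fails with `ELOOP` and nothing is written, while the unattacked call succeeds. The key design choice is that nothing after `os.open(path, ...)` refers to `path` by name again: later operations use the descriptor, so a swap of the path after that point cannot redirect them.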
Impact
virtualenv is a transitive dependency, pulled in via pre-commit (a dev dependency), which uses it to build hook environments. The exposure is limited to hosts where pre-commit builds those environments (developer machines and any CI runner that executes the hooks) and where another local user can write to the directory in which the environments are created.
Remediation
Constrain virtualenv >= 20.36.1 in dev dependencies, or update pre-commit to a version that pulls in the patched virtualenv. After upgrading, confirm that the resolved version is >= 20.36.1 (for example with `pip show virtualenv`, or by re-running osv-scanner).
Found by osv-scanner