{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"High"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https:/www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"python-virtualenv security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for python-virtualenv is now available for openEuler-24.03-LTS",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"Virtualenv is a tool to create isolated Python environments. Since Python 3.3, a subset of it has been integrated into the standard library under the venv module. Note though, that the venv module does not offer all features of this library (e.g. cannot create bootstrap scripts, cannot create virtual environments for other python versions than the host python, not relocatable, etc.). Tools in general as such still may prefer using virtualenv for its ease of upgrading (via pip), unified handling of different Python versions and some more advanced features.\n\nSecurity Fix(es):\n\nvirtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.(CVE-2024-53899)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for python-virtualenv is now available for openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"High",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"python-virtualenv",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2025-1241",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1241"
			},
			{
				"summary":"CVE-2024-53899",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-53899&packageName=python-virtualenv"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53899"
			},
			{
				"summary":"openEuler-SA-2025-1241 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openeuler-sa-2025-1241.json"
			}
		],
		"title":"An update for python-virtualenv is now available for openEuler-24.03-LTS",
		"tracking":{
			"initial_release_date":"2025-03-07T23:30:41+08:00",
			"revision_history":[
				{
					"date":"2025-03-07T23:30:41+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2025-03-07T23:30:41+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2025-03-07T23:30:41+08:00",
			"id":"openEuler-SA-2025-1241",
			"version":"1.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"openEuler-24.03-LTS",
									"name":"openEuler-24.03-LTS"
								},
								"name":"openEuler-24.03-LTS",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"python-virtualenv-20.26.6-1.oe2403.src.rpm",
									"name":"python-virtualenv-20.26.6-1.oe2403.src.rpm"
								},
								"name":"python-virtualenv-20.26.6-1.oe2403.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"python3-virtualenv-20.26.6-1.oe2403.noarch.rpm",
									"name":"python3-virtualenv-20.26.6-1.oe2403.noarch.rpm"
								},
								"name":"python3-virtualenv-20.26.6-1.oe2403.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"python-virtualenv-20.26.6-1.oe2403.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:python-virtualenv-20.26.6-1.oe2403.src",
					"name":"python-virtualenv-20.26.6-1.oe2403.src as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"python3-virtualenv-20.26.6-1.oe2403.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:python3-virtualenv-20.26.6-1.oe2403.noarch",
					"name":"python3-virtualenv-20.26.6-1.oe2403.noarch as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2024-53899",
			"notes":[
				{
					"text":"virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS:python-virtualenv-20.26.6-1.oe2403.src",
					"openEuler-24.03-LTS:python3-virtualenv-20.26.6-1.oe2403.noarch"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS:python-virtualenv-20.26.6-1.oe2403.src",
						"openEuler-24.03-LTS:python3-virtualenv-20.26.6-1.oe2403.noarch"
					],
					"details":"python-virtualenv security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1241"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":7.8,
						"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS:python-virtualenv-20.26.6-1.oe2403.src",
						"openEuler-24.03-LTS:python3-virtualenv-20.26.6-1.oe2403.noarch"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2024-53899"
		}
	]
}