CVE-2021-42771 — Path Traversal in Babel

CWE-22 — Path Traversal7 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.2%

top 61.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pocoo Babel Babel Debian Python-babel +3 more

Timeline

PublishedOct 20

Latest updateOct 21

Description

Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

▶debiandebian/python-babel< python-babel 2.8.0+dfsg.1-7 (bookworm)

▶NVDpocoo/babel< 2.9.1

▶PyPIbabel/babel< 2.9.1

▶msrcmsrc/cm1_babel_2.6.0-9_on_cbl_mariner_1.0

▶msrcmsrc/cbl2_babel_2.9.1-1_on_cbl_mariner_2.0

Also affects: Debian Linux 10.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Directory Traversal in Babel↗2021-10-21

▶

GHSA

Directory Traversal in Babel↗2021-10-21

▶

OSV

CVE-2021-42771: Babel↗2021-10-20

▶

📋Vendor Advisories

Microsoft

Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal leading to code execution.↗2021-10-12

▶

Red Hat

python-babel: Relative path traversal allows attacker to load arbitrary locale files and execute arbitrary code↗2021-04-28

▶

Debian

CVE-2021-42771: python-babel - Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .da...↗2021

▶