CVE-2021-20095

Published: 29 April 2021

Relative Path Traversal in Babel 2.9.0 allows an attacker to load arbitrary locale files on disk and execute arbitrary code.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package: python-babel
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Released (2.8.0+dfsg.1-6ubuntu0.1)
Ubuntu 20.10 (Groovy Gorilla): Released (2.8.0+dfsg.1-4ubuntu0.1)
Ubuntu 20.04 LTS (Focal Fossa): Released (2.6.0+dfsg.1-1ubuntu2.2)
Ubuntu 18.04 LTS (Bionic Beaver): Released (2.4.0+dfsg.1-2ubuntu1.1)
Ubuntu 16.04 ESM (Xenial Xerus): Released (1.3+dfsg.1-6ubuntu0.1~esm1)
Ubuntu 14.04 ESM (Trusty Tahr): Released (1.3+dfsg.1-2ubuntu2+esm1)

Patches:
Upstream: https://github.com/python-babel/babel/pull/782/commits/3a700b5b8b53606fd98ef8294a56f9510f7290f8
Upstream: https://github.com/python-babel/babel/pull/782/commits/5caf717ceca4bd235552362b4fbff88983c75d8c (only for Windows)