CVE-2021-42771

Published: 20 October 2021

Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package: python-babel (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Released (2.8.0+dfsg.1-7)
Ubuntu 21.10 (Impish Indri): Not vulnerable (2.8.0+dfsg.1-7)
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (2.8.0+dfsg.1-6ubuntu0.1)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (2.6.0+dfsg.1-1ubuntu2.2)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (2.4.0+dfsg.1-2ubuntu1.1)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (1.3+dfsg.1-6ubuntu0.1~esm1)
Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (1.3+dfsg.1-2ubuntu2+esm1)

Patches:
Upstream: https://github.com/python-babel/babel/pull/782/commits/3a700b5b8b53606fd98ef8294a56f9510f7290f8
Upstream: https://github.com/python-babel/babel/pull/782/commits/5caf717ceca4bd235552362b4fbff88983c75d8c (windows only)