CVE-2021-42771

Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 49%
Affected Products (NVD)
VendorProductVersion
pocoobabel
𝑥
< 2.9.1
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-babel
bookworm
2.10.3-1
fixed
bullseye
2.8.0+dfsg.1-7
fixed
sid
2.14.0-1
fixed
trixie
2.14.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-babel
bionic
not-affected
focal
not-affected
hirsute
not-affected
impish
not-affected
jammy
not-affected
trusty
not-affected
xenial
not-affected
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
python2-Babel
suse enterprise sap 15
2.5.1-150000.3.3.1
fixed
suse enterprise sap 15 SP1
2.5.1-150000.3.3.1
fixed
suse enterprise server 15
2.5.1-150000.3.3.1
fixed
suse enterprise server 15 SP1
2.5.1-150000.3.3.1
fixed
python3-Babel
suse enterprise sap 15
2.5.1-150000.3.3.1
fixed
suse enterprise sap 15 SP1
2.5.1-150000.3.3.1
fixed
suse enterprise server 15
2.5.1-150000.3.3.1
fixed
suse enterprise server 15 SP1
2.5.1-150000.3.3.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
babel
Amazon Linux 2
0:0.9.6-8.amzn2.0.2
fixed
python-babel
Amazon Linux 2
0:0.9.6-8.amzn2.0.2
fixed
python26-babel
Amazon Linux 1
0:0.9.4-5.1.9.amzn1
fixed
python27-babel
Amazon Linux 1
0:0.9.4-5.1.9.amzn1
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
babel
CBL-Mariner 1.0
0:2.6.0-9.cm1
fixed
CBL-Mariner 2.0
0:2.9.1-1.cm2
fixed