VDB
PYSEC-2021-421
PYSEC-2021-421
PUBLISHED
CVSS 9.300000190734863 CRITICAL
Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.
Risk Scores
CVSS 4.0
9.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | babel | 2.2.0, 0.9.2, 0.8 |
Timeline
- Oct 20, 2021 CVE Published
- Nov 8, 2023 CVE Updated
References
- https://www.tenable.com/security/research/tra-2021-14 url
- https://github.com/advisories/GHSA-h4m5-qpfp-3mpv advisory
- https://lists.debian.org/debian-lts/2021/10/msg00040.html advisory
- https://github.com/python-babel/babel/pull/782 fix
- https://lists.debian.org/debian-lts-announce/2021/10/msg00018.html advisory