Description
A flaw was found in python-babel. A path traversal vulnerability was found in how locale data files are checked and loaded within python-babel, allowing a local attacker to trick an application that uses python-babel to load a file outside of the intended locale directory. The highest threat from this vulnerability is to data confidentiality and integrity as well as service availability.
Report
It is rather uncommon for applications to use Babel.Locale() with an untrusted attacker-controlled language argument. A static language abbreviation string (e.g. "en") is most commonly used instead. For this reason, this flaw has been rated as having a security impact of Moderate.
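For applications that do pass a user-supplied language string to a locale loader, the identifier can be validated before it is ever turned into a file path. The following is an added example, not code from Babel or from this advisory; `resolve_locale_file`, `UnsafeLocaleError`, the `.dat` suffix, the `locale-data` directory name and the identifier policy are all assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumed policy: accept only language[_Script][_REGION] identifiers
# such as "en", "pt_BR" or "zh_Hans_CN".
LOCALE_ID = re.compile(
    r"[A-Za-z]{2,3}(?:_[A-Za-z]{4})?(?:_(?:[A-Za-z]{2}|[0-9]{3}))?"
)


class UnsafeLocaleError(ValueError):
    """Raised when an identifier must not reach the locale loader."""


def resolve_locale_file(locale_dir, identifier, suffix=".dat"):
    """Map an untrusted identifier to a data file inside locale_dir."""
    if not isinstance(identifier, str) or not LOCALE_ID.fullmatch(identifier):
        raise UnsafeLocaleError("malformed locale identifier")
    base = os.path.realpath(locale_dir)
    candidate = os.path.realpath(os.path.join(base, identifier + suffix))
    # Defence in depth: a symlink inside locale_dir could still point outside.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeLocaleError("resolved path leaves the locale directory")
    if not os.path.isfile(candidate):
        raise UnsafeLocaleError("unknown locale")
    return candidate


def demo():
    """Run the check over constructed inputs; return {identifier: accepted}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        locale_dir = os.path.join(root, "locale-data")
        os.mkdir(locale_dir)
        for name in ("en.dat", "pt_BR.dat"):
            open(os.path.join(locale_dir, name), "wb").close()
        # Constructed file outside the locale directory.
        open(os.path.join(root, "secret.dat"), "wb").close()
        for ident in ("en", "pt_BR", "xx", "../secret", "en/../../secret", ""):
            try:
                resolve_locale_file(locale_dir, ident)
                results[ident] = True
            except UnsafeLocaleError:
                results[ident] = False
    return results


if __name__ == "__main__":
    print(demo())
```

Only identifiers that match the policy and resolve to an existing file inside the locale directory are accepted; everything else is rejected before any file is opened.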
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | babel | Out of support scope | | |
Red Hat Enterprise Linux 7 | babel | Out of support scope | | |
Red Hat Enterprise Linux 9 | babel | Not affected | | |
Red Hat OpenStack Platform 10 (Newton) | babel | Out of support scope | | |
Red Hat OpenStack Platform 13 (Queens) | babel | Out of support scope | | |
Red Hat Quay 3 | quay/quay-rhel8 | Affected | | |
Red Hat Storage 3 | babel | Affected | | |
Red Hat Enterprise Linux 8 | python27 | Fixed | RHSA-2021:4151 | 09.11.2021 |
Red Hat Enterprise Linux 8 | python38 | Fixed | RHSA-2021:4162 | 09.11.2021 |
Red Hat Enterprise Linux 8 | python38-devel | Fixed | RHSA-2021:4162 | 09.11.2021 |
Additional information
Status:
7.8 High
CVSS3
Related vulnerabilities
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none
Relative Path Traversal in Babel 2.9.0 allows an attacker to load arbitrary locale files on disk and execute arbitrary code.
ELSA-2021-4201: babel security and bug fix update (MODERATE)
7.8 High
CVSS3