CVE-2021-42771

Опубликовано: 28 апр. 2021

Источник: redhat

CVSS3: 7.8

Описание

Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.

A flaw was found in python-babel. A path traversal vulnerability was found in how locale data files are checked and loaded within python-babel, allowing a local attacker to trick an application that uses python-babel to load a file outside of the intended locale directory. The highest threat from this vulnerability is to data confidentiality and integrity as well as service availability.

Отчет

It is rather uncommon for applications to use Babel.Locale() with an untrusted attacker-controlled language argument. A static language abbreviation string (e.g. "en") is most commonly used instead. For this reason, this flaw has been rated as having a security impact of Moderate.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 6	babel	Out of support scope
Red Hat Enterprise Linux 7	babel	Out of support scope
Red Hat Enterprise Linux 9	babel	Not affected
Red Hat OpenStack Platform 10 (Newton)	babel	Out of support scope
Red Hat OpenStack Platform 13 (Queens)	babel	Out of support scope
Red Hat Quay 3	quay/quay-rhel8	Affected
Red Hat Storage 3	babel	Affected
Red Hat Enterprise Linux 8	python27	Fixed	RHSA-2021:4151	09.11.2021
Red Hat Enterprise Linux 8	python38	Fixed	RHSA-2021:4162	09.11.2021
Red Hat Enterprise Linux 8	python38-devel	Fixed	RHSA-2021:4162	09.11.2021

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-22

https://bugzilla.redhat.com/show_bug.cgi?id=1955615python-babel: Relative path traversal allows attacker to load arbitrary locale files and execute arbitrary code

7.8 High

CVSS3

Связанные уязвимости

CVE-2021-42771

CVSS3: 7.8

ubuntu

больше 3 лет назад

Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.

CVE-2021-42771

CVSS3: 7.8

nvd

больше 3 лет назад

Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.