CVE-2021-42771: Directory Traversal in Babel
Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.
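The defect described above is a path-construction problem: a locale identifier supplied by the caller is turned into a filename, and the file that results is then deserialized, so any file reachable by traversal becomes a code-execution primitive. The Python below is an added illustration written for this page, not Babel's code and not the patch referenced below; it contrasts a loader that splices the identifier straight into a path with one that validates the identifier and independently confirms the resolved path stays inside the data directory. `DATA_DIR`, the identifier alphabet in `_LOCALE_RE` and all function names are assumptions of this example.

```python
import os
import re

# Constructed data directory for this example (assumption; not Babel's layout).
# realpath() so that later containment checks compare like with like.
DATA_DIR = os.path.realpath("locale-data")

# Assumption: a locale identifier is letters, digits and underscores only
# (e.g. "en", "en_US", "zh_Hant_TW"); anything else is rejected outright.
_LOCALE_RE = re.compile(r"^[A-Za-z0-9_]+$")


def resolve_locale_filename_unsafe(name):
    """Vulnerable pattern: the caller-supplied name is spliced into the path.

    A name such as "../../tmp/evil" leaves DATA_DIR, so whatever .dat file
    sits at the resulting location is what the caller will deserialize.
    """
    return os.path.join(DATA_DIR, "%s.dat" % name)


def locale_name_is_safe(name):
    """First line of defence: syntactic validation of the identifier."""
    return isinstance(name, str) and _LOCALE_RE.match(name) is not None


def path_is_inside(base, path):
    """Second, independent check: the resolved path must stay under base."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    try:
        return os.path.commonpath([base, path]) == base
    except ValueError:  # different drives on Windows: cannot be inside
        return False


def resolve_locale_filename_safe(name):
    """Hardened version: reject bad identifiers, then re-check containment."""
    if not locale_name_is_safe(name):
        raise ValueError("invalid locale identifier: %r" % (name,))
    path = os.path.join(DATA_DIR, "%s.dat" % name)
    if not path_is_inside(DATA_DIR, path):
        raise ValueError("locale path escapes data directory: %r" % (path,))
    return path


def try_resolve(name):
    """Return the resolved path, or None if the hardened resolver rejects it."""
    try:
        return resolve_locale_filename_safe(name)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed candidates: one legitimate identifier, two traversal attempts.
    for candidate in ["en_US", "../../tmp/evil", "en_US/../../evil"]:
        print("%-20r unsafe=%s safe=%s" % (
            candidate,
            resolve_locale_filename_unsafe(candidate),
            try_resolve(candidate)))
```

The strict identifier check is what actually closes the hole; the containment check is defence in depth for the case where a later change loosens the alphabet or builds the path differently. Either check alone would have stopped the traversal, but a loader that deserializes its data files should keep both, since a single missed path means arbitrary object deserialization.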
References
- github.com/advisories/GHSA-h4m5-qpfp-3mpv
- github.com/pypa/advisory-database/tree/main/vulns/babel/PYSEC-2021-421.yaml
- github.com/python-babel/babel
- github.com/python-babel/babel/commit/412015ef642bfcc0d8ba8f4d05cdbb6aac98d9b3
- github.com/python-babel/babel/pull/782
- lists.debian.org/debian-lts-announce/2021/10/msg00018.html
- lists.debian.org/debian-lts/2021/10/msg00040.html
- nvd.nist.gov/vuln/detail/CVE-2021-42771
- www.debian.org/security/2021/dsa-5018
- www.tenable.com/security/research/tra-2021-14