Vulnerability Name:

CVE-2021-42771 (CCN-211766)

Assigned:2021-04-28
Published:2021-04-28
Updated:2021-12-14
Summary:Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.
CVSS v3 Severity:7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
7.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
7.8 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.8 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-22
Vulnerability Consequences:Obtain Information
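The summary above describes two things stacked together: a CWE-22 traversal in how a locale identifier is turned into a .dat path, and a pickle deserialization sink that turns "read an arbitrary file" into "run attacker code". The following is an added example written for this page (not Babel's own code, and DATA_DIR, the resolver names, the regex and the _Payload class are all assumptions of the example): it builds a throwaway locale-data directory, shows the traversable resolver pattern beside a hardened one that allow-lists the identifier and checks the canonical path stays inside the data directory, demonstrates with a harmless pickle (it only creates a marker directory) why loading a traversed file means code execution, and adds a helper for deciding whether a Babel version string is at or past the 2.9.1 fix.

```python
import os
import pickle
import re
import tempfile

# Constructed stand-in for a locale-data directory holding pickled .dat files.
# DATA_DIR and every function below are this example's own assumptions, not
# Babel's code or API.
DATA_DIR = tempfile.mkdtemp(prefix="locale-data-")
with open(os.path.join(DATA_DIR, "en_US.dat"), "wb") as fh:
    pickle.dump({"locale": "en_US", "display_name": "English (United States)"}, fh)


def resolve_locale_filename_traversable(name: str) -> str:
    """The CWE-22 pattern: a caller-controlled identifier is joined straight
    into the path, so '../' segments walk out of DATA_DIR."""
    return os.path.join(DATA_DIR, "%s.dat" % name)


# Conservative allow-list for identifiers such as en_US, zh_Hant_TW or root
# (an assumption of this example; widen it only if a real identifier is rejected).
_LOCALE_ID = re.compile(r"[A-Za-z]{2,8}(?:_[A-Za-z0-9]{1,8})*")


def resolve_locale_filename_hardened(name: str) -> str:
    """Validate the identifier, then prove the canonical path stays inside
    DATA_DIR (realpath also defeats symlink tricks the regex cannot see)."""
    if not isinstance(name, str) or not _LOCALE_ID.fullmatch(name):
        raise ValueError("invalid locale identifier: %r" % (name,))
    base = os.path.realpath(DATA_DIR)
    path = os.path.realpath(os.path.join(base, "%s.dat" % name))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("locale path escapes data directory: %s" % path)
    return path


def escapes_data_dir(path: str) -> bool:
    """True when the canonical form of path lies outside DATA_DIR."""
    base = os.path.realpath(DATA_DIR)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


class _Payload:
    """Harmless stand-in for an attacker's pickle: unpickling calls
    os.mkdir(marker) where a real payload would call something like os.system.
    It exists to show the sink is code execution, not just file disclosure."""

    def __init__(self, marker: str):
        self.marker = marker

    def __reduce__(self):
        return (os.mkdir, (self.marker,))


def load_locale_data(path: str) -> object:
    # pickle.load() invokes whatever callable the stream names; this is the sink.
    with open(path, "rb") as fh:
        return pickle.load(fh)


def is_fixed_version(version: str) -> bool:
    """True when a Babel version string is 2.9.1 or later (the first fixed
    release named in the advisory)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts >= (2, 9, 1)


def demo() -> dict:
    """Exercise both resolvers against a traversal string that points at a
    constructed .dat file outside DATA_DIR; returns a dict of observations."""
    outside = tempfile.mkdtemp(prefix="outside-")
    evil_path = os.path.join(outside, "evil.dat")
    marker = os.path.join(outside, "payload-ran")
    with open(evil_path, "wb") as fh:
        pickle.dump(_Payload(marker), fh)
    # The identifier an attacker would pass: a relative path minus the suffix.
    traversal = os.path.relpath(evil_path, DATA_DIR)[: -len(".dat")]

    results = {}
    vuln_path = resolve_locale_filename_traversable(traversal)
    results["vulnerable_escapes"] = escapes_data_dir(vuln_path)
    load_locale_data(vuln_path)                       # runs the payload
    results["payload_ran"] = os.path.isdir(marker)
    try:
        resolve_locale_filename_hardened(traversal)
        results["hardened_rejects"] = False
    except ValueError:
        results["hardened_rejects"] = True
    good = load_locale_data(resolve_locale_filename_hardened("en_US"))
    results["hardened_serves_real_locale"] = good["locale"] == "en_US"
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check is deliberately kept even though the regex alone already rejects the traversal string: the regex expresses what a locale identifier should look like, while the realpath comparison is the property that actually matters (the file opened is under the data directory), and the two fail independently. Note also that the marker-directory payload runs the instant pickle.load() returns, before any caller gets a chance to inspect the loaded object, which is why the CVSS impact is rated High on all three axes rather than as a read-only information leak.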
References:Source: MITRE
Type: CNA
CVE-2021-42771

Source: CCN
Type: Red Hat Bugzilla – Bug 1955615
(CVE-2021-20095, CVE-2021-42771) - CVE-2021-20095 CVE-2021-42771 python-babel: Relative path traversal allows attacker to load arbitrary locale files and execute arbitrary code

Source: XF
Type: UNKNOWN
pythonbabel-cve202142771-dir-traversal(211766)

Source: CCN
Type: babel GIT Repository
Python-Babel Babel

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/python-babel/babel/pull/782

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20211021 [SECURITY] [DLA 2790-1] python-babel security update

Source: MISC
Type: Mailing List, Third Party Advisory
https://lists.debian.org/debian-lts/2021/10/msg00040.html

Source: DEBIAN
Type: Third Party Advisory
DSA-5018

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: IBM Security Bulletin 6557214 (PowerVC)
CVE-2021-42771

Source: CCN
Type: IBM Security Bulletin 6575667 (Spectrum Discover)
High severity vulnerabilities in libraries used by IBM Spectrum Discover (libraries of libraries)

Source: CCN
Type: IBM Security Bulletin 6856409 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Source: CCN
Type: Tenable Advisory ID: TRA-2021-14
Python-Babel/Babel Locale Directory Traversal / Arbitrary Code Execution

Source: MISC
Type: Exploit, Third Party Advisory
https://www.tenable.com/security/research/tra-2021-14

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-42771

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:pocoo:babel:*:*:*:*:*:*:*:* (Version < 2.9.1)

Configuration 2:
  • cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.6.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:7664 | P | libserf-1-1-1.3.9-2.31 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:7684 | P | libtspi1-0.3.15-150400.1.10 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:7758 | P | python3-Babel-2.8.0-3.3.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:3726 | P | Security update for the Linux Kernel (Important) | 2022-07-21
oval:org.opensuse.security:def:3161 | P | libcares2-1.9.1-9.4.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3543 | P | lftp-4.7.4-3.6.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94655 | P | liblua5_3-5-32bit-5.3.6-3.6.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94791 | P | python3-Babel-2.8.0-3.3.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:102176 | P | Security update for SUSE Manager Server 4.2 (Moderate) | 2022-02-28
oval:org.opensuse.security:def:113245 | P | python36-Babel-2.9.1-3.1 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:84291 | P | Security update for python-Babel (Important) | 2022-01-05
oval:org.opensuse.security:def:84749 | P | Security update for python-Babel (Important) | 2022-01-05
oval:org.opensuse.security:def:88273 | P | Security update for python-Babel (Important) | 2022-01-05
oval:org.opensuse.security:def:88590 | P | Security update for python-Babel (Important) | 2022-01-05
oval:org.opensuse.security:def:49303 | P | Security update for python-Babel (Important) | 2021-12-22
oval:org.opensuse.security:def:20832 | P | Security update for python-Babel (Important) | 2021-12-22
oval:org.opensuse.security:def:111155 | P | Security update for python-Babel (Important) | 2021-12-10
oval:org.opensuse.security:def:76553 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:93276 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:102139 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:108842 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:99168 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:67004 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:93992 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:76072 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:42148 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:100361 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:111822 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:101368 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:117548 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:93433 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:825 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:109322 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:99439 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:67347 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:94203 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:76415 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:42244 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:5915 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:100690 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:95463 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:118413 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:64632 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:93589 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:73754 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:1578 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:99702 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:68753 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:94414 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:76533 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:93115 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:6258 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:101556 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:108034 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:102656 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:95943 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:64815 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:93777 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:73937 | P | Security update for python-Babel (Important) | 2021-12-06
oval:org.opensuse.security:def:100026 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:68773 | P | Security update for python-Babel (Important) | 2021-12-06
oval:com.redhat.rhsa:def:20214151 | P | RHSA-2021:4151: python27:2.7 security update (Moderate) | 2021-11-09
oval:com.redhat.rhsa:def:20214162 | P | RHSA-2021:4162: python38:3.8 and python38-devel:3.8 security update (Moderate) | 2021-11-09
oval:com.redhat.rhsa:def:20214201 | P | RHSA-2021:4201: babel security and bug fix update (Moderate) | 2021-11-09