Bug 1955615 (CVE-2021-20095, CVE-2021-42771) - CVE-2021-20095 CVE-2021-42771 python-babel: Relative path traversal allows attacker to load arbitrary locale files and execute arbitrary code
Status: CLOSED ERRATA
Alias: CVE-2021-20095, CVE-2021-42771
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Duplicates: 2016686
Depends On: 1954814 1955725 1956899 1956900 1956901 1956902 1956903 1956904 1957075 1964344 1969504 1969520
Blocks: 1955616
Reported: 2021-04-30 14:18 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-11-08 14:41 UTC

Fixed In Version: python-babel 2.9.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-babel. A path traversal vulnerability was found in how locale data files are checked and loaded within python-babel, allowing a local attacker to trick an application that uses python-babel to load a file outside of the intended locale directory. The highest threat from this vulnerability is to data confidentiality and integrity as well as service availability.
Last Closed: 2021-08-24 15:35:14 UTC

Links
System ID | Last Updated
Red Hat Product Errata RHSA-2021:3252 | 2021-08-24 08:05:37 UTC
Red Hat Product Errata RHSA-2021:3254 | 2021-08-24 08:09:18 UTC
Red Hat Product Errata RHSA-2021:4151 | 2021-11-09 17:25:19 UTC
Red Hat Product Errata RHSA-2021:4162 | 2021-11-09 17:28:21 UTC
Red Hat Product Errata RHSA-2021:4201 | 2021-11-09 17:42:34 UTC

Description Guilherme de Almeida Suckevicz 2021-04-30 14:18:16 UTC
Relative Path Traversal in Babel 2.9.0 allows an attacker to load arbitrary locale files on disk and execute arbitrary code.

Reference:
https://www.tenable.com/security/research/tra-2021-14

Upstream patch:
https://github.com/python-babel/babel/pull/782

Comment 1 Guilherme de Almeida Suckevicz 2021-04-30 17:39:27 UTC
Created babel tracking bugs for this issue:

Affects: fedora-all [bug 1955725]

Comment 2 Riccardo Schirone 2021-05-04 15:01:18 UTC
External References:

https://www.tenable.com/security/research/tra-2021-14

Comment 4 Riccardo Schirone 2021-05-04 15:43:58 UTC
An application that uses `babel.Locale` to create a new Locale object with an untrusted language argument might be vulnerable to this flaw. The babel library uses the language argument to retrieve a file on disk; however, it does not perform any check to ensure that the language is a well-formed name and that it does not contain special path characters (e.g. `..`).

The locale files are essentially pickle dumps, thus an attacker who can create a file on the system and trick an application into using that file as a babel Locale can easily execute arbitrary code on the vulnerable system.
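
As an added example (not babel's own code and not the upstream patch), an application-side guard that validates an untrusted locale identifier before it is handed to `babel.Locale`, implementing the two checks the comment above implies: a strict allowlist for the identifier itself, and a containment check that the resolved data file stays inside the locale-data directory. The directory path `LOCALE_DATA_DIR` and the `.dat` suffix are assumptions for the example.

```python
import os
import re

# Added example, not babel's own code: an application-side guard run on an
# untrusted locale identifier before it reaches babel.Locale. In Babel 2.9.0
# the identifier was used to build the path of a pickled locale-data file
# without rejecting path characters, so ".." could leave the locale directory.

# Allowlist for plain locale tags such as "en", "en_US", "zh_Hant_TW":
# letters, digits and single underscores only, so no separator or ".." fits.
_LOCALE_TAG_RE = re.compile(r"[A-Za-z]{2,3}(?:_[A-Za-z0-9]{2,8})*")

# Assumed location of the locale-data directory (placeholder path).
LOCALE_DATA_DIR = "/opt/app/locale-data"


def is_safe_locale_tag(identifier):
    """True only for identifiers that cannot name a path component."""
    return _LOCALE_TAG_RE.fullmatch(identifier) is not None


def locale_file_within(base_dir, identifier):
    """Defence in depth: resolve <base_dir>/<identifier>.dat and check containment.

    Returns the resolved path, or None when it would escape base_dir.
    Uses os.path only, so it runs without babel installed.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, identifier + ".dat"))
    # commonpath rejects a sibling such as "/opt/app/locale-data-evil", which
    # a plain startswith(base) test would wrongly accept.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def check_untrusted_locale(identifier, base_dir=LOCALE_DATA_DIR):
    """Raise ValueError for identifiers that must not be passed to babel.Locale."""
    if not is_safe_locale_tag(identifier):
        raise ValueError("rejected locale identifier: %r" % identifier)
    if locale_file_within(base_dir, identifier) is None:
        raise ValueError("locale identifier escapes %s: %r" % (base_dir, identifier))
    return identifier
```

The allowlist alone is sufficient to block traversal; the containment check is kept as a second layer for code paths that bypass the allowlist, and it does nothing to protect against an attacker who can already write into the locale-data directory.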

Comment 13 errata-xmlrpc 2021-08-24 08:05:35 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3252 https://access.redhat.com/errata/RHSA-2021:3252

Comment 14 errata-xmlrpc 2021-08-24 08:09:16 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254

Comment 15 Product Security DevOps Team 2021-08-24 15:35:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20095

Comment 16 Sandipan Roy 2021-10-25 05:00:22 UTC
*** Bug 2016686 has been marked as a duplicate of this bug. ***

Comment 18 Doran Moppert 2021-10-26 07:02:54 UTC
Note: this CVE ID was rejected by MITRE, and CVE-2021-42771 used instead to track this issue. Since Red Hat has already shipped errata referencing CVE-2021-20095, we continue to use this ID and instead mark CVE-2021-42771 as a duplicate for our purposes.

Both identifiers reference the same issue and carry the same analysis results, so the net result in terms of affected & fixed products is the same.

Comment 19 Tomas Hoger 2021-11-05 10:34:13 UTC
Adding the new CVE-2021-42771 here as well, while keeping the original CVE-2021-20095 listed here as well, as it was already used in released errata.

Comment 20 errata-xmlrpc 2021-11-09 17:25:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4151 https://access.redhat.com/errata/RHSA-2021:4151

Comment 21 errata-xmlrpc 2021-11-09 17:28:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162

Comment 22 errata-xmlrpc 2021-11-09 17:42:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4201 https://access.redhat.com/errata/RHSA-2021:4201
