Relative Path Traversal in Babel 2.9.0 allows an attacker to load arbitrary locale files on disk and execute arbitrary code.
Created babel tracking bugs for this issue:
Affects: fedora-all [bug 1955725]
An application that uses `babel.Locale` to create a new Locale object with an untrusted language argument might be vulnerable to this flaw. The babel library uses the language argument to retrieve a file on disk, but it does not check that the language is a well-formed name free of special path characters (e.g. `..`).
The locale files are essentially pickle dumps, so an attacker who can create a file on the system and trick an application into using that file as a babel Locale can easily execute arbitrary code on the vulnerable system.
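As an added example (not code from the report or from babel itself), the kind of allow-list check an application can place in front of the `babel.Locale` call when the language argument comes from an untrusted source, plus a path-containment check as a second line of defense; the identifier pattern, the `.dat` suffix and the directory layout are assumptions, not babel's actual internals:

```python
import os
import re
from typing import Optional

# Assumed allow-list for locale identifiers such as "en", "en_US", "zh_Hant_TW":
# a 2-3 letter language tag followed by up to three short alphanumeric subtags.
# Anything with "/", "\\", "." or other path characters cannot match.
_LOCALE_RE = re.compile(r"^[A-Za-z]{2,3}(?:[_-][A-Za-z0-9]{2,8}){0,3}$")


def is_wellformed_locale(identifier: str) -> bool:
    """Return True only for identifiers that match the strict allow-list."""
    return bool(_LOCALE_RE.fullmatch(identifier))


def resolve_locale_file(base_dir: str, identifier: str) -> Optional[str]:
    """Map an identifier to <base_dir>/<identifier>.dat (assumed layout).

    Returns None if the identifier fails the allow-list or if the resolved
    path would fall outside base_dir. The second check is defense in depth:
    even if the pattern were loosened later, traversal still cannot escape.
    """
    if not is_wellformed_locale(identifier):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, identifier + ".dat"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: two legitimate identifiers and two traversal attempts.
    for ident in ("en_US", "zh_Hant_TW", "../../tmp/evil", "en_US/../../x"):
        print(f"{ident!r}: {resolve_locale_file('/srv/app/locale-data', ident)}")
```

Only identifiers that pass this check should ever reach `babel.Locale`; everything else is rejected before any file lookup happens.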