CVE-2021-42771 (High) detected in Babel-2.9.0-py2.py3-none-any.whl

[mend-bolt-for-github]

CVE-2021-42771 - High Severity Vulnerability

Vulnerable Library - Babel-2.9.0-py2.py3-none-any.whl

Internationalization utilities

Library home page: https://files.pythonhosted.org/packages/dd/a5/81076e10b5ef74493cf08a8e419e61b64324c9c55db4aa7f89c0240c4873/Babel-2.9.0-py2.py3-none-any.whl

Path to dependency file: /vendor/guzzlehttp/guzzle/docs/requirements.txt

Path to vulnerable library: /vendor/guzzlehttp/guzzle/docs/requirements.txt,/vendor/guzzlehttp/ringphp/docs/requirements.txt

Dependency Hierarchy:

• Sphinx-1.8.5-py2.py3-none-any.whl (Root Library)
  • ❌ Babel-2.9.0-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.

Publish Date: 2021-10-20

URL: CVE-2021-42771

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42771

Release Date: 2021-10-20

Fix Resolution: Babel - 2.9.1

---

Step up your Open Source Security Game with Mend here