Home/CVE/Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python ob
CVE
CVE-2021-42771
Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python ob
Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.
HIGH · CVSS 7.8
EPSS 0.00169
Act now
- Public exploit or PoC is available
- CVSS base score ≥ 7.0
Sigma rules0
YARA rules0
Look this up elsewhere - one-click external pivots
▸
How to read a CVE - triage first, then detect and patch
This page is every public fact about CVE-2021-42771, cross-linked. Its job is to answer one question fast - does this need my attention now? - and then hand you the two things you do about it. Here is how an analyst reads it.
Triage: should I act now? Four signals, and they are not interchangeable:
CVSSseverity - how bad it is IF exploited, 0-10. A high CVSS alone is not urgency; a flaw can be a perfect 10 and never actually be attacked.
EPSSprobability - a model’s estimate of the chance it is exploited in the next 30 days, 0-1. This is the “will it actually happen” signal.
CISA KEVconfirmed - it is being exploited in the wild right now. The strongest signal on the page; KEV beats any score.
Weaponisedavailability - public exploits / PoCs, and especially Metasploit modules rated Excellent / Great. Reliable, packaged exploit code means low-skill attackers can use it today.
How they combine: KEV, or a dependable Metasploit module, means patch now regardless of CVSS. High CVSS + low EPSS + no exploit is real but not an emergency - schedule it. Low CVSS but KEV-listed still gets patched now. The verdict above already weighed these for you; this is how it got there.
Then what - two workflows:
Detectwhen you cannot patch today, follow this CVE to the ATT&CK techniques it enables, then Build a SIEM detection (the green button) - author a rule, test it in Atomic, deploy it. That buys visibility while the patch waits.
PatchAffected products / packages tell you if you are exposed; Fixed versions by distribution and Vendor advisories give the exact version that closes it.
Reading order for the panels below: verdict + badges, then Public exploits / Metasploit (is it weaponised), then ATT&CK techniques + Sigma / IDS rules (can I detect it), then Affected products / packages + Fixed versions (am I exposed, what patches it), then Threat actors / IOCs (who uses it), then Scoring & timeline / references (the evidence).
◆
ATT&CK techniques
1Techniques this CVE enables - linked via CWECAPECATT&CK. High◆ = named directly in ATT&CK or Nuclei templates.
▤ Build a SIEM detection for these techniques▤
CAPEC attack patterns
5Attack patterns this CVE enables - the bridge from weakness to ATT&CK technique.
⬡
Weakness Classification
▤
Affected Products & Versions
2pocoo babel< 2.9.1
debian linuxall versions
▤
Affected Packages
5Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.
PyPI
babel
HIGH
fixed in 2.9.1
Ubuntu:18.04:LTS
python-babel
fixed in 2.4.0+dfsg.1-2ubuntu1.1
Ubuntu:20.04:LTS
python-babel
fixed in 2.6.0+dfsg.1-1ubuntu2.2
Ubuntu:Pro:14.04:LTS
python-babel
fixed in 1.3+dfsg.1-2ubuntu2+esm1
Ubuntu:Pro:16.04:LTS
python-babel
fixed in 1.3+dfsg.1-6ubuntu0.1~esm1
⚠
Public Exploits & PoCs
4These PoC and exploit links come from public sources and are not verified to be safe or functional. Review the code before running anything, and treat unverified entries as untrusted.
📦
Fixed versions by distribution
80The package version that resolves this CVE on each Linux distribution, from the vendor’s published security data. fixed in shows a patched version exists; open means the package is listed as affected with no fix yet.
alpine edgepy3-babel fixed in 2.9.1-r0
alpine v3.19py3-babel fixed in 2.9.1-r0
alpine v3.20py3-babel fixed in 2.9.1-r0
oracle allbabel fixed in 0:2.5.1-10.module+el8.5.0+20361+8a9d3d27
oracle allpython-nose-docs open
oracle allpython2 open
oracle allpython2-Cython fixed in 0:0.28.1-7.module+el8.3.0+7833+4aaf98ce
oracle allpython2-PyMySQL fixed in 0:0.8.0-10.module+el8.3.0+7833+4aaf98ce
oracle allpython2-attrs fixed in 0:17.4.0-10.module+el8.3.0+7833+4aaf98ce
oracle allpython2-babel open
oracle allpython2-backports open
oracle allpython2-backports-ssl_match_hostname open
oracle allpython2-bson fixed in 0:3.7.0-1.module+el8.5.0+20361+8a9d3d27
oracle allpython2-chardet fixed in 0:3.0.4-10.module+el8.3.0+7833+4aaf98ce
oracle allpython2-coverage open
oracle allpython2-debug fixed in 0:2.7.18-7.0.1.module+el8.5.0+20361+8a9d3d27
oracle allpython2-devel fixed in 0:2.7.18-7.0.1.module+el8.5.0+20361+8a9d3d27
oracle allpython2-dns open
oracle allpython2-docs open
oracle allpython2-docs-info fixed in 0:2.7.16-2.module+el8.3.0+7833+4aaf98ce
oracle allpython2-docutils open
oracle allpython2-funcsigs open
oracle allpython2-idna fixed in 0:2.5-7.module+el8.3.0+7833+4aaf98ce
oracle allpython2-ipaddress fixed in 0:1.0.18-6.module+el8.3.0+7833+4aaf98ce
oracle allpython2-jinja2 fixed in 0:2.10-9.module+el8.5.0+20361+8a9d3d27
oracle allpython2-libs open
oracle allpython2-lxml fixed in 0:4.2.3-5.module+el8.5.0+20361+8a9d3d27
oracle allpython2-markupsafe fixed in 0:0.23-19.module+el8.3.0+7833+4aaf98ce
oracle allpython2-mock fixed in 0:2.0.0-13.module+el8.3.0+7833+4aaf98ce
oracle allpython2-nose fixed in 0:1.3.7-31.module+el8.5.0+20361+8a9d3d27
oracle allpython2-numpy fixed in 1:1.14.2-16.module+el8.4.0+20050+79c7b4ee
oracle allpython2-numpy-f2py fixed in 1:1.14.2-16.module+el8.4.0+20050+79c7b4ee
oracle allpython2-pip fixed in 0:9.0.3-18.module+el8.3.0+7833+4aaf98ce
oracle allpython2-pip-wheel open
oracle allpython2-pluggy open
oracle allpython2-psycopg2 fixed in 0:2.7.5-7.module+el8.3.0+7833+4aaf98ce
oracle allpython2-psycopg2-debug open
oracle allpython2-psycopg2-tests open
oracle allpython2-py fixed in 0:1.5.3-6.module+el8.3.0+7833+4aaf98ce
oracle allpython2-pygments open
oracle allpython2-pymongo fixed in 0:3.7.0-1.module+el8.5.0+20361+8a9d3d27
oracle allpython2-pymongo-gridfs open
oracle allpython2-pysocks open
oracle allpython2-pytest open
oracle allpython2-pytest-mock open
oracle allpython2-pytz fixed in 0:2017.2-12.module+el8.3.0+7833+4aaf98ce
oracle allpython2-pyyaml fixed in 0:3.12-16.module+el8.3.0+7833+4aaf98ce
oracle allpython2-requests open
oracle allpython2-rpm-macros fixed in 0:3-38.module+el8.3.0+7833+4aaf98ce
oracle allpython2-scipy open
oracle allpython2-setuptools fixed in 0:39.0.1-13.module+el8.4.0+20050+79c7b4ee
oracle allpython2-setuptools-wheel fixed in 0:39.0.1-13.module+el8.4.0+20050+79c7b4ee
oracle allpython2-setuptools_scm fixed in 0:1.15.7-6.module+el8.3.0+7833+4aaf98ce
oracle allpython2-six fixed in 0:1.11.0-6.module+el8.4.0+20050+79c7b4ee
oracle allpython2-sqlalchemy fixed in 0:1.3.2-2.module+el8.3.0+7833+4aaf98ce
oracle allpython2-test fixed in 0:2.7.18-7.0.1.module+el8.5.0+20361+8a9d3d27
oracle allpython2-tkinter open
oracle allpython2-tools open
oracle allpython2-urllib3 open
oracle allpython2-virtualenv fixed in 0:15.1.0-21.module+el8.5.0+20361+8a9d3d27
oracle allpython2-wheel open
oracle allpython2-wheel-wheel open
oracle allpython3-babel open
oracle allpython38 fixed in 0:3.8.8-4.module+el8.5.0+20371+4f24d723
oracle allpython38-Cython fixed in 0:0.29.14-4.module+el8.4.0+20068+32a535e2
oracle allpython38-PyMySQL fixed in 0:0.10.1-1.module+el8.4.0+20068+32a535e2
oracle allpython38-asn1crypto open
oracle allpython38-atomicwrites open
oracle allpython38-attrs fixed in 0:19.3.0-3.module+el8.2.0+5579+085cd3bd
oracle allpython38-babel fixed in 0:2.7.0-11.module+el8.5.0+20371+4f24d723
oracle allpython38-cffi fixed in 0:1.13.2-3.module+el8.4.0+20068+32a535e2
oracle allpython38-chardet open
oracle allpython38-cryptography fixed in 0:2.8-3.module+el8.4.0+20068+32a535e2
oracle allpython38-debug open
oracle allpython38-devel fixed in 0:3.8.8-4.module+el8.5.0+20371+4f24d723
oracle allpython38-idle fixed in 0:3.8.8-4.module+el8.5.0+20371+4f24d723
oracle allpython38-idna open
oracle allpython38-jinja2 fixed in 0:2.10.3-5.module+el8.5.0+20371+4f24d723
oracle allpython38-libs fixed in 0:3.8.8-4.module+el8.5.0+20371+4f24d723
oracle allpython38-lxml fixed in 0:4.4.1-6.module+el8.5.0+20371+4f24d723
▣
Scoring & Timeline
7.8
HIGH · CVSS v3.1 · [email protected]
Attack Vector
Network
Adjacent
Local
Physical
Attack Complexity
Low
High
Privileges Required
None
Low
High
User Interaction
None
Required
Scope
Unchanged
Changed
Confidentiality
None
Low
High
Integrity
None
Low
High
Availability
None
Low
High
⚑
Vendor Advisories
15suse-csafopenSUSE-SU-2024:14127-1
suse-csafopenSUSE-SU-2024:11602-1
suse-csafSUSE-SU-2022:3590-1
suse-csafSUSE-SU-2022:0028-1
suse-csafSUSE-SU-2022:0029-1
🔗
References & Sources
4Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.
https://www.debian.org/security/2021/dsa-5018Third Party Advisory