Lucene search

GitHub_MCVE-2021-41134

HistoryNov 03, 2021 - 6:15 p.m.

CVE-2021-41134

2021-11-0318:15:08

CWE-79

GitHub_M

web.nvd.nist.gov

cve-2021-41134

nbdime

jupyter notebooks

xss

security vulnerability

patching_recommendation

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS

0.001

Percentile

19.4%

JSON

nbdime provides tools for diffing and merging of Jupyter Notebooks. In affected versions a stored cross-site scripting (XSS) issue exists within the Jupyter-owned nbdime project. It appears that when reading the file name and path from disk, the extension does not sanitize the string it constructs before returning it to be displayed. The diffNotebookCheckpoint function within nbdime causes this issue. When attempting to display the name of the local notebook (diffNotebookCheckpoint), nbdime appears to simply append .ipynb to the name of the input file. The NbdimeWidget is then created, and the base string is passed through to the request API function. From there, the frontend simply renders the HTML tag and anything along with it. Users are advised to patch to the most recent version of the affected product.

Affected configurations

Nvd

Vulners

Node

jupyternbdimeRange1.0.0–1.1.1python

jupyternbdimeRange2.0.0–2.1.1python

jupyternbdimeRange3.0.0–3.1.1python

Node

jupyternbdimeRange5.0.0–5.0.2node.js

jupyternbdimeRange6.0.0–6.1.2node.js

Node

jupyternbdime-jupyterlabRange1.0.0–1.0.1node.js

jupyternbdime-jupyterlabRange2.0.0–2.1.1node.js

VendorProductVersionCPE
jupyternbdime*cpe:2.3:a:jupyter:nbdime:*:*:*:*:*:python:*:*
jupyternbdime*cpe:2.3:a:jupyter:nbdime:*:*:*:*:*:node.js:*:*
jupyternbdime-jupyterlab*cpe:2.3:a:jupyter:nbdime-jupyterlab:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
jupyter	nbdime	*	cpe:2.3:a:jupyter:nbdime::::::python::*
jupyter	nbdime	*	cpe:2.3:a:jupyter:nbdime::::::node.js::*
jupyter	nbdime-jupyterlab	*	cpe:2.3:a:jupyter:nbdime-jupyterlab::::::node.js::*

CNA Affected

[
  {
    "product": "nbdime",
    "vendor": "jupyter",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.1.1 - nbdime (pip)"
      },
      {
        "status": "affected",
        "version": ">= 2.0.0 , < 2.1.1 - nbdime (pip)"
      },
      {
        "status": "affected",
        "version": ">= 3.0.0, < 3.1.1 - nbdime (pip)"
      },
      {
        "status": "affected",
        "version": "< 5.0.2 - nbdime (npm)"
      },
      {
        "status": "affected",
        "version": ">= 6.0.0, < 6.1.2 - nbdime (npm)"
      },
      {
        "status": "affected",
        "version": "< 1.0.1 - nbdime-jupyterlab (npm)"
      },
      {
        "status": "affected",
        "version": ">= 2.0.0, < 2.1.1 - nbdime-jupyterlab (npm)"
      }
    ]
  }
]

References

github.com/jupyter/nbdime/commit/e44a5cc7677f24b45ebafc756db49058c2f750ea

github.com/jupyter/nbdime/security/advisories/GHSA-p6rw-44q7-3fw4

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS

0.001

Percentile

19.4%

JSON

Related for CVE-2021-41134