Lucene search

GitHub_MCVELIST:CVE-2021-39160

HistoryAug 25, 2021 - 6:10 p.m.

CVE-2021-39160 Code injection in nbgitpuller

2021-08-2518:10:11

CWE-94

GitHub_M

www.cve.org

cve-2021-39160

nbgitpuller

code injection

jupyter server

unsanitized input

arbitrary code execution

upgrade.

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.004

Percentile

74.0%

JSON

nbgitpuller is a Jupyter server extension to sync a git repository one-way to a local path. Due to unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment. This has been resolved in version 0.10.2 and all users are advised to upgrade. No work around exist for users who can not upgrade.

CNA Affected

[
  {
    "product": "nbgitpuller",
    "vendor": "jupyterhub",
    "versions": [
      {
        "status": "affected",
        "version": ">= 0.9.0, < 0.10.2"
      }
    ]
  }
]

References

github.com/jupyterhub/nbgitpuller/blob/main/CHANGELOG.md#0102---2021-08-25

github.com/jupyterhub/nbgitpuller/commit/07690644f29a566011dd0d7ba14cae3eb0490481

github.com/jupyterhub/nbgitpuller/security/advisories/GHSA-mq5p-2mcr-m52j

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.004

Percentile

74.0%

JSON

Related for CVELIST:CVE-2021-39160