| Name | CVE-2021-32862 |
| Description | The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer). |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3442-1, DLA-3863-1 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| nbconvert (PTS) | bullseye | 5.6.1-3 | vulnerable |
| bullseye (security) | 5.6.1-3+deb11u1 | fixed | |
| bookworm | 6.5.3-3 | fixed | |
| sid, trixie | 7.16.6-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| nbconvert | source | buster | 5.4-2+deb10u1 | DLA-3442-1 | ||
| nbconvert | source | bullseye | 5.6.1-3+deb11u1 | DLA-3863-1 | ||
| nbconvert | source | (unstable) | 6.5.1-1 |
https://github.com/jupyter/nbconvert/security/advisories/GHSA-9jmq-rx5f-8jwq
https://github.com/jupyter/nbconvert/commit/d09000bbf076410ce4bd4d9a406f9bbe849cd5c6 (6.5.1)
https://github.com/jupyter/nbconvert/commit/1afcaae89b1cc00a89539863ab91ee04e2240fc1 (6.5.1)
https://github.com/jupyter/nbconvert/commit/14185eb83c63a764886ea36f63ddd30963de9a8c (6.5.1)
https://github.com/jupyter/nbconvert/commit/4b9c5e76bad57eedf1d3cdba244bb05811f64536 (6.5.1)
https://github.com/jupyter/nbconvert/commit/d2d44d4c69ba0edb3a68b5579138603505d98c19 (6.5.1)
https://github.com/jupyter/nbconvert/commit/37b152c0ad04fe53e782887b78662c8ffad1034a (6.5.1)
https://github.com/jupyter/nbconvert/commit/df5cb60d58e5a159da1b33a9d7e7ea14e8637853 (6.5.1)
https://github.com/jupyter/nbconvert/commit/48fe71eb3335caf4e03166e56e0d16efcfbeaf44 (6.5.1)
https://github.com/jupyter/nbconvert/commit/a03cbb8a8d04d47aefec51e7b1b816045682aed5 (6.5.1)
https://github.com/jupyter/nbconvert/commit/b206470f9ecd71b006a37dd1298dd3d9e3dd46dd (6.5.1)
https://github.com/jupyter/nbconvert/commit/0818628718c4a5d3ddd671fbd4881bf176e7d6e2 (6.5.1)
https://github.com/jupyter/nbconvert/commit/bef65d7ab2a469b01e4aa25f44c0f20326f7c7c5 (6.5.1)
Follow-up/regression https://github.com/jupyter/nbconvert/commit/c289e0a61660e612920397799169ed2c5ed35516 (6.5.2)
Follow-up/regression https://github.com/jupyter/nbconvert/commit/1652aa73b0f4900af97c0f1ac08e9573e00155bd (6.5.3)