CVE-2021-32862

Name: CVE-2021-32862
Description: The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML, which may lead to cross-site scripting (XSS) if these HTML notebooks are served by a web server (e.g. nbviewer).
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3442-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   | Release           | Version        | Status
nbconvert (PTS)  | buster            | 5.4-2          | vulnerable
                 | buster (security) | 5.4-2+deb10u1  | fixed
                 | bullseye          | 5.6.1-3        | vulnerable
                 | bookworm          | 6.5.3-3        | fixed
                 | sid, trixie       | 6.5.3-5        | fixed

The information below is based on the following data on fixed versions.

Package   | Type   | Release    | Fixed Version  | Urgency | Origin     | Debian Bugs
nbconvert | source | buster     | 5.4-2+deb10u1  |         | DLA-3442-1 |
nbconvert | source | (unstable) | 6.5.1-1        |         |            |

Notes

https://github.com/jupyter/nbconvert/security/advisories/GHSA-9jmq-rx5f-8jwq
https://github.com/jupyter/nbconvert/commit/d09000bbf076410ce4bd4d9a406f9bbe849cd5c6 (6.5.1)
https://github.com/jupyter/nbconvert/commit/1afcaae89b1cc00a89539863ab91ee04e2240fc1 (6.5.1)
https://github.com/jupyter/nbconvert/commit/14185eb83c63a764886ea36f63ddd30963de9a8c (6.5.1)
https://github.com/jupyter/nbconvert/commit/4b9c5e76bad57eedf1d3cdba244bb05811f64536 (6.5.1)
https://github.com/jupyter/nbconvert/commit/d2d44d4c69ba0edb3a68b5579138603505d98c19 (6.5.1)
https://github.com/jupyter/nbconvert/commit/37b152c0ad04fe53e782887b78662c8ffad1034a (6.5.1)
https://github.com/jupyter/nbconvert/commit/df5cb60d58e5a159da1b33a9d7e7ea14e8637853 (6.5.1)
https://github.com/jupyter/nbconvert/commit/48fe71eb3335caf4e03166e56e0d16efcfbeaf44 (6.5.1)
https://github.com/jupyter/nbconvert/commit/a03cbb8a8d04d47aefec51e7b1b816045682aed5 (6.5.1)
https://github.com/jupyter/nbconvert/commit/b206470f9ecd71b006a37dd1298dd3d9e3dd46dd (6.5.1)
https://github.com/jupyter/nbconvert/commit/0818628718c4a5d3ddd671fbd4881bf176e7d6e2 (6.5.1)
https://github.com/jupyter/nbconvert/commit/bef65d7ab2a469b01e4aa25f44c0f20326f7c7c5 (6.5.1)
Follow-up/regression https://github.com/jupyter/nbconvert/commit/c289e0a61660e612920397799169ed2c5ed35516 (6.5.2)
Follow-up/regression https://github.com/jupyter/nbconvert/commit/1652aa73b0f4900af97c0f1ac08e9573e00155bd (6.5.3)
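Added example, not from the tracker, the advisory or the nbconvert project: a minimal stand-in for an HTML exporter run over a constructed three-cell notebook. `render(nb, trust_html=True)` reproduces the pattern the description warns about (markdown/raw cell source and `text/html` outputs emitted verbatim into the page), `render(nb, trust_html=False)` passes those fragments through a small allowlist sanitizer, and `find_active_content` is a pre-publication check that lists what the sanitizer would strip. The cell contents, the tag and attribute allowlists, and the names `html_fragments`, `AllowlistSanitizer`, `render`, `sanitize` and `find_active_content` are assumptions of this example; the stand-in does not render markdown syntax and covers three of the injection paths, not all sixteen.

```python
import html
import json
from html.parser import HTMLParser

# Constructed sample notebook (not from the advisory): a markdown cell with inline
# HTML, a text/html output, and a stdout stream that only needs escaping.
SAMPLE_NOTEBOOK = json.dumps({"nbformat": 4, "nbformat_minor": 5, "metadata": {}, "cells": [
    {"cell_type": "markdown", "metadata": {},
     "source": ["Hello <img src=x onerror=\"alert(1)\">"]},
    {"cell_type": "code", "metadata": {}, "execution_count": 1, "source": ["display(HTML(payload))"],
     "outputs": [{"output_type": "display_data", "metadata": {},
                  "data": {"text/html": ["<b>bold</b><script>alert(2)</script>"],
                           "text/plain": ["<IPython.core.display.HTML object>"]}}]},
    {"cell_type": "code", "metadata": {}, "execution_count": 2, "source": ["print('<i>x</i>')"],
     "outputs": [{"output_type": "stream", "name": "stdout", "text": ["<i>x</i>\n"]}]},
]})

# Hypothetical, deliberately small allowlists.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "code", "pre", "a", "img", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
VOID_TAGS = {"img", "br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuild a fragment keeping only allowlisted tags/attributes; text is escaped.
    Everything removed is recorded in self.dropped, so one pass also serves as an audit."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []
        self.skip_depth = 0  # > 0 inside <script>/<style>: their text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)  # unknown tag removed, its text still emitted escaped
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append("%s@%s" % (tag, name))  # e.g. img@onerror
            elif name in ("href", "src") and not value.lower().lstrip().startswith(SAFE_URL_PREFIXES):
                self.dropped.append("%s@%s:unsafe-url" % (tag, name))  # javascript:, data:, ...
            else:
                kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def _run(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser


def sanitize(fragment):
    return "".join(_run(fragment).out)


def load_notebook(text):
    return json.loads(text)


def html_fragments(nb):
    """Yield (cell_index, kind, text) for each fragment an exporter would emit as raw HTML."""
    for i, cell in enumerate(nb["cells"]):
        if cell["cell_type"] in ("markdown", "raw"):
            yield i, cell["cell_type"], "".join(cell.get("source", []))
        for out in cell.get("outputs", []):
            if "text/html" in out.get("data", {}):
                yield i, "text/html", "".join(out["data"]["text/html"])


def render(nb, trust_html):
    """Stand-in exporter. trust_html=True mirrors the vulnerable behaviour (raw-HTML
    fragments pass through verbatim); False sanitizes them. Plain text is always escaped."""
    parts = []
    for cell in nb["cells"]:
        if cell["cell_type"] in ("markdown", "raw"):
            src = "".join(cell.get("source", []))
            parts.append(src if trust_html else sanitize(src))
        for out in cell.get("outputs", []):
            data = out.get("data", {})
            if out.get("output_type") == "stream":
                parts.append("<pre>%s</pre>" % html.escape("".join(out["text"])))
            elif "text/html" in data:
                frag = "".join(data["text/html"])
                parts.append(frag if trust_html else sanitize(frag))
            elif "text/plain" in data:
                parts.append("<pre>%s</pre>" % html.escape("".join(data["text/plain"])))
    return "\n".join(parts)


def find_active_content(nb):
    """Pre-publication check: (cell_index, kind, what) for each tag/attribute the
    allowlist would strip, i.e. content that must not be served unsanitized."""
    return [(i, kind, item) for i, kind, frag in html_fragments(nb) for item in _run(frag).dropped]
```

Running `render(load_notebook(SAMPLE_NOTEBOOK), trust_html=True)` puts the `onerror` handler and the `<script>` element straight into the page, which is the situation that becomes XSS once the file is served from a shared origin such as nbviewer; the sanitized rendering keeps `<b>bold</b>`, reduces the image to `<img>` and drops the script, and `find_active_content` reports exactly those removals so a publishing pipeline can reject or quarantine the notebook before conversion. The practitioner's checks for this CVE are to run a fixed version from the tables above and, when converting notebooks from untrusted authors, to enable the sanitization upstream added in 6.5.1 (the opt-in `HTMLExporter.sanitize_html` setting) or apply an equivalent allowlist sanitizer to every HTML-bearing fragment, not only to `text/html` outputs.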
