CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
25.0%
Package : nbconvert
Version : 5.4-2+deb10u1
CVE ID : CVE-2021-32862
Alvaro Muñoz from the GitHub Security Lab discovered sixteen ways to
exploit a cross-site scripting vulnerability in nbconvert, a tool and
library used to convert notebooks to various other formats via Jinja
templates.
When using nbconvert to generate an HTML version of a user-controllable
notebook, it is possible to inject arbitrary HTML which may lead to
cross-site scripting (XSS) vulnerabilities if these HTML notebooks are
served by a web server without tight Content-Security-Policy (e.g.,
nbviewer).
Some of these vulnerabilities, namely GHSL-2021-1017, -1020, -1021, and
-1028, are actually design decisions where text/html, text/markdown,
application/JavaScript and markdown cells should allow for arbitrary
JavaScript code execution. These vulnerabilities are therefore left open
by default, but users can now opt out and strip all JavaScript
elements via the new HTMLExporter option sanitize_html.
For Debian 10 buster, this problem has been fixed in version
5.4-2+deb10u1.
We recommend that you upgrade your nbconvert packages.
For the detailed security status of nbconvert please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nbconvert
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
OS | Version | Architecture | Package | Affected version | Filename |
---|---|---|---|---|---|
Debian | 11 | all | python-nbconvert-doc | < 5.6.1-3+deb11u1 | python-nbconvert-doc_5.6.1-3+deb11u1_all.deb |
Debian | 10 | all | python-nbconvert-doc | < 5.4-2+deb10u1 | python-nbconvert-doc_5.4-2+deb10u1_all.deb |
Debian | 11 | all | nbconvert | < 5.6.1-3+deb11u1 | nbconvert_5.6.1-3+deb11u1_all.deb |
Debian | 10 | all | jupyter-nbconvert | < 5.4-2+deb10u1 | jupyter-nbconvert_5.4-2+deb10u1_all.deb |
Debian | 10 | all | nbconvert | < 5.4-2+deb10u1 | nbconvert_5.4-2+deb10u1_all.deb |
Debian | 10 | all | python-nbconvert | < 5.4-2+deb10u1 | python-nbconvert_5.4-2+deb10u1_all.deb |
Debian | 11 | all | python3-nbconvert | < 5.6.1-3+deb11u1 | python3-nbconvert_5.6.1-3+deb11u1_all.deb |
Debian | 11 | all | jupyter-nbconvert | < 5.6.1-3+deb11u1 | jupyter-nbconvert_5.6.1-3+deb11u1_all.deb |
Debian | 10 | all | python3-nbconvert | < 5.4-2+deb10u1 | python3-nbconvert_5.4-2+deb10u1_all.deb |