Published: 30 Aug 2021
Source: github
Github: Reviewed
CVSS4: 8.7
CVSS3: 8.8
Description
Code injection in nbgitpuller
Impact
Due to an unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment.
Patches
0.10.2
Workarounds
None, other than upgrading to 0.10.2 or downgrading to 0.8.x.
For more information
If you have any questions or comments about this advisory:
- Open an issue in nbgitpuller
- Email our security team at security@ipython.org
References
- https://github.com/jupyterhub/nbgitpuller/security/advisories/GHSA-mq5p-2mcr-m52j
- https://nvd.nist.gov/vuln/detail/CVE-2021-39160
- https://github.com/jupyterhub/nbgitpuller/commit/07690644f29a566011dd0d7ba14cae3eb0490481
- https://github.com/jupyterhub/nbgitpuller/blob/main/CHANGELOG.md#0102---2021-08-25
- https://github.com/pypa/advisory-database/tree/main/vulns/nbgitpuller/PYSEC-2021-315.yaml
Packages
Name: nbgitpuller (pip)
Affected versions: >= 0.9.0, <= 0.10.1
Fixed version: 0.10.2
Related vulnerabilities
CVSS3: 9.6
nvd
more than 4 years ago
nbgitpuller is a Jupyter server extension to sync a git repository one-way to a local path. Due to unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment. This has been resolved in version 0.10.2 and all users are advised to upgrade. No workarounds exist for users who cannot upgrade.