nbgitpuller is a Jupyter server extension to sync a git repository one-way to a local path. Due to unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment. This has been resolved in version 0.10.2 and all users are advised to upgrade. No work around exist for users who can not upgrade.
References
Link | Resource |
---|---|
https://github.com/jupyterhub/nbgitpuller/blob/main/CHANGELOG.md#0102---2021-08-25 | Release Notes Third Party Advisory |
https://github.com/jupyterhub/nbgitpuller/commit/07690644f29a566011dd0d7ba14cae3eb0490481 | Patch Third Party Advisory |
https://github.com/jupyterhub/nbgitpuller/security/advisories/GHSA-mq5p-2mcr-m52j | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2021-08-25T18:10:11
Updated: 2021-08-25T18:10:11
Reserved: 2021-08-16T00:00:00
Link: CVE-2021-39160
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-08-25T18:15:08.487
Modified: 2022-10-25T17:51:34.913
Link: CVE-2021-39160
JSON object: View
Redhat Information
No data.