Bug 2020261 (CVE-2021-41134) - CVE-2021-41134 nbdime: diffNotebookCheckpoint does not sanitize strings before displaying
Keywords:
Status: NEW
Alias: CVE-2021-41134
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2020262
Reported: 2021-11-04 13:39 UTC by Michael Kaplan
Modified: 2023-07-07 08:29 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Michael Kaplan 2021-11-04 13:39:05 UTC
In affected versions a stored cross-site scripting (XSS) issue exists within the Jupyter-owned nbdime project. It appears that when reading the file name and path from disk, the extension does not sanitize the string it constructs before returning it to be displayed. The diffNotebookCheckpoint function within nbdime causes this issue. When attempting to display the name of the local notebook (diffNotebookCheckpoint), nbdime appears to simply append .ipynb to the name of the input file. The NbdimeWidget is then created, and the base string is passed through to the request API function. From there, the frontend simply renders the HTML tag and anything along with it. Users are advised to patch to the most recent version of the affected product.

References:

https://github.com/jupyter/nbdime/commit/e44a5cc7677f24b45ebafc756db49058c2f750ea
https://github.com/jupyter/nbdime/security/advisories/GHSA-p6rw-44q7-3fw4
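The rendering flaw described above, as an added example that is not part of the original report and is not nbdime's code: a display label built by appending .ipynb to an on-disk name, rendered once without and once with HTML encoding. All function names and the sample file name are hypothetical and constructed for illustration.

```javascript
// Added example; names below are hypothetical, not nbdime's API.

// Mirrors the behaviour the description attributes to diffNotebookCheckpoint:
// the display name is the on-disk name with ".ipynb" appended, nothing else.
function buildBaseLabel(notebookName) {
  return notebookName + '.ipynb';
}

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode a string for use in an HTML text or quoted-attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the label is interpolated into markup as-is, so any tag stored
// in the file name is parsed as HTML when the header is displayed.
function renderHeaderUnsafe(label) {
  return `<span class="diff-base">${label}</span>`;
}

// After: the label is encoded before it reaches the markup.
function renderHeaderSafe(label) {
  return `<span class="diff-base">${escapeHtml(label)}</span>`;
}

// Regression check helper: counts opening tags a browser would parse
// in the fragment. A header for one label should contain exactly one.
function countElements(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample: a notebook whose file name carries a harmless tag.
const sampleLabel = buildBaseLabel('results<b>2021</b>');
console.log(countElements(renderHeaderUnsafe(sampleLabel)), renderHeaderUnsafe(sampleLabel));
console.log(countElements(renderHeaderSafe(sampleLabel)), renderHeaderSafe(sampleLabel));
```

In DOM code the equivalent of renderHeaderSafe is assigning the label to textContent rather than innerHTML, which avoids building markup from file names at all.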

Comment 1 juneau 2021-11-05 19:02:40 UTC
Setting services-rhods "affected (low) delegated." Affected package exists in manifest(s), but appears unused.

