CVE-2021-39160 Information

Jun 07, 2022 cve

Description

nbgitpuller is a Jupyter server extension to sync a git repository one-way to a local path. Due to unsanitized input visiting maliciously crafted links could result in arbitrary code execution in the user environment. This has been resolved in version 0.10.2 and all users are advised to upgrade. No work around exist for users who can not upgrade.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Reference

https://github.com/jupyterhub/nbgitpuller/blob/main/CHANGELOG.md#0102—2021-08-25 https://github.com/jupyterhub/nbgitpuller/security/advisories/GHSA-mq5p-2mcr-m52j https://github.com/jupyterhub/nbgitpuller/commit/07690644f29a566011dd0d7ba14cae3eb0490481

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8

Share on: