GHSA-p6rw-44q7-3fw4

Source

https://github.com/advisories/GHSA-p6rw-44q7-3fw4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-p6rw-44q7-3fw4/GHSA-p6rw-44q7-3fw4.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-p6rw-44q7-3fw4

Aliases

Published

2021-11-08T18:09:27Z

Modified

2024-10-01T19:46:48.301301Z

Severity

8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N CVSS Calculator

Summary

Stored XSS in Jupyter nbdime

Details

Impact

Improper handling of user controlled input caused a stored cross-site scripting (XSS) vulnerability. All previous versions of nbdime are affected.

Patches

Security patches will be released for each of the major versions of the nbdime packages since version 1.x of the nbdime python package.

Python

nbdime 1.x: Patched in v. 1.1.1
nbdime 2.x: Patched in v. 2.1.1
nbdime 3.x: Patched in v. 3.1.1

npm

nbdime 6.x version: Patched in 6.1.2
nbdime 5.x version: Patched in 5.0.2
nbdime-jupyterlab 1.x version: Patched in 1.0.1
nbdime-jupyterlab 2.x version: Patched in 2.1.1

For more information

If you have any questions or comments about this advisory email us at security@ipython.org.

Database specific

{
    "nvd_published_at": "2021-11-03T18:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-03T18:13:40Z"
}

References

Affected packages

PyPI / nbdime

Package

Name: nbdime; View open source insights on deps.dev
Purl: pkg:pypi/nbdime

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.1

Affected versions

0.*

0.1.0.dev

0.1.0b1

0.1.0

0.1.1

0.1.2

0.2.0

0.3.0

0.4.0

0.4.1

1.*

1.0.0rc0

1.0.0rc1

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.1.0

PyPI / nbdime

Package

Name: nbdime; View open source insights on deps.dev
Purl: pkg:pypi/nbdime

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.1.1

Affected versions

2.*

2.0.0

2.1.0

PyPI / nbdime

Package

Name: nbdime; View open source insights on deps.dev
Purl: pkg:pypi/nbdime

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.1.1

Affected versions

3.*

3.0.0

3.1.0

npm / nbdime

Package

Name: nbdime; View open source insights on deps.dev
Purl: pkg:npm/nbdime

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.0.2

npm / nbdime

Package

Name: nbdime; View open source insights on deps.dev
Purl: pkg:npm/nbdime

Affected ranges

Type: SEMVER
Events: Introduced

6.0.0

Fixed

6.1.2

npm / nbdime-jupyterlab

Package

Name: nbdime-jupyterlab; View open source insights on deps.dev
Purl: pkg:npm/nbdime-jupyterlab

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.1