865721 – (CVE-2021-32862) dev-python/nbconvert: arbitrary html injection

Bug 865721 (CVE-2021-32862) - dev-python/nbconvert: arbitrary html injection

Summary: dev-python/nbconvert: arbitrary html injection

Status:	CONFIRMED

Alias:	CVE-2021-32862

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://github.com/jupyter/nbconvert/...
Whiteboard:	B4 [??]
Keywords:

Depends on:
Blocks:

Reported:	2022-08-18 21:37 UTC by John Helmert III
Modified:	2024-06-07 08:42 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-08-18 21:37:58 UTC

CVE-2021-32862:

The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).

This advisory says this is fixed in 6.3 but it also says only 5.5.0
was tested. Commits between 6.2.0 and 6.3.0 also don't seem relevant.

Comment 1 Arthur Zamarin archtester

2022-08-19 05:18:08 UTC

The current smallest version of nbconvert is 6.5.0-r1, so I don't think there is a need for an action?

Comment 2 John Helmert III archtester

2022-08-20 17:26:41 UTC

I couldn't verify the fixes were in the release that the advisory alleges, so we need to verify the advisory is correct.