Bug 865721 (CVE-2021-32862)

Summary:	dev-python/nbconvert: arbitrary html injection
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	CONFIRMED ---
Severity:	minor	CC:	arthurzam, python, sci
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/jupyter/nbconvert/security/advisories/GHSA-9jmq-rx5f-8jwq
Whiteboard:	B4 [??]
Package list:		Runtime testing required:	---

Description John Helmert III archtester

2022-08-18 21:37:58 UTC

CVE-2021-32862:

The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).

This advisory says this is fixed in 6.3 but it also says only 5.5.0
was tested. Commits between 6.2.0 and 6.3.0 also don't seem relevant.

Comment 1 Arthur Zamarin archtester

2022-08-19 05:18:08 UTC

The current smallest version of nbconvert is 6.5.0-r1, so I don't think there is a need for an action?

Comment 2 John Helmert III archtester

2022-08-20 17:26:41 UTC

I couldn't verify the fixes were in the release that the advisory alleges, so we need to verify the advisory is correct.