Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 865721 (CVE-2021-32862) - dev-python/nbconvert: arbitrary html injection
Summary: dev-python/nbconvert: arbitrary html injection
Alias: CVE-2021-32862
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [??]
Depends on:
Reported: 2022-08-18 21:37 UTC by John Helmert III
Modified: 2022-08-20 17:26 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-18 21:37:58 UTC

The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).

This advisory says this is fixed in 6.3 but it also says only 5.5.0
was tested. Commits between 6.2.0 and 6.3.0 also don't seem relevant.
Comment 1 Arthur Zamarin archtester gentoo-dev 2022-08-19 05:18:08 UTC
The current smallest version of nbconvert is 6.5.0-r1, so I don't think there is a need for an action?
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-20 17:26:41 UTC
I couldn't verify the fixes were in the release that the advisory alleges, so we need to verify the advisory is correct.