=====================================================================
CERT-Renater Information Note No. 2021/VULN591
_____________________________________________________________________
DATE : 04/11/2021 (4 November 2021)
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running the Jupyter nbdime Python package in a version prior to 1.1.1, 2.1.1 or 3.1.1, or the nbdime / nbdime-jupyterlab npm packages in a version prior to those listed below.
=====================================================================

Source: https://github.com/jupyter/nbdime/security/advisories/GHSA-p6rw-44q7-3fw4
_____________________________________________________________________

Stored XSS in Jupyter nbdime
Severity: high
Published by vidartf as GHSA-p6rw-44q7-3fw4 on Nov 3, 2021

Package: nbdime (pip)
Affected versions: <1.1.1; >=2.0.0 and <2.1.1; >=3.0.0 and <3.1.1
Patched versions: 1.1.1, 2.1.1, 3.1.1

Description

Impact
Improper handling of user-controlled input caused a stored cross-site scripting (XSS) vulnerability. All previous versions of nbdime are affected.

Because nbdime renders notebook content in a browser-based diff and merge interface, notebooks obtained from untrusted sources (pull requests, shared repositories) should be treated as hostile input and not diffed or merged with the web tools until the patched versions below are installed.

Patches
Security patches will be released for each of the major versions of the nbdime packages since version 1.x of the nbdime Python package.

Python (pip):
  nbdime 1.x: patched in 1.1.1
  nbdime 2.x: patched in 2.1.1
  nbdime 3.x: patched in 3.1.1

npm:
  nbdime 6.x: patched in 6.1.2
  nbdime 5.x: patched in 5.0.2
  nbdime-jupyterlab 1.x: patched in 1.0.1
  nbdime-jupyterlab 2.x: patched in 2.1.1

Note that the Python package bundles its own copy of the web front end, so upgrading the pip package does not by itself update a separately installed nbdime or nbdime-jupyterlab npm package; check both.

For more information
If you have any questions or comments about this advisory, email us at security@ipython.org.

CVE ID: CVE-2021-41134
CWEs: CWE-75 (Failure to Sanitize Special Elements into a Different Plane), CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page, Basic XSS)

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: cert@support.renater.fr  +
=========================================================
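The following is an added example, not part of the CERT-Renater bulletin or of the nbdime project: a small Python check that maps the advisory's affected ranges onto what is actually installed. The pip ranges are copied from the advisory; the npm ranges are an assumption derived from "all previous versions are affected" combined with the patched-version list (every version of a major line below its patch is treated as affected). The package-lock.json content is constructed for the demonstration, and the pre-release handling (a pre-release sorts below its final release, so 3.1.1rc1 counts as unpatched) is a choice made here, not something the advisory states.

```python
"""Check installed nbdime packages against the version ranges in
GHSA-p6rw-44q7-3fw4 / CVE-2021-41134.

Added example; it is not part of the CERT-Renater bulletin or the nbdime project.
"""
import json
import re
from importlib import metadata

# Affected ranges: (lower bound inclusive or None, upper bound exclusive).
# The pip ranges are transcribed from the advisory. The npm ranges are an
# ASSUMPTION derived from "all previous versions are affected" plus the
# patched-version list: every version of a major line below its patch.
AFFECTED = {
    "nbdime (pip)": [(None, "1.1.1"), ("2.0.0", "2.1.1"), ("3.0.0", "3.1.1")],
    "nbdime (npm)": [("5.0.0", "5.0.2"), ("6.0.0", "6.1.2")],
    "nbdime-jupyterlab (npm)": [("1.0.0", "1.0.1"), ("2.0.0", "2.1.1")],
}

NPM_LABELS = {"nbdime": "nbdime (npm)", "nbdime-jupyterlab": "nbdime-jupyterlab (npm)"}


def parse_version(text):
    """Turn '3.1.1' into ((3, 1, 1), 0) and '3.1.1rc1' into ((3, 1, 1), -1).

    The trailing flag makes a pre-release sort below its final release, so
    3.1.1rc1 is still treated as unpatched. Components after a pre-release
    tag (e.g. the '1' in '3.1.1-beta.1') are ignored. Epochs and local
    versions are out of scope for a four-package advisory check.
    """
    numbers, prerelease = [], 0
    for piece in text.strip().lstrip("v").split("."):
        m = re.fullmatch(r"(\d+)(.*)", piece)
        if m is None:
            raise ValueError(f"cannot parse version component {piece!r} in {text!r}")
        numbers.append(int(m.group(1)))
        if m.group(2):
            prerelease = -1
            break
    while len(numbers) < 3:          # '0.5' compares as 0.5.0
        numbers.append(0)
    return tuple(numbers), prerelease


def is_affected(package, version):
    """True if `version` of `package` falls in an affected range of the advisory."""
    v = parse_version(version)
    for low, high in AFFECTED[package]:
        if (low is None or v >= parse_version(low)) and v < parse_version(high):
            return True
    return False


def check_installed_pip():
    """Return (version, affected) for the nbdime Python package, or None if absent."""
    try:
        version = metadata.version("nbdime")
    except metadata.PackageNotFoundError:
        return None
    return version, is_affected("nbdime (pip)", version)


def scan_npm_lockfile(lock_text):
    """List (label, version, affected) for nbdime npm packages in a package-lock.json.

    Handles lockfileVersion 1 ('dependencies', keyed by name) and 2/3
    ('packages', keyed by node_modules path). v2 files carry both maps, so
    results are de-duplicated.
    """
    lock = json.loads(lock_text)
    found = {}
    for path, entry in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name in NPM_LABELS and "version" in entry:
            label = NPM_LABELS[name]
            found[(label, entry["version"])] = is_affected(label, entry["version"])
    for name, entry in lock.get("dependencies", {}).items():
        if name in NPM_LABELS and "version" in entry:
            label = NPM_LABELS[name]
            found[(label, entry["version"])] = is_affected(label, entry["version"])
    return sorted((label, ver, hit) for (label, ver), hit in found.items())


# Constructed sample lockfile (not from any real project): one affected and
# one patched package.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "my-lab-extension"},
        "node_modules/nbdime": {"version": "6.1.1"},
        "node_modules/nbdime-jupyterlab": {"version": "2.1.1"},
    },
})

if __name__ == "__main__":
    print("pip nbdime:", check_installed_pip())
    for label, version, hit in scan_npm_lockfile(SAMPLE_LOCK):
        print(f"{label} {version}: {'AFFECTED' if hit else 'patched'}")
```

Run it on a host that serves nbdime's web tools and point `scan_npm_lockfile` at the lockfile of any JupyterLab build that pulls in nbdime-jupyterlab; a hit in either place means the stored XSS is still reachable regardless of which side was upgraded.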