Vulnerability Description
nbgitpuller is a Jupyter server extension that syncs a git repository one-way to a local path. Due to unsanitized input, visiting a maliciously crafted link can result in arbitrary code execution in the user's environment. This has been resolved in version 0.10.2 and all users are advised to upgrade. No workaround exists for users who cannot upgrade.
CVSS Score
9.6 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jupyterhub | Nbgitpuller | >= 0.9.0, < 0.10.2 |
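The affected range in the table above can be checked mechanically against an installed copy. The following is an added example, not code from this advisory or from the nbgitpuller project. It assumes the installed distribution is named `nbgitpuller` (looked up through `importlib.metadata`) and takes the affected range directly from the table (>= 0.9.0, < 0.10.2). The pre-release handling, which treats a tag such as 0.10.2rc1 as still affected because it sorts below the 0.10.2 fix, is this example's own choice and is not stated by the advisory.

```python
"""Check an nbgitpuller version against the affected range for CVE-2021-39160.

Added example; not part of the advisory or the nbgitpuller project.
Affected range taken from the advisory table: >= 0.9.0, < 0.10.2.
"""
import re
from importlib import metadata

# Distribution name assumed to match the PyPI package name (assumption).
DISTRIBUTION = "nbgitpuller"

# Version keys are (major, minor, patch, is_final). is_final is 1 for a
# final release and 0 for a pre-release, so 0.10.2rc1 sorts below 0.10.2.
AFFECTED_MIN = (0, 9, 0, 1)    # first affected release (inclusive)
FIXED_VERSION = (0, 10, 2, 1)  # first fixed release (exclusive upper bound)

_RELEASE_RE = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")
_PRERELEASE_RE = re.compile(
    r"^[.\-_]?(a|b|c|rc|alpha|beta|pre|preview|dev)\d*", re.I
)


def parse_version(text: str) -> tuple:
    """Return a comparable (major, minor, patch, is_final) key for a version string.

    Only the leading numeric release segment is used. A pre-release marker
    (a, b, rc, dev, ...) lowers the key below the corresponding final release;
    post-release and local suffixes (".post1", "+local") are ignored.
    """
    m = _RELEASE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    numbers = tuple(int(part) if part is not None else 0
                    for part in (major, minor, patch))
    is_final = 0 if _PRERELEASE_RE.match(suffix.strip()) else 1
    return numbers + (is_final,)


def is_affected(version: str) -> bool:
    """True if the given nbgitpuller version lies in [0.9.0, 0.10.2)."""
    key = parse_version(version)
    return AFFECTED_MIN <= key < FIXED_VERSION


def installed_status() -> str:
    """Classify the locally installed nbgitpuller, if any."""
    try:
        version = metadata.version(DISTRIBUTION)
    except metadata.PackageNotFoundError:
        return "not installed"
    if is_affected(version):
        return f"{version}: affected by CVE-2021-39160, upgrade to 0.10.2 or later"
    return f"{version}: not affected"


if __name__ == "__main__":
    print(installed_status())
```

Run it inside the same Python environment that serves the Jupyter server (a kernel's environment may differ from the server's), since `importlib.metadata` only sees distributions installed for the interpreter executing the script.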
Related Weaknesses (CWE)
References
- https://github.com/jupyterhub/nbgitpuller/blob/main/CHANGELOG.md#0102---2021-08- (Release Notes, Third Party Advisory)
- https://github.com/jupyterhub/nbgitpuller/commit/07690644f29a566011dd0d7ba14cae3 (Patch, Third Party Advisory)
- https://github.com/jupyterhub/nbgitpuller/security/advisories/GHSA-mq5p-2mcr-m52 (Third Party Advisory)
FAQ
What is CVE-2021-39160?
CVE-2021-39160 is a vulnerability with a CVSS score of 9.6 (CRITICAL). nbgitpuller is a Jupyter server extension that syncs a git repository one-way to a local path. Due to unsanitized input, visiting a maliciously crafted link can result in arbitrary code execution in the user's environment. The issue is fixed in nbgitpuller 0.10.2.
How severe is CVE-2021-39160?
CVE-2021-39160 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-39160?
Yes. The vendor changelog and advisory linked in the references section above document the fix: nbgitpuller 0.10.2 resolves the issue, versions >= 0.9.0 and < 0.10.2 are affected, and no workaround exists for users who cannot upgrade. Affected products: Jupyterhub Nbgitpuller.