
[SECURITY] [DLA 3442-1] nbconvert security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-3442-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
June 03, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : nbconvert
Version        : 5.4-2+deb10u1
CVE ID         : CVE-2021-32862

Alvaro Muñoz from the GitHub Security Lab discovered sixteen ways to
exploit a cross-site scripting vulnerability in nbconvert, a tool and
library used to convert notebooks to various other formats via Jinja
templates.

When using nbconvert to generate an HTML version of a user-controllable
notebook, it is possible to inject arbitrary HTML which may lead to
cross-site scripting (XSS) vulnerabilities if these HTML notebooks are
served by a web server without tight Content-Security-Policy (e.g.,
nbviewer).

  * GHSL-2021-1013: XSS in notebook.metadata.language_info.pygments_lexer;
  * GHSL-2021-1014: XSS in notebook.metadata.title;
  * GHSL-2021-1015: XSS in notebook.metadata.widgets;
  * GHSL-2021-1016: XSS in notebook.cell.metadata.tags;
  * GHSL-2021-1017: XSS in output data text/html cells;
  * GHSL-2021-1018: XSS in output data image/svg+xml cells;
  * GHSL-2021-1019: XSS in notebook.cell.output.svg_filename;
  * GHSL-2021-1020: XSS in output data text/markdown cells;
  * GHSL-2021-1021: XSS in output data application/javascript cells;
  * GHSL-2021-1022: XSS in output.metadata.filenames image/png and
    image/jpeg;
  * GHSL-2021-1023: XSS in output data image/png and image/jpeg cells;
  * GHSL-2021-1024: XSS in output.metadata.width/height image/png and
    image/jpeg;
  * GHSL-2021-1025: XSS in output data application/vnd.jupyter.widget-state+
    json cells;
  * GHSL-2021-1026: XSS in output data application/vnd.jupyter.widget-view+
    json cells;
  * GHSL-2021-1027: XSS in raw cells; and
  * GHSL-2021-1028: XSS in markdown cells.

Some of these vulnerabilities, namely GHSL-2021-1017, -1020, -1021, and
-1028, are actually design decisions: text/html, text/markdown,
application/javascript and markdown cells are meant to allow arbitrary
JavaScript code execution.  These vulnerabilities are therefore left open
by default, but users can now opt out and strip all JavaScript
elements via the new HTMLExporter option `sanitize_html`.
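As an added, defender-side example (not part of the advisory and not nbconvert's own code): a Python triage script that walks the metadata and output-attribute locations listed above in an untrusted .ipynb and flags string values carrying HTML metacharacters, i.e. the inputs an unpatched nbconvert would interpolate into the generated HTML unescaped. The sample notebook is constructed; the check deliberately skips the text/html, markdown, JavaScript and SVG outputs the advisory describes as by-design.

```python
# Constructed sample notebook (not a real file): markup planted in three of the
# locations the advisory lists, harmless values elsewhere.
SAMPLE_NOTEBOOK = {
    "metadata": {"title": "Report <b>x</b>",
                 "language_info": {"pygments_lexer": "ipython3"}},
    "cells": [{
        "cell_type": "code", "metadata": {"tags": ["clean", 'x"><b>']},
        "outputs": [{
            "output_type": "display_data", "data": {"image/png": "iVBORw0KGgo="},
            "metadata": {"image/png": {"width": 300, "height": '1"><b>'}},
        }],
    }],
}

SUSPICIOUS = set('<>"\'&')  # characters that change meaning once inside HTML


def _strings(value):
    """Yield every string found inside a nested dict/list/str value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def audit_notebook(nb):
    """Return (location, value) pairs for notebook-controlled strings with HTML
    metacharacters in the metadata/attribute locations from DLA-3442-1. Outputs that
    legitimately carry markup (HTML, markdown, JavaScript, SVG) are not inspected."""
    meta = nb.get("metadata", {})
    checks = [("metadata.title", meta.get("title")),
              ("metadata.language_info.pygments_lexer",
               meta.get("language_info", {}).get("pygments_lexer")),
              ("metadata.widgets", meta.get("widgets"))]
    for i, cell in enumerate(nb.get("cells", [])):
        checks.append((f"cells[{i}].metadata.tags", cell.get("metadata", {}).get("tags")))
        for j, out in enumerate(cell.get("outputs", [])):
            om = out.get("metadata", {})
            checks.append((f"cells[{i}].outputs[{j}].svg_filename", out.get("svg_filename")))
            checks.append((f"cells[{i}].outputs[{j}].metadata.filenames", om.get("filenames")))
            for mime in ("image/png", "image/jpeg"):  # base64 body and size attributes
                checks.append((f"cells[{i}].outputs[{j}].data[{mime}]", out.get("data", {}).get(mime)))
                for attr in ("width", "height"):
                    checks.append((f"cells[{i}].outputs[{j}].metadata[{mime}].{attr}",
                                   om.get(mime, {}).get(attr)))
    return [(path, s) for path, value in checks
            for s in _strings(value) if SUSPICIOUS.intersection(s)]
```

A non-empty result on a notebook you intend to publish through a pre-fix nbconvert (or any exporter without `sanitize_html`) is the signal to inspect it before it reaches a server that lacks a strict Content-Security-Policy.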

For Debian 10 buster, this problem has been fixed in version
5.4-2+deb10u1.

We recommend that you upgrade your nbconvert packages.

For the detailed security status of nbconvert please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nbconvert

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
