Debian Long Term Support / LTS Security Information / 2023 / Security Information -- DLA-3442-1 nbconvert

Debian Security Advisory

DLA-3442-1 nbconvert -- LTS security update

Date Reported:

03 Jun 2023

Affected Packages:

nbconvert

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2021-32862.

More information:

Alvaro Muñoz from the GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert, a tool and library used to convert notebooks to various other formats via Jinja templates.

When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server without tight Content-Security-Policy (e.g., nbviewer).

1. GHSL-2021-1013: XSS in notebook.metadata.language_info.pygments_lexer;
2. GHSL-2021-1014: XSS in notebook.metadata.title;
3. GHSL-2021-1015: XSS in notebook.metadata.widgets;
4. GHSL-2021-1016: XSS in notebook.cell.metadata.tags;
5. GHSL-2021-1017: XSS in output data text/html cells;
6. GHSL-2021-1018: XSS in output data image/svg+xml cells;
7. GHSL-2021-1019: XSS in notebook.cell.output.svg_filename;
8. GHSL-2021-1020: XSS in output data text/markdown cells;
9. GHSL-2021-1021: XSS in output data application/javascript cells;
10. GHSL-2021-1022: XSS in output.metadata.filenames image/png and image/jpeg;
11. GHSL-2021-1023: XSS in output data image/png and image/jpeg cells;
12. GHSL-2021-1024: XSS in output.metadata.width/height image/png and image/jpeg;
13. GHSL-2021-1025: XSS in output data application/vnd.jupyter.widget-state+json cells;
14. GHSL-2021-1026: XSS in output data application/vnd.jupyter.widget-view+json cells;
15. GHSL-2021-1027: XSS in raw cells; and
16. GHSL-2021-1028: XSS in markdown cells.

Some of these vulnerabilities, namely GHSL-2021-1017, -1020, -1021 and -1028, are actually design decisions where text/html, text/markdown, application/javascript and markdown cells should allow for arbitrary JavaScript code execution. These vulnerabilities are therefore left open by default, but users can now opt-out and strip down all JavaScript elements via a new HTMLExporter option sanitize_html.

For Debian 10 buster, this problem has been fixed in version 5.4-2+deb10u1.

We recommend that you upgrade your nbconvert packages.

For the detailed security status of nbconvert please refer to its security tracker page at: https://security-tracker.debian.org/tracker/nbconvert

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS