Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1xNXAtMm1jci1tNTJq
Code injection in nbgitpuller
Impact
Due to an unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment.
Patches
0.10.2
Workarounds
None, other than upgrade to 0.10.2 or downgrade to 0.8.x.
For more information
If you have any questions or comments about this advisory:
- Open an issue in nbgitpuller
- Email our security team at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1xNXAtMm1jci1tNTJq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 8 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-mq5p-2mcr-m52j, CVE-2021-39160
References:
- https://github.com/jupyterhub/nbgitpuller/security/advisories/GHSA-mq5p-2mcr-m52j
- https://nvd.nist.gov/vuln/detail/CVE-2021-39160
- https://github.com/jupyterhub/nbgitpuller/commit/07690644f29a566011dd0d7ba14cae3eb0490481
- https://github.com/jupyterhub/nbgitpuller/blob/main/CHANGELOG.md#0102---2021-08-25
- https://github.com/advisories/GHSA-mq5p-2mcr-m52j
Blast Radius: 20.7
Affected Packages
pypi:nbgitpuller
Dependent packages: 2Dependent repositories: 226
Downloads: 26,532 last month
Affected Version Ranges: >= 0.9.0, <= 0.10.1
Fixed in: 0.10.2
All affected versions: 0.9.0, 0.10.0, 0.10.1
All unaffected versions: 0.4.0, 0.5.0, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.10.2, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.2.1