Stored XSS in Jupyter nbdime

High

vidartf published GHSA-p6rw-44q7-3fw4

Nov 3, 2021

Package

nbdime (pip)

Affected versions

<1.1.1, >=2.0.0, <2.1.1, >=3.0.0, <3.1.1

Patched versions

1.1.1, 2.1.1, 3.1.1

nbdime (npm)

< 5.0.2 || ^6 <6.1.2

5.0.2, 6.1.2

nbdime-jupyterlab (npm)

< 1.0.1 || ^2 <2.1.1

1.0.1, 2.1.1

Description

Impact

Improper handling of user controlled input caused a stored cross-site scripting (XSS) vulnerability. All previous versions of nbdime are affected.

Patches

Security patches will be released for each of the major versions of the nbdime packages since version 1.x of the nbdime python package.

Python

nbdime 1.x: Patched in v. 1.1.1
nbdime 2.x: Patched in v. 2.1.1
nbdime 3.x: Patched in v. 3.1.1

npm

nbdime 6.x version: Patched in 6.1.2
nbdime 5.x version: Patched in 5.0.2
nbdime-jupyterlab 1.x version: Patched in 1.0.1
nbdime-jupyterlab 2.x version: Patched in 2.1.1

For more information

If you have any questions or comments about this advisory email us at [email protected].

Weaknesses

CWE-75

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

The product does not adequately filter user-controlled input for special elements with control implications. Learn more on MITRE.

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. Learn more on MITRE.