Skip to content

Stored XSS in Jupyter nbdime

High
vidartf published GHSA-p6rw-44q7-3fw4 Nov 3, 2021

Package

pip nbdime (pip)

Affected versions

<1.1.1, >=2.0.0, <2.1.1, >=3.0.0, <3.1.1

Patched versions

1.1.1, 2.1.1, 3.1.1
npm nbdime (npm)
< 5.0.2 || ^6 <6.1.2
5.0.2, 6.1.2
npm nbdime-jupyterlab (npm)
< 1.0.1 || ^2 <2.1.1
1.0.1, 2.1.1

Description

Impact

Improper handling of user controlled input caused a stored cross-site scripting (XSS) vulnerability. All previous versions of nbdime are affected.

Patches

Security patches will be released for each of the major versions of the nbdime packages since version 1.x of the nbdime python package.

Python

  • nbdime 1.x: Patched in v. 1.1.1
  • nbdime 2.x: Patched in v. 2.1.1
  • nbdime 3.x: Patched in v. 3.1.1

npm

  • nbdime 6.x version: Patched in 6.1.2
  • nbdime 5.x version: Patched in 5.0.2
  • nbdime-jupyterlab 1.x version: Patched in 1.0.1
  • nbdime-jupyterlab 2.x version: Patched in 2.1.1

For more information

If you have any questions or comments about this advisory email us at [email protected].

Severity

High

CVE ID

CVE-2021-41134