-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.3180
                         nbconvert security update
                                5 June 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           nbconvert
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-32862  

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2023/06/msg00003.html

Comment: CVSS (Max):  5.4 CVE-2021-32862 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3442-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
June 03, 2023                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : nbconvert
Version        : 5.4-2+deb10u1
CVE ID         : CVE-2021-32862

Alvaro Munoz from the GitHub Security Lab discovered sixteen ways to
exploit cross-site scripting (XSS) vulnerabilities in nbconvert, a tool
and library used to convert Jupyter notebooks to various other formats
via Jinja templates.

When nbconvert is used to generate an HTML version of a user-controllable
notebook, whoever controls the notebook can inject arbitrary HTML into the
generated document. This becomes cross-site scripting (XSS) when the
resulting HTML notebooks are served by a web server without a tight
Content-Security-Policy (nbviewer, for example), since the injected
markup and script then run in that server's origin.

  * GHSL-2021-1013: XSS in notebook.metadata.language_info.pygments_lexer;
  * GHSL-2021-1014: XSS in notebook.metadata.title;
  * GHSL-2021-1015: XSS in notebook.metadata.widgets;
  * GHSL-2021-1016: XSS in notebook.cell.metadata.tags;
  * GHSL-2021-1017: XSS in output data text/html cells;
  * GHSL-2021-1018: XSS in output data image/svg+xml cells;
  * GHSL-2021-1019: XSS in notebook.cell.output.svg_filename;
  * GHSL-2021-1020: XSS in output data text/markdown cells;
  * GHSL-2021-1021: XSS in output data application/javascript cells;
  * GHSL-2021-1022: XSS in output.metadata.filenames image/png and
    image/jpeg;
  * GHSL-2021-1023: XSS in output data image/png and image/jpeg cells;
  * GHSL-2021-1024: XSS in output.metadata.width/height image/png and
    image/jpeg;
  * GHSL-2021-1025: XSS in output data
    application/vnd.jupyter.widget-state+json cells;
  * GHSL-2021-1026: XSS in output data
    application/vnd.jupyter.widget-view+json cells;
  * GHSL-2021-1027: XSS in raw cells; and
  * GHSL-2021-1028: XSS in markdown cells.
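
The list above doubles as a triage checklist. The following Python is an
added example (not part of the advisory, and not nbconvert code): it walks
a notebook's JSON and reports any of the listed fields that carry markup
or script-bearing content, so untrusted notebooks can be screened before
they are exported. The sample notebook, the function name
`find_injection_points` and the regular expressions are constructed for
illustration; the patterns are coarse heuristics meant to flag candidates,
not to prove or rule out exploitability.

```python
import json
import re

# Two contexts, two heuristics. Metadata values end up inside tags or
# attributes, so any markup character is suspect. Payloads of the active
# MIME types are emitted as live markup by design, so only script-bearing
# constructs are flagged there.
MARKUP_RE = re.compile(r'[<>"]|javascript:', re.IGNORECASE)
SCRIPT_RE = re.compile(r'<script\b|\son\w+\s*=|javascript:', re.IGNORECASE)
BASE64_RE = re.compile(r'^[A-Za-z0-9+/=\r\n]*$')

# Output MIME types nbconvert renders as markup or executes
# (GHSL-2021-1017, -1018, -1020, -1021, -1025, -1026).
ACTIVE_MIMES = {
    "text/html", "image/svg+xml", "text/markdown", "application/javascript",
    "application/vnd.jupyter.widget-state+json",
    "application/vnd.jupyter.widget-view+json",
}
RASTER_MIMES = {"image/png", "image/jpeg"}


def _as_text(value):
    """Notebook fields may be str, list-of-str (source/data) or JSON objects."""
    if value is None:
        return None
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return "".join(value)
    if isinstance(value, (dict, list)):
        return json.dumps(value)
    return str(value)


def find_injection_points(nb):
    """Return (path, snippet) pairs for each advisory field holding suspect content."""
    findings = []

    def flag(path, value, pattern=MARKUP_RE):
        text = _as_text(value)
        if text and pattern.search(text):
            findings.append((path, text[:60]))

    md = nb.get("metadata", {})
    flag("metadata.title", md.get("title"))                                 # GHSL-2021-1014
    flag("metadata.language_info.pygments_lexer",
         md.get("language_info", {}).get("pygments_lexer"))                 # GHSL-2021-1013
    flag("metadata.widgets", md.get("widgets"), SCRIPT_RE)                  # GHSL-2021-1015

    for i, cell in enumerate(nb.get("cells", [])):
        c = f"cells[{i}]"
        for tag in cell.get("metadata", {}).get("tags", []):
            flag(f"{c}.metadata.tags", tag)                                 # GHSL-2021-1016
        if cell.get("cell_type") in ("raw", "markdown"):                    # GHSL-2021-1027/-1028
            flag(f"{c}.source ({cell['cell_type']})", cell.get("source"), SCRIPT_RE)
        for j, out in enumerate(cell.get("outputs", [])):
            o = f"{c}.outputs[{j}]"
            flag(f"{o}.svg_filename", out.get("svg_filename"))              # GHSL-2021-1019
            omd = out.get("metadata", {})
            for mime, fname in omd.get("filenames", {}).items():
                flag(f"{o}.metadata.filenames[{mime}]", fname)              # GHSL-2021-1022
            for mime in RASTER_MIMES:                                       # GHSL-2021-1024
                dims = omd.get(mime)
                if isinstance(dims, dict):
                    for dim in ("width", "height"):
                        flag(f"{o}.metadata[{mime}].{dim}", dims.get(dim))
            for mime, payload in out.get("data", {}).items():
                if mime in ACTIVE_MIMES:
                    flag(f"{o}.data[{mime}]", payload, SCRIPT_RE)
                elif mime in RASTER_MIMES and not BASE64_RE.match(_as_text(payload) or ""):
                    findings.append((f"{o}.data[{mime}]", "not base64"))    # GHSL-2021-1023
    return findings


# Constructed sample notebook (not taken from the advisory): most of the
# listed fields are seeded with markup; the raster payload and the last
# markdown cell are benign and must not be reported.
SAMPLE_NOTEBOOK = {
    "nbformat": 4, "nbformat_minor": 4,
    "metadata": {
        "title": "Report</title><script>alert(1)</script>",
        "language_info": {"name": "python",
                          "pygments_lexer": 'ipython3"><img src=x onerror=alert(1)>'},
    },
    "cells": [
        {"cell_type": "code", "execution_count": 1, "source": "1 + 1",
         "metadata": {"tags": ["clean", 'x" onmouseover="alert(1)']},
         "outputs": [
             {"output_type": "display_data",
              "metadata": {"filenames": {"image/png": 'a.png"><script>alert(1)</script>'},
                           "image/png": {"width": '100" onload="alert(1)', "height": 80}},
              "data": {"image/png": ["iVBORw0KGgo=\n"],
                       "text/html": "<b>ok</b><script>alert(1)</script>"}},
         ]},
        {"cell_type": "raw", "metadata": {}, "source": ["<script>", "alert(1)</script>"]},
        {"cell_type": "markdown", "metadata": {}, "source": "# Summary\n\nPlain text only."},
    ],
}

if __name__ == "__main__":
    for path, snippet in find_injection_points(SAMPLE_NOTEBOOK):
        print(f"{path}: {snippet!r}")
```

Run against a real file with `find_injection_points(json.load(open(path)))`;
a clean notebook yields an empty list, and hits in metadata or filename
fields are the ones worth looking at first, since those are never
legitimately markup.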

Four of these, namely GHSL-2021-1017, -1020, -1021 and -1028, are design
decisions rather than bugs: text/html, text/markdown and
application/javascript outputs and markdown cells are meant to allow
arbitrary JavaScript execution.  They are therefore left open by default,
but users can now opt out and strip all JavaScript elements from the
generated HTML via the new HTMLExporter option `sanitize_html`.  Since
the option is off unless explicitly enabled, deployments that render
untrusted notebooks still need to turn it on.
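
The two classes of fix described above look different in code: a
metadata field such as `title` must be escaped so it can never break out
of its tag, whereas a text/html output is meant to be markup and can only
be made safe by stripping the scripting vectors out of it. The following
Python is an added illustration, not nbconvert's own implementation (which
is not reproduced here) and not the advisory's text: `JsStripper`,
`strip_js`, `render_title` and `render_html_output` are names chosen for
this example, and the `sanitize_html` parameter merely mirrors the option
name from the advisory. The stripper is built on the standard library's
`html.parser` and removes `<script>`-style elements, `on*` handler
attributes and `javascript:` URLs; the attack strings are constructed.

```python
import html
import re
from html.parser import HTMLParser

# Elements whose whole subtree is discarded (scripting and resource-loading
# vectors); void elements have no closing tag and are never re-emitted closed.
DROP_ELEMENTS = {"script", "style", "iframe", "object", "embed", "link", "meta", "base"}
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "source", "track", "wbr"}
_WS = re.compile(r"[\s\x00-\x1f]")  # whitespace/control bytes used to disguise javascript:


class JsStripper(HTMLParser):
    """Re-serialises markup while dropping script elements, on* handlers
    and javascript: URLs. Illustrative allow-list stripper, not nbconvert's."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.skip = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            if tag not in VOID_ELEMENTS:
                self.skip += 1
            return
        if self.skip:
            return
        parts = []
        for name, value in attrs:
            if name.lower().startswith("on"):
                continue  # event handler attribute
            if value is not None and _WS.sub("", value).lower().startswith("javascript:"):
                continue  # javascript: URL, including whitespace-obfuscated forms
            parts.append(f' {name}="{html.escape(value, quote=True)}"' if value is not None
                         else f" {name}")
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            if tag not in VOID_ELEMENTS and self.skip:
                self.skip -= 1
            return
        if not self.skip and tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

    def handle_entityref(self, name):
        if not self.skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip:
            self.out.append(f"&#{name};")


def strip_js(fragment):
    """Return the fragment with scripting vectors removed (comments are dropped too)."""
    parser = JsStripper()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def render_title(title, escape):
    """metadata.title as a template would place it: raw (vulnerable) or escaped (fixed)."""
    return f"<title>{html.escape(title, quote=True) if escape else title}</title>"


def render_html_output(payload, sanitize_html=False):
    """text/html output: verbatim by default (the design decision above),
    stripped when the operator opts in."""
    return strip_js(payload) if sanitize_html else payload


# Constructed attack strings for the two contexts.
ATTACK_TITLE = "Report</title><script>alert(1)</script>"
ATTACK_HTML = ('<b>ok</b><script>alert(1)</script>'
               '<img src="x" onerror="alert(1)"><a href="javascript:alert(1)">l</a>')

if __name__ == "__main__":
    print(render_title(ATTACK_TITLE, escape=False))
    print(render_title(ATTACK_TITLE, escape=True))
    print(render_html_output(ATTACK_HTML))
    print(render_html_output(ATTACK_HTML, sanitize_html=True))
```

Escaping is the right fix for every field that is data rather than
markup, and no stripper is a substitute for a Content-Security-Policy on
the server that publishes the exported HTML: the sanitizer shown here only
addresses vectors it knows about, which is exactly why the advisory
recommends a tight CSP for anything like nbviewer.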

For Debian 10 buster, this problem has been fixed in version
5.4-2+deb10u1.

We recommend that you upgrade your nbconvert packages.

For the detailed security status of nbconvert please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nbconvert

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


- -----BEGIN PGP SIGNATURE-----
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=kdo5
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
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=U6dU
-----END PGP SIGNATURE-----