CVE-2021-32862

Description

The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).

How to fix CVE-2021-32862

To remediate CVE-2021-32862, upgrade the affected package to a fixed version below.

• —upgrade to 5.6.1-3+deb11u1 or later
• —upgrade to 5.4-2+deb10u1 or later
• —upgrade to 5.6.1-3+deb11u1 or later
• —upgrade to 6.5.1 or later
• —upgrade to 6.3.0a0 or later

Is CVE-2021-32862 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 5.6.1-3+deb11u1
• from 0, < 5.4-2+deb10u1
• from 0, < 5.6.1-3+deb11u1
• from 0, < 6.5.1
• from 0, < 6.3.0a0

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-32862
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-32862
• PATCHgithub.com/jupyter/nbconvert
• WEBgithub.com/jupyter/nbconvert/security/advisories/GHSA-9jmq-rx5f-8jwq