High severityNVD Advisory· Published Aug 9, 2021· Updated Aug 3, 2024
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in notebook
CVE-2021-32798
Description
The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker to execute arbitrary code on the victim computer using Jupyter APIs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
notebookPyPI | < 5.7.11 | 5.7.11 |
notebookPyPI | >= 6.0.0, < 6.4.1 | 6.4.1 |
Affected products
6- osv-coords5 versionspkg:bitnami/jupyter-base-notebookpkg:bitnami/jupyter-notebookpkg:pypi/notebookpkg:rpm/opensuse/python-notebook&distro=openSUSE%20Leap%2015.6pkg:rpm/suse/python-notebook&distro=SUSE%20Package%20Hub%2015%20SP6
>= 5.7.0, < 5.7.11+ 4 more
- (no CPE)range: >= 5.7.0, < 5.7.11
- (no CPE)range: >= 5.7.0, < 5.7.11
- (no CPE)range: < 5.7.11
- (no CPE)range: < 5.7.11-bp156.4.3.1
- (no CPE)range: < 5.7.11-bp156.4.3.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-hwvq-6gjx-j797ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-32798ghsaADVISORY
- github.com/jupyter/notebook/commit/79fc76e890a8ec42f73a3d009e44ef84c14ef0d5ghsax_refsource_MISCWEB
- github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797ghsax_refsource_CONFIRMWEB
- github.com/pypa/advisory-database/tree/main/vulns/notebook/PYSEC-2021-118.yamlghsaWEB
News mentions
0No linked articles in our index yet.