CVE-2021-39160 — Code injection in nbgitpuller

Description

nbgitpuller is a Jupyter server extension to sync a git repository one-way to a local path. Due to unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment. This has been resolved in version 0.10.2 and all users are advised to upgrade. No work around exist for users who can not upgrade.

How to fix CVE-2021-39160

To remediate CVE-2021-39160, upgrade the affected package to a fixed version below.

—upgrade to 0.10.2 or later
—upgrade to 07690644f29a566011dd0d7ba14cae3eb0490481 or later

Is CVE-2021-39160 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 0.9.0, < 0.10.2
from 0, < 07690644f29a566011dd0d7ba14cae3eb0490481 | >= 0.9.0, < 0.10.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-39160
PATCHgithub.com/jupyterhub/nbgitpuller
WEBgithub.com/jupyterhub/nbgitpuller/blob/main/CHANGELOG.md#0102---2021-08-25
WEBgithub.com/jupyterhub/nbgitpuller/commit/07690644f29a566011dd0d7ba14cae3eb0490481