Impact
Due to unsanitized input, visiting a maliciously crafted link could result in arbitrary code execution in the user's environment.
Patches
0.10.2
Workarounds
None, other than upgrading to 0.10.2 or downgrading to 0.8.x.
For more information
If you have any questions or comments about this advisory:
- Open an issue in nbgitpuller
- Email our security team at security@ipython.org
References
- https://github.com/jupyterhub/nbgitpuller/security/advisories/GHSA-mq5p-2mcr-m52j
- https://nvd.nist.gov/vuln/detail/CVE-2021-39160
- https://github.com/jupyterhub/nbgitpuller/commit/07690644f29a566011dd0d7ba14cae3eb0490481
- https://github.com/jupyterhub/nbgitpuller/blob/main/CHANGELOG.md#0102—2021-08-25
- https://github.com/advisories/GHSA-mq5p-2mcr-m52j