CVE-2021-39160 CRITICAL

CVE-2021-39160: Code injection in nbgitpuller

Vendor Jupyterhub
Product nbgitpuller
Weakness CWE-94 · Code injection
Published August 25, 2021
Last update August 4, 2024

CVSS base score

9.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

Description

nbgitpuller is a Jupyter server extension that syncs a git repository one-way to a local path. Due to unsanitized input, visiting a maliciously crafted link could result in arbitrary code execution in the user's environment. This has been resolved in version 0.10.2, and all users are advised to upgrade. No workaround exists for users who cannot upgrade.

Key dates

Disclosure timeline

August 25, 2021 CVE published
August 4, 2024 Record updated