CVE-2021-39160

CRITICAL

nbgitpuller 0.9.0-0.10.1 - OS Command Injection via Malicious Link


Description

nbgitpuller is a Jupyter server extension that syncs a git repository one way into a local path. Because user-supplied input was not sanitized, visiting a maliciously crafted link could result in arbitrary code execution in the user's environment. This has been resolved in version 0.10.2, and all users are advised to upgrade. No workaround exists for users who cannot upgrade.

Scores

CVSS v3 9.6
EPSS 0.0168
EPSS Percentile 73.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Details

CWE
CWE-78, CWE-94
Status published
Products (2)
jupyterhub/nbgitpuller 0.9.0 - 0.10.2
pypi/nbgitpuller 0.9.0 - 0.10.2 (PyPI)
Published Aug 25, 2021
Tracked Since Feb 18, 2026