CVE-2021-32798
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in notebook
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker to execute arbitrary code on the victim computer using Jupyter APIs.
Jupyter notebook, es un entorno de cuaderno basado en la web para la computación interactiva. En las versiones afectadas, el cuaderno no fiable puede ejecutar código al cargarlo. Jupyter Notebook usa una versión obsoleta de Google Caja para sanear las entradas del usuario. Una omisión pública de Caja puede ser usado para desencadenar un ataque de tipo XSS cuando una víctima abre un documento ipynb malicioso en Jupyter Notebook. El ataque de tipo XSS permite a un atacante ejecutar código arbitrario en el ordenador de la víctima usando las API de Jupyter
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-05-12 CVE Reserved
- 2021-08-09 CVE Published
- 2024-07-15 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797 | Third Party Advisory |
URL | Date | SRC |
---|---|---|
https://github.com/jupyter/notebook/commit/79fc76e890a8ec42f73a3d009e44ef84c14ef0d5 | 2024-08-03 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Jupyter Search vendor "Jupyter" | Notebook Search vendor "Jupyter" for product "Notebook" | >= 5.7.0 < 5.7.11 Search vendor "Jupyter" for product "Notebook" and version " >= 5.7.0 < 5.7.11" | - |
Affected
| ||||||
Jupyter Search vendor "Jupyter" | Notebook Search vendor "Jupyter" for product "Notebook" | 6.4.0 Search vendor "Jupyter" for product "Notebook" and version "6.4.0" | - |
Affected
|