CVE-2021-39160 Vulnerability Details

  /     /     /  

CVE-2021-39160 Metadata Quick Info

CVE Published: 25/08/2021 | CVE Updated: 04/08/2024 | CVE Year: 2021
Source: GitHub_M | Vendor: jupyterhub | Product: nbgitpuller
Status : PUBLISHED

---

CVE-2021-39160 Description

nbgitpuller is a Jupyter server extension to sync a git repository one-way to a local path. Due to unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment. This has been resolved in version 0.10.2 and all users are advised to upgrade. No work around exist for users who can not upgrade.

Metrics

CVSS Version: 3.1 | Base Score: 9.6 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* NONE
    User Interaction (UI)* REQUIRED
    Scope (S)* CHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* HIGH
    Availability Impact (A)* HIGH

Weakness Enumeration (CWE)

CWE-ID: CWE-94
CWE Name: CWE-94: Improper Control of Generation of Code ( Code Injection )
Source: jupyterhub

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).