CVE-2021-41134

8.7 HIGH

📋 TL;DR

CVE-2021-41134 is a stored cross-site scripting (XSS) vulnerability in nbdime, a tool for diffing and merging Jupyter Notebooks. Attackers can inject malicious scripts into notebook filenames that execute when users view diffs, potentially stealing session cookies or performing unauthorized actions. Users of affected nbdime versions who view notebook diffs are vulnerable.

💻 Affected Systems

Products:
  • nbdime
Versions: All versions before the fix
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is triggered when the diffNotebookCheckpoint function is used to display notebook diffs.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could steal user session cookies, hijack accounts, perform unauthorized actions in Jupyter environments, or redirect users to malicious sites.

🟠 Likely Case: Session hijacking leading to unauthorized access to Jupyter notebooks and data, or defacement of the diff interface.

🟢 If Mitigated: No impact if proper input sanitization is implemented or if users don't view diffs of malicious notebooks.

🌐 Internet-Facing: MEDIUM - Requires user interaction (viewing a diff) and typically affects internal tools rather than public-facing services.
🏢 Internal Only: HIGH - Jupyter environments are commonly used internally for data science, and stored XSS can persist across sessions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to create or rename notebook files with malicious payloads in filenames, then trick users into viewing diffs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit e44a5cc7677f24b45ebafc756db49058c2f750ea

Vendor Advisory: https://github.com/jupyter/nbdime/security/advisories/GHSA-p6rw-44q7-3fw4

Restart Required: No

Instructions:

1. Update nbdime to the latest version using pip: 'pip install --upgrade nbdime'
2. Verify the installation with 'nbdime --version'
3. No restart is required, as it is a Python package.

🔧 Temporary Workarounds

Avoid viewing diffs of untrusted notebooks (applies to: all versions)
  Do not use the diffNotebookCheckpoint function on notebooks from untrusted sources.

Sanitize notebook filenames (applies to: all versions)
  Implement custom filename validation to remove HTML/script tags before processing.
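The filename workaround above is the interesting one: stripping tags is brittle, so the robust form of the same idea is to treat the filename as untrusted text and HTML-escape it at the point where the diff view renders it. The following is an added illustration, not nbdime's own code or its actual fix; the function names, the markup heuristic and the sample filename are all constructed here for the example. It shows the vulnerable interpolation pattern beside the escaped one, plus a small flag that can feed the log indicators listed under Detection.

```python
import html
import re

# Hypothetical helpers (not nbdime's code) for the class of bug in CVE-2021-41134:
# a notebook filename that carries markup must never reach the diff page as HTML.

# Control characters have no place in a filename that will be displayed.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Heuristic for logging/alerting only: angle brackets, a javascript: scheme,
# or an inline event-handler attribute inside a filename.
_MARKUP_HINT = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)


def looks_like_markup(filename: str) -> bool:
    """True when a filename looks like it carries HTML or a script URL.

    Suitable as a detection signal (see the log indicators on this page);
    it is deliberately not the only defence, because detection can miss cases.
    """
    return bool(_MARKUP_HINT.search(filename))


def render_diff_title_unsafe(filename: str) -> str:
    """The vulnerable pattern, kept for contrast: the filename is interpolated
    raw into HTML, so any tag inside it is interpreted by the browser."""
    return f"<h2>Diff of {filename}</h2>"


def render_diff_title(filename: str) -> str:
    """The hardened pattern: drop control characters, then HTML-escape the
    filename at output time so it is always shown as text, never as markup.

    quote=True also escapes double and single quotes, which matters if the
    same value is ever placed inside an attribute.
    """
    cleaned = _CONTROL_CHARS.sub("", filename)
    return f"<h2>Diff of {html.escape(cleaned, quote=True)}</h2>"


if __name__ == "__main__":
    # Constructed sample filename of the kind the advisory describes.
    sample = "analysis<script>alert(1)</script>.ipynb"
    print("flagged:", looks_like_markup(sample))
    print("unsafe :", render_diff_title_unsafe(sample))
    print("escaped:", render_diff_title(sample))
```

Escaping on output rather than stripping on input is the choice here because a stripped string can still be reassembled into markup by a second decoding or rendering step, whereas escaped text is inert wherever it lands in an HTML text node.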

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in filenames
  • Restrict user permissions to prevent malicious notebook file creation/renaming

🔍 How to Verify

Check if Vulnerable:

Check the nbdime version with 'nbdime --version' and compare it to the patched versions. If running from source, check that commit e44a5cc7677f24b45ebafc756db49058c2f750ea is present in the checkout.

Check Version:

nbdime --version

Verify Fix Applied:

After updating, test by creating a notebook with an XSS payload in its filename and verifying that the diff view displays the filename as text and does not execute the script.

📡 Detection & Monitoring

Log Indicators:

  • Unusual notebook filenames containing script tags or JavaScript code
  • Multiple failed diff operations

Network Indicators:

  • Outbound connections to suspicious domains after viewing notebook diffs

SIEM Query:

(filename:*<script* OR filename:*javascript:*) AND process:nbdime
