CVE-2021-39160
9.6 CRITICALnbgitpuller is a Jupyter server extension to sync a git repository one-way to a local path
Published: 2021-08-25 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 9.6 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- CWE
- CWE-78, CWE-94
Affected products
| Vendor | Product |
|---|---|
| jupyterhub | nbgitpuller |
Description
nbgitpuller is a Jupyter server extension to sync a git repository one-way to a local path. Due to unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment. This has been resolved in version 0.10.2 and all users are advised to upgrade. No work around exist for users who can not upgrade.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-39160
- [Other]https://github.com/jupyterhub/nbgitpuller/blob/main/CHANGELOG.md#0102---2021-08-25
- [Patch]https://github.com/jupyterhub/nbgitpuller/commit/07690644f29a566011dd0d7ba14cae3eb0490481
- [Other]https://github.com/jupyterhub/nbgitpuller/security/advisories/GHSA-mq5p-2mcr-m52j
- [Other]https://github.com/jupyterhub/nbgitpuller/blob/main/CHANGELOG.md#0102---2021-08-25
- [Patch]https://github.com/jupyterhub/nbgitpuller/commit/07690644f29a566011dd0d7ba14cae3eb0490481
- [Other]https://github.com/jupyterhub/nbgitpuller/security/advisories/GHSA-mq5p-2mcr-m52j
Related CVEs
Same vendor
- CVE-2021-41194 — FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub (9.1 CRITICAL)
Same CWE
- CVE-2026-22313 — The device has a webserver that exposes a REST API authenticated with a token on the management network (9.1 CRITICAL)
- CVE-2026-44932 — Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a ... (8.8 HIGH)
- CVE-2026-24155 — NVIDIA NeMo Framework for all platforms contains a code injection vulnerability (7.8 HIGH)
- CVE-2026-12398 — A command injection vulnerability was found in galaxy_ng (7.5 HIGH)
- CVE-2026-5416 — Due to the improper neutralization of special elements used in a name parameter a low privileged remote attacker can exploit a command in... (8.8 HIGH)