nbconvert has an uncontrolled search path that leads to unauthorized code execution on Windows

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions of nbconvert up to and including 7.16.6 on Windows have a vulnerability in which converting a notebook containing SVG output to a PDF results in unauthorized code execution. Specifically, a third party can create a `inkscape.bat` file that defines a Windows batch script, capable of arbitrary code execution. When a user runs `jupyter nbconvert --to pdf` on a notebook containing SVG output to a PDF on a Windows platform from this directory, the `inkscape.bat` file is run unexpectedly. This issue has been patched in version 7.17.0.

N/A

对搜索路径元素未加控制

nbconvert 代码问题漏洞

nbconvert是Jupyter组织的一个格式转换库。将 Jupyter .ipynb 笔记本文档文件转换为另一种静态格式，包括 HTML、LaTeX、PDF、Markdown 等。 nbconvert 7.16.6及之前版本存在代码问题漏洞，该漏洞源于转换包含SVG输出的笔记本为PDF时处理不当，可能导致未授权代码执行。

N/A

N/A