Vulnerability Information
Vulnerability Title
nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding
Vulnerability Description
The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when `HTMLExporter.embed_images=True`, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook can exfiltrate sensitive files from the conversion host by embedding them as base64 data URIs in the output HTML. nbconvert 7.17.1 contains a fix. As a workaround, do not enable `HTMLExporter.embed_images`; it is not enabled by default.
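A pre-conversion audit for the issue described above, as an added example that is not nbconvert's code or its 7.17.1 fix: it lists markdown-cell image references that resolve outside the notebook's directory. The function names, the `/srv/notebooks` base directory and the sample notebook are constructed, and resolving targets relative to the notebook directory is an assumption.

```python
import json
import os
import re
from urllib.parse import unquote

# Markdown ![alt](target) and raw HTML <img src="target"> references.
MD_IMG = re.compile(r'!\[[^\]]*\]\(\s*<?([^)\s>]+)')
HTML_IMG = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
REMOTE = ("http://", "https://", "data:")


def escapes_base(target, base_dir):
    """True if a local image reference resolves outside base_dir."""
    target = unquote(target)  # treat percent-encoded dots/slashes as literal
    if target.lower().startswith(REMOTE):
        return False  # not a local file read
    if target.lower().startswith("file:"):
        return True  # explicit local-file URI, flagged unconditionally
    base = os.path.realpath(base_dir)
    resolved = os.path.realpath(os.path.join(base, target))
    return os.path.commonpath([base, resolved]) != base


def audit_notebook(nb_json, base_dir):
    """Return (cell_index, target) for image references that leave base_dir."""
    findings = []
    for i, cell in enumerate(json.loads(nb_json).get("cells", [])):
        if cell.get("cell_type") != "markdown":
            continue
        src = cell.get("source", "")
        text = "".join(src) if isinstance(src, list) else src
        for m in list(MD_IMG.finditer(text)) + list(HTML_IMG.finditer(text)):
            if escapes_base(m.group(1), base_dir):
                findings.append((i, m.group(1)))
    return findings


# Constructed sample notebook (not from the advisory).
SAMPLE_NB = json.dumps({"nbformat": 4, "nbformat_minor": 5, "cells": [
    {"cell_type": "markdown",
     "source": ["![ok](img/plot.png)\n", "![t](../../outside/secret.txt)"]},
    {"cell_type": "code", "source": "x = '![c](/outside/in_code_cell)'"},
    {"cell_type": "markdown",
     "source": '<img src="/outside/abs.txt"> ![r](https://example.org/a.png)'},
]})

if __name__ == "__main__":
    for idx, ref in audit_notebook(SAMPLE_NB, "/srv/notebooks"):
        print(f"cell {idx}: image reference leaves notebook dir: {ref}")
```

A check like this suits pipelines that convert untrusted notebooks with `HTMLExporter.embed_images` enabled; upgrading to 7.17.1 or leaving the option off remains the actual remediation.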
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Vulnerability Type
Improper Limitation of a Pathname (Path Traversal)
Vulnerability Title
nbconvert Path Traversal Vulnerability
Vulnerability Description
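nbconvert is a format conversion library from the Jupyter organization. It converts Jupyter .ipynb notebook document files to another static format, including HTML, LaTeX, PDF, Markdown and others. nbconvert versions 6.5 through 7.17.0 contain a path traversal vulnerability. The vulnerability arises because, when HTMLExporter.embed_images=True, the markdown renderer allows arbitrary file read via path traversal in image references, which may allow a malicious notebook to exfiltrate sensitive files into the output HTML via base64 data URIs.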
CVSS Information
N/A
Vulnerability Type
N/A