{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"Medium"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https:/www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"python-nbconvert security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for python-nbconvert is now available for openEuler-24.03-LTS-SP3",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"The nbconvert tool, jupyter nbconvert, converts notebooks to various other  formats via Jinja templates. The nbconvert tool allows you to convert an  .ipynb notebook file into various static formats including HTML, LaTeX,  PDF, Reveal JS, Markdown (md), ReStructured Text (rst) and executable script.\n\nSecurity Fix(es):\n\nThe nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions 6.5 through 7.17.0 allow arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The `ExtractAttachmentsPreprocessor` passes attachment filenames directly to the filesystem without sanitization, enabling path traversal attacks. This vulnerability provides complete control over both the destination path and file extension. Version 7.17.1 contains a patch.(CVE-2026-39377)\n\nThe nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when `HTMLExporter.embed_images=True`, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook can exfiltrate sensitive files from the conversion host by embedding them as base64 data URIs in the output HTML. nbconvert 7.17.1 contains a fix. As a workaround, do not enable `HTMLExporter.embed_images`; it is not enabled by default.(CVE-2026-39378)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for python-nbconvert is now available for master/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3/openEuler-24.03-LTS-SP4.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"Medium",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"python-nbconvert",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2026-2196",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2196"
			},
			{
				"summary":"CVE-2026-39377",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-39377&packageName=python-nbconvert"
			},
			{
				"summary":"CVE-2026-39378",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-39378&packageName=python-nbconvert"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39377"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39378"
			},
			{
				"summary":"openEuler-SA-2026-2196 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2026/csaf-openeuler-sa-2026-2196.json"
			}
		],
		"title":"An update for python-nbconvert is now available for openEuler-24.03-LTS-SP3",
		"tracking":{
			"initial_release_date":"2026-05-03T18:08:25+08:00",
			"revision_history":[
				{
					"date":"2026-05-03T18:08:25+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2026-05-03T18:08:25+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2026-05-03T18:08:25+08:00",
			"id":"openEuler-SA-2026-2196",
			"version":"1.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3"
									},
									"product_id":"openEuler-24.03-LTS-SP3",
									"name":"openEuler-24.03-LTS-SP3"
								},
								"name":"openEuler-24.03-LTS-SP3",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3"
									},
									"product_id":"python-nbconvert-7.17.1-1.oe2403sp3.src.rpm",
									"name":"python-nbconvert-7.17.1-1.oe2403sp3.src.rpm"
								},
								"name":"python-nbconvert-7.17.1-1.oe2403sp3.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3"
									},
									"product_id":"python3-nbconvert-7.17.1-1.oe2403sp3.noarch.rpm",
									"name":"python3-nbconvert-7.17.1-1.oe2403sp3.noarch.rpm"
								},
								"name":"python3-nbconvert-7.17.1-1.oe2403sp3.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP3",
				"product_reference":"python-nbconvert-7.17.1-1.oe2403sp3.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP3:python-nbconvert-7.17.1-1.oe2403sp3.src",
					"name":"python-nbconvert-7.17.1-1.oe2403sp3.src as a component of openEuler-24.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP3",
				"product_reference":"python3-nbconvert-7.17.1-1.oe2403sp3.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP3:python3-nbconvert-7.17.1-1.oe2403sp3.noarch",
					"name":"python3-nbconvert-7.17.1-1.oe2403sp3.noarch as a component of openEuler-24.03-LTS-SP3"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2026-39377",
			"notes":[
				{
					"text":"The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions 6.5 through 7.17.0 allow arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The `ExtractAttachmentsPreprocessor` passes attachment filenames directly to the filesystem without sanitization, enabling path traversal attacks. This vulnerability provides complete control over both the destination path and file extension. Version 7.17.1 contains a patch.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS-SP3:python-nbconvert-7.17.1-1.oe2403sp3.src",
					"openEuler-24.03-LTS-SP3:python3-nbconvert-7.17.1-1.oe2403sp3.noarch"
				]
			},
			"remediations":[
				{
					"product_ids":{"$ref":"$.vulnerabilities[0].product_status.fixed"},
					"details":"python-nbconvert security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2196"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":6.5,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
						"version":"3.1"
					},
					"products":{"$ref":"$.vulnerabilities[0].product_status.fixed"}
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2026-39377"
		},
		{
			"cve":"CVE-2026-39378",
			"notes":[
				{
					"text":"The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when `HTMLExporter.embed_images=True`, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook can exfiltrate sensitive files from the conversion host by embedding them as base64 data URIs in the output HTML. nbconvert 7.17.1 contains a fix. As a workaround, do not enable `HTMLExporter.embed_images`; it is not enabled by default.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":{"$ref":"$.vulnerabilities[0].product_status.fixed"}
			},
			"remediations":[
				{
					"product_ids":{"$ref":"$.vulnerabilities[0].product_status.fixed"},
					"details":"python-nbconvert security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2196"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":6.5,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
						"version":"3.1"
					},
					"products":{"$ref":"$.vulnerabilities[0].product_status.fixed"}
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2026-39378"
		}
	]
}