Re: CVE Request: Maliciously crafted text files in IPython/Jupyter editor

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Software name: IPython notebook / Jupyter notebook
> Type of vulnerability: Maliciously forged file
> Attack outcome: Possible remote execution

> Vulnerability: A maliciously forged file opened for editing can execute
> javascript, specifically by being redirected to /files/ due to a failure to
> treat the file as plain text.

> Affected versions:
>
> - IPython 3.0 <= version <= 3.2.1
> - notebook 4.0 <= 4.0.4
>
> URI with issues:
>
> - GET /edit/**

> Patches:
>
> - IPython 3.x: https://github.com/ipython/ipython/commit/0a8096adf165e2465550bd5893d7e352544e5967
>
> - Jupyter 4.0.x: https://github.com/jupyter/notebook/commit/9e63dd89b603dfbe3a7e774d8a962ee0fa30c0b5

Use CVE-2015-7337.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWA3g8AAoJEL54rhJi8gl5nPYQALND4562BMNgf8AljcDNH/t7
vslyEpM0547uN1Nrss+wTkXgAbkVDtggguPoE1Ok/I6PQP2D586Gp+V8TnKPiMBq
u7i34j++T1E0eWtK/vV40Bx3oPNKdfO3pv54wJDvgToBIUc5f5yBffueejQtmGHS
WNIhDSCRu0YNzV1Qw1hydLZiRu22JTP2PRCMAI+Go15v8iXq0dBtDE/c7hjyKkIK
hCc3pCT+JQnOtjOENMa1A1V/pdT3y87FB8/wWYzCoBYzaYnJy1dEa+ZHDjRWoQSJ
Y0kDRT/NzxMrXvnRNxgoaTITdk1vNooTXv3vn8U7omVIBf2AUjM6jXAZ1Kdve4Cz
3D9eXibuBKCcgu3RSKhvVJrX8LcewVlJPUudqFjRA4btBljEI61K81t389Mrmb7o
saxXyaeUc0qaJ4yaXf9Zf5B7XTMcUU7dZtTOMZouDYL5l+od2sgxNzcerPC9tJg5
L9mIDaKKq0JraiExeRPJ623dh1iYPf1e3MediffPXJXA2fl6G8rZQU2IMUeXW14O
/tBZeKxExdpRM/D/HfMb8bw9kryzWlIxPINHl9UbM/4V3+kg7boDwPpOaFXS+94P
epoZxo7DbjesPCZ0MfDsPcw+ap2g19QCU5X9ey8Dj49Pc3TrqTybCMwEM7z74fOI
Tgy1TA0PSNfSgpJ2EuNQ
=KkUJ
-----END PGP SIGNATURE-----