oss-sec mailing list archives
Re: CVE Request: Maliciously crafted text files in IPython/Jupyter editor
From: cve-assign () mitre org
Date: Thu, 24 Sep 2015 00:16:21 -0400 (EDT)
Software name: IPython notebook / Jupyter notebook
Type of vulnerability: Maliciously forged file
Attack outcome: Possible remote execution
Vulnerability: A maliciously forged file opened for editing can execute JavaScript, specifically by being redirected to /files/ due to a failure to treat the file as plain text.
Affected versions:
- IPython 3.0 <= version <= 3.2.1
- notebook 4.0 <= 4.0.4

URI with issues:
- GET /edit/**

Patches:
- IPython 3.x: https://github.com/ipython/ipython/commit/0a8096adf165e2465550bd5893d7e352544e5967
- Jupyter 4.0.x: https://github.com/jupyter/notebook/commit/9e63dd89b603dfbe3a7e774d8a962ee0fa30c0b5
Use CVE-2015-7337.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
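Added example (not part of the original message or of the IPython/Jupyter code): log triage for the pattern the advisory describes, a GET /edit/ request that is followed by a request to /files/ for the same path from the same client. The access-log line format, the function name, the 5-second window and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed access-log shape (tornado-style line, no date in the timestamp):
#   [I 10:15:02.120 NotebookApp] 200 GET /edit/notes.txt (10.0.0.5) 12.40ms
LINE = re.compile(
    r"\[\w (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.\d+ \S+\] "
    r"(?P<status>\d{3}) GET (?P<uri>/(?P<kind>edit|files)/\S+) \((?P<ip>[^)]+)\)"
)

def edit_then_files(lines, window=5):
    """Return (client, path, seconds) for each GET /edit/<path> that is
    followed by GET /files/<path> from the same client within `window` s."""
    pending = {}  # (client, path) -> time of the most recent /edit/ request
    hits = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a GET on /edit/ or /files/
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        # Drop the query string and decode %xx so both requests compare equal.
        path = unquote(m["uri"].split("?", 1)[0].split("/", 2)[2])
        key = (m["ip"], path)
        if m["kind"] == "edit":
            pending[key] = t
        elif key in pending:
            delta = t - pending.pop(key)
            if 0 <= delta <= window:
                hits.append((m["ip"], path, delta))
    return hits

# Constructed sample lines, not taken from a real server.
SAMPLE = """\
[I 10:15:02.120 NotebookApp] 200 GET /edit/notes.txt (10.0.0.5) 12.40ms
[I 10:15:40.300 NotebookApp] 200 GET /files/notes.txt (10.0.0.5) 3.10ms
[I 10:16:10.010 NotebookApp] 200 GET /edit/shared/report%20v2.html (10.0.0.7) 11.02ms
[I 10:16:11.050 NotebookApp] 200 GET /files/shared/report%20v2.html (10.0.0.7) 2.75ms
[I 10:16:12.500 NotebookApp] 200 GET /files/shared/report%20v2.html (10.0.0.9) 2.60ms
""".splitlines()

if __name__ == "__main__":
    for client, path, delta in edit_then_files(SAMPLE):
        print(f"{client} opened /edit/{path} and fetched /files/{path} {delta}s later")
```

A match is only a lead for review: a user who opens a file in the editor and then downloads it produces the same pair of requests.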
Current thread:
- CVE Request: Maliciously crafted text files in IPython/Jupyter editor MinRK (Sep 16)
- Re: CVE Request: Maliciously crafted text files in IPython/Jupyter editor MinRK (Sep 22)
- Re: CVE Request: Maliciously crafted text files in IPython/Jupyter editor cve-assign (Sep 23)