oss-sec mailing list archives
Re: CVE request: maliciously crafted notebook files in Jupyter
From: Salvatore Bonaccorso <carnil () debian org>
Date: Sat, 17 Mar 2018 15:05:46 +0100
Hi,

On Thu, Mar 15, 2018 at 01:55:59PM +0000, Thomas Kluyver wrote:
Email address of requester: security () ipython org, thomas () kluyver me uk, benjaminrk () gmail com, jkamens () quantopian com, ssanderson () quantopian com
Software name: Jupyter Notebook (formerly IPython Notebook)
Type of vulnerability: Maliciously forged file
Attack outcome: Possible remote execution
Vulnerability: A maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.
Affected versions:
- notebook ≤ 5.4.0
URI with issues:
- GET /notebook/**
Patches: not yet finalised
Mitigations:
Upgrade to Jupyter notebook 5.4.1 or 5.5 once available.
If using pip,
pip install --upgrade notebook
For conda:
conda update conda
conda update notebook
Vulnerability reported by vkgonka () mail ru , via Jonathan Kamens at Quantopian
Thanks for the heads-up. This reply is mainly for another purpose: it looks like you wanted to have a CVE assigned through this reply to the list. CVEs can no longer be requested via the oss-security list. If you want to request one, please have a look at https://cveform.mitre.org/

Once you have the CVE assigned, can you please loop back the assignment in this thread?

Regards,
Salvatore
